If you have followed the steps in my earlier blog you will have set up Security Shepherd on your Virtual machine platform. If you have got that far, continue. If not you need to do that first.
Welcome to lesson one on Insecure Direct Object Reference, the first task on the Security Shepherd menu. The fourth vulnerability on the OWASP Top Ten list is Insecure Direct Object Reference, also called IDOR. It refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. In such cases, the attacker can manipulate those references to get access to unauthorized data.
So let’s try to apply that knowledge to our SecShep problem. In the first task we have the following screen.
So now we know what the vulnerability is. How can we exploit it?
By manipulating the traffic that serves that specific request to the server in question. So let’s try that.
This is where an intercepting proxy comes in handy. There are many, ZAP comes to mind, but for the purpose of this post we will keep it simple and use the default tools of Kali.
Firstly we need our traffic to go through a local (your VM) browser proxy. Easily done. In your Kali instance browser download FoxyProxy to have the ability to tell it which port your internet connection is connected to, just before it hits the internet. Once you download it, click it and the following screen will appear.
Choose add a proxy on the right hand button and add the following details .
In the address field type: 127.0.0.0 and in the port field type 8080, as this is the port Burp (our proxy) listens on.
This is telling our browser to go through our intercepting proxy before our request hits the server.
BurpSuite is my intercepting proxy of choice. It comes as a default program in Kali but is also available for other platforms here.
When you do that, open it, hit the Proxy tab and make sure the Intercept is on.
With Burp we can prevent the requests we make to a server from executing before we make any changes. So, in essence, manipulate the packet before it goes across the wire. We need that for this level in Security Shepherd.
For this Security Shepherd lesson there’s a Refresh your Profile option.
Let’s do that and capture the traffic before it hits the server. So this means you have Burp set up to intercept the POST request to the server. This is the request if your are set up properly.
As I mentioned in Insecure Direct Object Reference, sometimes credentials are passed as a parameter in the code and as we can see at the bottom of the request we have a username as “guest”. How about we change that value to something else and make the application do something it’s not supposed to? Like maybe:
admin? Hit the forward button and you should be admin when you return to the browser ;); This will give you the solution key.
The best protection is to avoid exposing direct object references to users by using an index, indirect reference map, or other indirect method that is easy to validate. If a direct object reference must be used, ensure that the user is authorized before using it.
Establishing a standard way of referring to application objects is important:
- Avoid exposing your private object references to users whenever possible, such as primary keys or filenames
- Validate any private object references extensively with an “accept known good” approach
- Verify authorization to all referenced objects
The best solution is to use an index value or a reference map to prevent parameter manipulation attacks.
If you must expose direct references to database structures, ensure that SQL statements and other database access methods only allow authorized records to be shown:
int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
User user = (User)request.getSession().getAttribute( "user" );
String query = "SELECT * FROM table WHERE cartID=" + cartID + " AND userID=" + user.getID();
How to exploit
Thanks for reading “,
Let me know what you think in the comments below, happy hacking.