Abstract image of a woman sitting on books and studying on a laptop

Insecure direct object reference (null delhi meet)

Abhinav Mishra, profile picture
Abhinav Mishra

This document discusses insecure direct object references (IDOR), a type of access control vulnerability. IDOR occurs when an application exposes references to unauthorized resources, such as allowing access to another user's account, through direct manipulation of the reference URL or parameter. The document explains how IDOR works using examples, how attackers can discover and exploit IDOR vulnerabilities, and considerations for when it may not be critical even if present. It also provides resources for further information on testing and remediating IDOR issues.

Education
1 of 10
Downloaded 23 times
1
2
Most read
3
4
5
6
7
Most read
8
9
Most read
10
Insecure Direct Object Reference What, Why, and How? Presented by, Abhinav Mishra Founder, ENCIPHERS www.enciphers.com
First thing’s first. Why IDOR? Why talk about a vulnerability like IDOR when there are more intense attacks like SQL Injection and Remote Code Execution? ● Exploitation is cool ● Very common in Rest API ● Scanners are useless in discovering them ● High impact ● Great bounty
Also... Can’t see IDOR in OWASP TOP 10 2017?
What is IDOR? Consider a URL for deleting the profile pic of a certain user: https://samplesite.com/deleteProfilePic?id=127 If the application is vulnerable to IDOR: https://samplesite.com/deleteProfilePic?id=128 Will delete the Profile Pic of Another User having the id of “128”
So what is an Object? ● Any user data/information like, pictures, profile, account, files etc ● Social Network: ○ Posts, users (blocked?), videos, pics, friends etc ● Ecommerce: ○ Credit card, private info, cart ● Other: ○ Messages, private posts, friends, files, documents etc
Another bad example... Let’s suppose this is the URL which you get when you want to see your purchases from your favorite e-commerce site: https://ecommercesite.com/purchase.html?uid=25673 What if the application is vulnerable to IDOR: https://ecommercesite.com/purchase.html?uid=25675 Will show the purchases for some other User whose user id is “25675”
So, how to find these? ● Capture all the traffic in a proxy ● Find all the requests (GET or POST) which has any object identifier like id, pid, uid etc ● Create another account and get the identifiers from both accounts. ● Use one of the account’s sessions/auth header and replay each request with the object identifier from another account. ● Can you access/edit any of the object from another account? ● Report bug, get paid (if not duplicate)
When it’s not actually critical? When the identifiers are like 2896519846826592fgweut924293 You can’t actually guess the other identifiers, then how would you access them? So? Is it no more a vulnerability?
Actually it still can be.. Try to find a way to get other’s identifier values? Example: /api/v2/users/ Or /api/v2/files/ These may not give details of the files, but may give the file identifiers and name etc.
Resources? Bugcrowd Blog: Link Owasp Link How to test (Burp Suite): Link Need help? Find me @0ctac0der

More Related Content

PDF
Burp suite
Yashar Shahinzadeh
 
PPTX
Web application security
Kapil Sharma
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
PDF
Api security-testing
n|u - The Open Security Community
 
PDF
IDOR Know-How.pdf
Bhashit Pandya
 
PPTX
Introduction to Malware Analysis
Andrew McNicol
 
PDF
Web application security & Testing
Deepu S Nath
 
PPTX
Pentesting ReST API
Nutan Kumar Panda
 
Burp suite
Yashar Shahinzadeh
 
Web application security
Kapil Sharma
 
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Api security-testing
n|u - The Open Security Community
 
IDOR Know-How.pdf
Bhashit Pandya
 
Introduction to Malware Analysis
Andrew McNicol
 
Web application security & Testing
Deepu S Nath
 
Pentesting ReST API
Nutan Kumar Panda
 

What's hot (20)

PDF
Web Application Penetration Testing
Priyanka Aash
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
PDF
Bug bounty null_owasp_2k17
Sagar M Parmar
 
PPT
Application Security
Reggie Niccolo Santos
 
PPT
Secure code practices
Hina Rawal
 
PDF
Penetration testing web application web application (in) security
Nahidul Kibria
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
PDF
SSRF workshop
Ivan Novikov
 
PDF
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
PDF
Secure coding presentation Oct 3 2020
Moataz Kamel
 
PDF
Broken access controls
Akansha Kesharwani
 
PDF
Owasp top 10
YasserElsnbary
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
PDF
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
PPT
Introduction To OWASP
Marco Morana
 
PDF
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
Web Application Penetration Testing
Priyanka Aash
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
OWASP API Security Top 10 - API World
42Crunch
 
Bug bounty null_owasp_2k17
Sagar M Parmar
 
Application Security
Reggie Niccolo Santos
 
Secure code practices
Hina Rawal
 
Penetration testing web application web application (in) security
Nahidul Kibria
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
SSRF workshop
Ivan Novikov
 
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
OWASP Top 10 2021 What's New
Michael Furman
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Broken access controls
Akansha Kesharwani
 
Owasp top 10
YasserElsnbary
 
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
Introduction To OWASP
Marco Morana
 
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
Ad

Similar to Insecure direct object reference (null delhi meet) (20)

PDF
IDOR.pdf
Okan YILDIZ
 
PDF
IDOR.pdf
Okan YILDIZ
 
PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
Frans Rosén
 
PPTX
2022 APIsecure_Go Hack Yourself: API Hacking for Beginners
APIsecure_ Official
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
PPTX
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure_ Official
 
PPTX
OAuth
Anand Rai
 
PDF
Owasp.meet up.2017.ppt
Sul Haedir
 
PDF
API Testing and Hacking.pdf
VishwasN6
 
PDF
API Testing and Hacking (1).pdf
Vishwas N
 
PDF
API Testing and Hacking.pdf
Vishwas N
 
PDF
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
PDF
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
apidays
 
PDF
Astra-Security-Sample-VAPT-Report leadind auditt.pdf
bipinbhattarai12
 
PDF
OWASP API Security Top 10 Examples
42Crunch
 
PDF
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
PPTX
API Security Fundamentals
José Haro Peralta
 
PDF
APIsecure 2023 - Breaking Vulnerable APIs, Tushar Kulkarni
apidays
 
PDF
OWASP Top 10 A4 – Insecure Direct Object Reference
Narudom Roongsiriwong, CISSP
 
PDF
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
DevOps.com
 
IDOR.pdf
Okan YILDIZ
 
IDOR.pdf
Okan YILDIZ
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
Frans Rosén
 
2022 APIsecure_Go Hack Yourself: API Hacking for Beginners
APIsecure_ Official
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure_ Official
 
OAuth
Anand Rai
 
Owasp.meet up.2017.ppt
Sul Haedir
 
API Testing and Hacking.pdf
VishwasN6
 
API Testing and Hacking (1).pdf
Vishwas N
 
API Testing and Hacking.pdf
Vishwas N
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CloudIDSummit
 
APIsecure 2023 - Your Technical Debt is My Bug Bounty, Dr. Katie Paxton-Fear
apidays
 
Astra-Security-Sample-VAPT-Report leadind auditt.pdf
bipinbhattarai12
 
OWASP API Security Top 10 Examples
42Crunch
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
API Security Fundamentals
José Haro Peralta
 
APIsecure 2023 - Breaking Vulnerable APIs, Tushar Kulkarni
apidays
 
OWASP Top 10 A4 – Insecure Direct Object Reference
Narudom Roongsiriwong, CISSP
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
DevOps.com
 
Ad

More from Abhinav Mishra (7)

PPTX
Peerlyst Delhi NCR Chapter Meet
Abhinav Mishra
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Abhinav Mishra
 
PDF
The art of android hacking
Abhinav Mishra
 
PDF
Android Security Basics
Abhinav Mishra
 
PDF
How not to make a hacker friendly application
Abhinav Mishra
 
PDF
Anatomizing online payment systems: hack to shop
Abhinav Mishra
 
Peerlyst Delhi NCR Chapter Meet
Abhinav Mishra
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
Abhinav Mishra
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Abhinav Mishra
 
The art of android hacking
Abhinav Mishra
 
Android Security Basics
Abhinav Mishra
 
How not to make a hacker friendly application
Abhinav Mishra
 
Anatomizing online payment systems: hack to shop
Abhinav Mishra
 

Recently uploaded (20)

PDF
faiz-khans about Radiotherapy Physics-02.pdf
FrancisKazoba
 
PPTX
4. Diagnosis and treatment planning in RPD.pptx
rakshasb
 
PPT
Acidosis in Dairy Herds: Causes, Signs, Management, Prevention and Treatment
khosrowsamiei2001
 
PDF
BSc-Zoology-02Sem-DrVijay-Comparative anatomy of vertebrates.pdf
ps6013234
 
PPTX
operating_systems_presentations_delhi_nc
Sagar878973
 
PPTX
Key-Features-of-the-SHS-Program-v4-Slides (3) PPT2.pptx
abdurakibtingsonjali
 
PPTX
Unit 1 aayurveda and nutrition presentation
branstark0011
 
PPTX
IT infrastructure and emerging technologies
dhananjaymane12
 
PPTX
ACFE CERTIFICATION TRAINING ON LAW.pptx
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 
PDF
CHALLENGES FACED BY TEACHERS WHEN TEACHING LEARNERS WITH DEVELOPMENTAL DISABI...
HarlynCaballero1
 
PPTX
Q2 Week 1.pptx Lesson on Kahalagahan ng Pamilya sa Edukasyon
juliemarbetio1
 
PDF
Disorder of Endocrine system (1).pdfyyhyyyy
[email protected]
 
PPTX
Diploma pharmaceutics notes..helps diploma students
zonuntluangimph
 
PDF
CAT 2024 VARC One - Shot Revision Marathon by Shabana.pptx.pdf
VaibhavBhardwaj394603
 
PDF
WHAT NURSES SAY_ COMMUNICATION BEHAVIORS ASSOCIATED WITH THE COMP.pdf
shaheraharby
 
PPTX
principlesofmanagementsem1slides-131211060335-phpapp01 (1).ppt
Jeyasunitha
 
PPTX
Neurological complocations of systemic disease
BisratAlex2
 
PDF
Kalaari-SaaS-Founder-Playbook-2024-Edition-.pdf
savannetflix
 
PDF
fundamentals-of-heat-and-mass-transfer-6th-edition_incropera.pdf
gloryjsingh
 
PDF
Everyday Spelling and Grammar by Kathi Wyldeck
JohanaWulandari2
 
faiz-khans about Radiotherapy Physics-02.pdf
FrancisKazoba
 
4. Diagnosis and treatment planning in RPD.pptx
rakshasb
 
Acidosis in Dairy Herds: Causes, Signs, Management, Prevention and Treatment
khosrowsamiei2001
 
BSc-Zoology-02Sem-DrVijay-Comparative anatomy of vertebrates.pdf
ps6013234
 
operating_systems_presentations_delhi_nc
Sagar878973
 
Key-Features-of-the-SHS-Program-v4-Slides (3) PPT2.pptx
abdurakibtingsonjali
 
Unit 1 aayurveda and nutrition presentation
branstark0011
 
IT infrastructure and emerging technologies
dhananjaymane12
 
ACFE CERTIFICATION TRAINING ON LAW.pptx
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 
CHALLENGES FACED BY TEACHERS WHEN TEACHING LEARNERS WITH DEVELOPMENTAL DISABI...
HarlynCaballero1
 
Q2 Week 1.pptx Lesson on Kahalagahan ng Pamilya sa Edukasyon
juliemarbetio1
 
Disorder of Endocrine system (1).pdfyyhyyyy
[email protected]
 
Diploma pharmaceutics notes..helps diploma students
zonuntluangimph
 
CAT 2024 VARC One - Shot Revision Marathon by Shabana.pptx.pdf
VaibhavBhardwaj394603
 
WHAT NURSES SAY_ COMMUNICATION BEHAVIORS ASSOCIATED WITH THE COMP.pdf
shaheraharby
 
principlesofmanagementsem1slides-131211060335-phpapp01 (1).ppt
Jeyasunitha
 
Neurological complocations of systemic disease
BisratAlex2
 
Kalaari-SaaS-Founder-Playbook-2024-Edition-.pdf
savannetflix
 
fundamentals-of-heat-and-mass-transfer-6th-edition_incropera.pdf
gloryjsingh
 
Everyday Spelling and Grammar by Kathi Wyldeck
JohanaWulandari2
 

Insecure direct object reference (null delhi meet)

  • 1. Insecure Direct Object Reference What, Why, and How? Presented by, Abhinav Mishra Founder, ENCIPHERS www.enciphers.com
  • 2. First thing’s first. Why IDOR? Why talk about a vulnerability like IDOR when there are more intense attacks like SQL Injection and Remote Code Execution? ● Exploitation is cool ● Very common in Rest API ● Scanners are useless in discovering them ● High impact ● Great bounty
  • 3. Also... Can’t see IDOR in OWASP TOP 10 2017?
  • 4. What is IDOR? Consider a URL for deleting the profile pic of a certain user: https://samplesite.com/deleteProfilePic?id=127 If the application is vulnerable to IDOR: https://samplesite.com/deleteProfilePic?id=128 Will delete the Profile Pic of Another User having the id of “128”
  • 5. So what is an Object? ● Any user data/information like, pictures, profile, account, files etc ● Social Network: ○ Posts, users (blocked?), videos, pics, friends etc ● Ecommerce: ○ Credit card, private info, cart ● Other: ○ Messages, private posts, friends, files, documents etc
  • 6. Another bad example... Let’s suppose this is the URL which you get when you want to see your purchases from your favorite e-commerce site: https://ecommercesite.com/purchase.html?uid=25673 What if the application is vulnerable to IDOR: https://ecommercesite.com/purchase.html?uid=25675 Will show the purchases for some other User whose user id is “25675”
  • 7. So, how to find these? ● Capture all the traffic in a proxy ● Find all the requests (GET or POST) which has any object identifier like id, pid, uid etc ● Create another account and get the identifiers from both accounts. ● Use one of the account’s sessions/auth header and replay each request with the object identifier from another account. ● Can you access/edit any of the object from another account? ● Report bug, get paid (if not duplicate)
  • 8. When it’s not actually critical? When the identifiers are like 2896519846826592fgweut924293 You can’t actually guess the other identifiers, then how would you access them? So? Is it no more a vulnerability?
  • 9. Actually it still can be.. Try to find a way to get other’s identifier values? Example: /api/v2/users/ Or /api/v2/files/ These may not give details of the files, but may give the file identifiers and name etc.
  • 10. Resources? Bugcrowd Blog: Link Owasp Link How to test (Burp Suite): Link Need help? Find me @0ctac0der