Today, I will talk about the vulnerability Insecure direct object reference.
Table of contents:
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.
For example, in Internet Banking applications, it is common to use the account number as the primary key. Therefore, it is tempting to use the account number directly in the web interface.
In the context, I was exploiting a vulnerable VM, Seattle VM from vulnhub. It contains several web vulnerabilities.
By browsing the website, we discover that author are registered according to an id:
Therefore by testing all id, I can list all author on the website.
What are the information sent to the server whenever a request is done ?
I make a small python script to check if more author are on the website:
The result of my script:
Unfortunately, no more author are referenced on the website. But I have only test for positive id’s, many there where negative but I doubt.
Network analysis for the first three web request looking for id’s:
We could that the author number one exist because the server response is different from the “author=0” and “author=2”.
Always check on the server side that the user has the right to access the resource he is requesting for.
Also, add entropy on the ID to make sure a classic bruteforce cannot determine all referenced users through their ID range.
This is a classic vulnerability for people looking for privilege escalation or in order to access in an unauthorized area of the web application, “id=admin” for example.