Searching for IDOR bugs has never been easier with the Autorize extension

Tram Ho

Undoubtedly, finding IDOR bugs is routine work for pentesters and bug hunters. But what exactly is an IDOR bug? :-?

What is an IDOR vulnerability?

One fine day you notice that your personal data has been changed. You suspect an administrator has been poking at your data. Or is some hacker trying out the feature =))? Most likely the website has an IDOR bug. So what is IDOR, and how does it work?

IDOR (Insecure Direct Object Reference) is a vulnerability in which a user can access and change the data of any other user in the system. It has been ranked 4th in the OWASP Top 10 list of web security vulnerabilities since 2013. The attack is possible when the application does not verify that the logged-in user is actually allowed to access the referenced object, which lets an attacker use those references to read, change or otherwise use data they are not authorized for.

For example: your website has a function for viewing user information by an ID parameter.

Request:

Response:

This is personal data that should normally be viewable only from that user's own account. But an attacker can change the id value to see other users' information.

Response:

Likewise, if the add, edit or delete functions that a user can perform on their own data can also be performed against other users' accounts, that is an IDOR bug too.

How to test for IDOR vulnerabilities

To check a website for IDOR, we use 2 different accounts, logged in in 2 different browsers. Then we use the functions of one account but change the parameters passed so that they refer to the other account.

Usually I capture a request from the first account in Burp Suite, send it to the Repeater tab, and change the values and URL parameters to those of the second account. Then I check the response and go back to account 2 to see whether any of its data has changed. This is quite time consuming: if a website has many functions, a pentester has to test every one of them so that nothing slips through the net =)).

To cut down the time spent testing for IDOR, I need tools that test faster and waste less of my time. Recently I have been using some good Burp extensions for exactly this.

Autorize

You can install Autorize from the BApp Store in Burp.

To learn about the other options in this extension, see the Autorize homepage.

Automation: for each request you make, the extension sends 2 more requests: one using the cookies of the 2nd account you configured, and one without any cookies at all, i.e. as a user who has not logged in.

We can use 2 accounts: user A, an administrator, and user B, a normal user.

Browse the web application as user A, and add user B's cookie in Autorize's automatic mode.

We can add filters to get only the results we want, avoiding noisy results that would obscure the information we are after.

Click the Autorize on button to make the extension work, and start browsing normally as the administrator (user A).

As shown above, the length of the response returned for user A and for user B is equal. There may well be an IDOR here, so you should verify it manually to be sure. If the status code returned for user B is 403, there is no IDOR in that request.

Just browse the website and exercise both the administrator's and the regular user's privileges. If the normal user's copy of a request to an administrator function returns 200, check it right away; most likely it is an IDOR. The same goes for functions between two normal users: see whether one user can update or delete the other's information.
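To make the comparison Autorize performs concrete, here is an added example (not code from the article or from the Autorize project): a constructed in-memory "view user by id" endpoint in its vulnerable and fixed forms, plus a checker that replays the same request as user A, as user B and without a session, and flags the request when the status and response length match the original, as the article describes. The cookie values, user records and classification labels are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: two accounts, as in the two-account test above.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com", "role": "admin"},
    2: {"id": 2, "name": "bob", "email": "bob@example.com", "role": "user"},
}
# Constructed session cookies (hypothetical values) mapping to user ids.
SESSIONS = {"cookie-A": 1, "cookie-B": 2}


@dataclass
class Response:
    status: int
    body: str


def vulnerable_get_user(cookie, user_id):
    """Only checks that the caller is logged in, then returns any id: IDOR."""
    if cookie not in SESSIONS:
        return Response(401, "")
    user = USERS.get(user_id)
    return Response(200, str(user)) if user else Response(404, "")


def fixed_get_user(cookie, user_id):
    """Also checks that the object belongs to the caller, or that the caller is admin."""
    caller = SESSIONS.get(cookie)
    if caller is None:
        return Response(401, "")
    if caller != user_id and USERS[caller]["role"] != "admin":
        return Response(403, "")
    user = USERS.get(user_id)
    return Response(200, str(user)) if user else Response(404, "")


def autorize_style_check(handler, cookie_a, cookie_b, user_id):
    """Replay one request three ways and classify each copy against the original."""
    orig = handler(cookie_a, user_id)

    def classify(copy):
        if copy.status in (401, 403):
            return "enforced"            # access control rejected the copy
        if copy.status == orig.status and len(copy.body) == len(orig.body):
            return "bypassed"            # same status and length: likely IDOR, verify by hand
        return "check manually"          # differs, but was not clearly rejected

    return {
        "user_b": classify(handler(cookie_b, user_id)),
        "unauthenticated": classify(handler(None, user_id)),
    }
```

Run `autorize_style_check(vulnerable_get_user, "cookie-A", "cookie-B", 1)` and the user B copy is reported as bypassed, while the fixed handler reports it as enforced.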

Many other features are waiting for you to explore in this extension. Using it saves me a lot of time and effort when checking for IDOR bugs, and it covers cases I might otherwise overlook.


Source : Viblo