
IDOR

Description: Insecure Direct Object References (IDOR) occur when an application uses a client-supplied identifier (a database key, file name, or URL path segment) to fetch an object without verifying that the requesting user is authorized to access that particular object. The attacker needs no exploit beyond changing the identifier, which is why IDOR is classed under broken access control. Sequential numeric IDs make enumeration trivial, but unguessable IDs (UUIDs) do not fix the bug: they only hide it until the ID leaks somewhere else.

Example with Scenario: Imagine an e-commerce website where users can view their order details by accessing a URL like http://example.com/order?id=1234. If the application does not verify whether the authenticated user is authorized to view order 1234, an attacker could change the id parameter to access other users' orders.

Payloads and Test Cases:

Test with two accounts you control (a victim and an attacker) rather than guessing real users' IDs, and compare the attacker's response body with the victim's own response, since a 200 status on its own can be a generic or empty page. Identifiers also appear in POST bodies, JSON fields, headers and cookies, and the check has to be repeated for every HTTP method the endpoint accepts (PUT, PATCH, DELETE), not only GET.

  1. Basic IDOR to Access Unauthorized Data:

    • URL: http://example.com/order?id=1234

    • Payload: Change id to another order number, e.g., http://example.com/order?id=1235

    • Test Case: Verify if the application allows access to the order details for id=1235 without proper authorization checks.

  2. IDOR in API Endpoints:

    • API Request: GET /api/user/1234/profile

    • Payload: Change user ID to another user's ID, e.g., GET /api/user/1235/profile

    • Test Case: Check if the API returns the profile details for user 1235 without authorization.

  3. IDOR in File Download:

    • URL: http://example.com/download?file=report1234.pdf

    • Payload: Change file parameter to another file name, e.g., http://example.com/download?file=report1235.pdf

    • Test Case: Check whether a file belonging to another user (report1235.pdf) is served to the current account; a correct implementation resolves the file through the user's own records, not directly from the supplied name.

  4. IDOR in User Management:

    • URL: http://example.com/admin/user/edit?id=1234

    • Payload: Change id to another user's ID, e.g., http://example.com/admin/user/edit?id=1235

    • Test Case: Verify if non-admin users can edit or view details of other users without proper authorization.

  5. IDOR in Account Settings:

    • URL: http://example.com/account/settings?id=1234

    • Payload: Change id to another account ID, e.g., http://example.com/account/settings?id=1235

    • Test Case: Check if users can access or modify other users' account settings.

  6. IDOR in Deletion Functionality:

    • URL: http://example.com/delete?file=1234

    • Payload: Change file parameter to another file ID, e.g., http://example.com/delete?file=1235

    • Test Case: Ensure that the application checks for proper authorization before allowing deletion of any resource.
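The six test cases above are all the same experiment: take a request the victim can make, replay it as someone else, and see whether the same data comes back. The script below automates that comparison. It is an added example, not part of the original page; the backend it talks to is a constructed in-memory stub (`stub_backend`, `SESSIONS`, `ORDERS`, `PROFILES` are all made up here) that stands in for the target, with `/order` missing its ownership check and the profile endpoint enforcing it. In a real engagement `send()` would be a wrapper around an HTTP client carrying each account's cookie.

```python
"""Differential IDOR check (added example, not the page's code).  Every
resource that the victim session can read is re-requested with the attacker
session and with no session at all; a response whose body matches the
victim's own is reported.  The backend below is a constructed in-memory stub
standing in for the target: /order omits the ownership check, the profile
endpoint enforces it."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# --- constructed stub backend (cookie -> user id, plus two resource tables) ---
SESSIONS = {"sess-alice": 1234, "sess-bob": 1235}
ORDERS = {1234: "order 1234: alice, 3 items, $120",
          1235: "order 1235: bob, 1 item, $15"}
PROFILES = {1234: "alice@example.com", 1235: "bob@example.com"}


def stub_backend(method: str, path: str, cookie: Optional[str]) -> tuple[int, str]:
    """Returns (status, body) the way a real send() wrapper would."""
    uid = SESSIONS.get(cookie)
    if uid is None:
        return 401, "login required"
    m = re.fullmatch(r"/order\?id=(\d+)", path)
    if m:                                   # vulnerable: no ownership check
        body = ORDERS.get(int(m.group(1)))
        return (200, body) if body else (404, "not found")
    m = re.fullmatch(r"/api/user/(\d+)/profile", path)
    if m:                                   # safe: caller must own the profile
        target = int(m.group(1))
        return (200, PROFILES[target]) if target == uid else (403, "forbidden")
    return 404, "not found"


@dataclass
class Finding:
    path: str
    actor: str      # "attacker" or "unauthenticated"
    status: int


def find_idor(send: Callable[[str, str, Optional[str]], tuple[int, str]],
              victim_cookie: str, attacker_cookie: str,
              victim_paths: list[str]) -> list[Finding]:
    """Replay each of the victim's requests under other identities.

    A hit requires the same body the victim got, not just a 200: many apps
    answer an unauthorized request with a 200 and a generic or empty page."""
    findings = []
    for path in victim_paths:
        v_status, v_body = send("GET", path, victim_cookie)
        if v_status != 200:
            continue                        # victim cannot read it; nothing to compare
        for actor, cookie in (("attacker", attacker_cookie), ("unauthenticated", None)):
            a_status, a_body = send("GET", path, cookie)
            if a_status == 200 and a_body == v_body:
                findings.append(Finding(path, actor, a_status))
    return findings


if __name__ == "__main__":
    for f in find_idor(stub_backend, "sess-alice", "sess-bob",
                       ["/order?id=1234", "/api/user/1234/profile"]):
        print(f"IDOR: {f.actor} read {f.path} (HTTP {f.status})")
```

Against the stub, only `/order?id=1234` is reported, and only for the attacker session: the unauthenticated replay gets a 401 and the profile endpoint returns 403. Comparing bodies rather than status codes is the part worth keeping when you adapt this to a real target; an endpoint that answers every request with 200 would otherwise flag everything.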

Mitigation:

  1. Implement Proper Access Controls:

    • Ensure that every access to sensitive data or functionality checks if the user has the appropriate permissions.

    // Example in Java: load the object, then enforce ownership before returning it
    User user = getCurrentUser();
    Order order = orderService.getOrderById(orderId);
    // Compare owner IDs rather than relying on Object.equals(), and treat a missing
    // order the same as a foreign one so the response does not reveal which IDs exist
    if (order == null || !order.getUserId().equals(user.getId())) {
        throw new UnauthorizedAccessException();
    }
  2. Use Indirect References:

    • Expose per-user (or per-session) opaque tokens instead of raw database IDs, and resolve them server-side through a map that only contains objects the user is allowed to reach. A formatted but predictable scheme such as "ORD-1234-ABC" is still a direct reference; it is the per-user map that removes the attacker's ability to name someone else's object. This complements the ownership check above and does not replace it.

    // Resolve an opaque reference through the caller's own map
    Map<String, Long> refMap = session.getOrderRefMap();   // filled when the user's orders were listed
    Long orderId = refMap.get(orderRef);
    if (orderId == null) {
        throw new UnauthorizedAccessException();
    }
    Order order = orderService.getOrderById(orderId);
  3. Input Validation and Sanitization:

    • Reject malformed identifiers (non-numeric, out of range, unexpected characters) before they reach a query. This is defense in depth only: a perfectly well-formed ID can still belong to another user, so validation never substitutes for the authorization check.

    // Reject anything that is not a well-formed order ID before looking it up
    if (!isValidId(orderId)) {
        throw new InvalidInputException();
    }
  4. Log and Monitor Access:

    • Log denied accesses as well as successful ones, with the actor, the resource and the outcome, and alert on a single user touching many distinct IDs in a short window; that pattern is what IDOR probing looks like in server logs.

    // Log the outcome of each authorization decision; denials are the interesting events
    logger.info("User {} accessed order {}", user.getId(), orderId);
  5. Use Frameworks with Built-in Security:

    • Use security frameworks that provide built-in mechanisms for access control and authorization checks.

  6. Perform Regular Security Audits:

    • Regularly review and audit your codebase for potential IDOR vulnerabilities and fix them promptly.
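Mitigations 1 through 4 above fit together in one handler: validate the identifier, resolve the object, enforce ownership, log the decision, and hand clients opaque references instead of database keys. The following is an added example, not the page's Java code or any framework's API; `Session`, `Order`, the `ORDERS` table and the exception names are all constructed for illustration. It also deliberately returns the same error for "does not exist" and "belongs to someone else", so a scanner cannot use the difference to enumerate valid IDs.

```python
"""Hardened order access (added example, not the page's code): ownership
check on every read, per-session indirect references, input validation and
audit logging, in one small in-memory service."""
import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("idor")


@dataclass
class Order:
    id: int
    owner_id: int
    detail: str


# constructed sample data: two orders owned by two different users
ORDERS = {1234: Order(1234, 1, "alice: 3 items"),
          1235: Order(1235, 2, "bob: 1 item")}


class NotFound(Exception):
    """Raised for missing AND foreign objects, so the client learns nothing either way."""


class InvalidInput(Exception):
    """Raised for identifiers that are not well formed."""


@dataclass
class Session:
    user_id: int
    # opaque reference -> internal id, minted per session so a token handed to
    # one user means nothing when replayed from another user's session
    refs: dict = field(default_factory=dict)


def parse_id(raw: str) -> int:
    # Validation is defense in depth: a well-formed ID still needs the ownership check
    if not raw.isdigit() or len(raw) > 18:
        raise InvalidInput(raw)
    return int(raw)


def get_order(session: Session, raw_id: str) -> Order:
    """Direct lookup with the authorization check that the vulnerable endpoint lacks."""
    order_id = parse_id(raw_id)
    order = ORDERS.get(order_id)
    # Same outcome whether the order is missing or owned by someone else
    if order is None or order.owner_id != session.user_id:
        log.warning("denied user=%s order=%s exists=%s",
                    session.user_id, order_id, order is not None)
        raise NotFound(order_id)
    log.info("allowed user=%s order=%s", session.user_id, order_id)
    return order


def list_order_refs(session: Session) -> list[str]:
    """Give the client per-session opaque tokens instead of database IDs."""
    session.refs.clear()
    for order in ORDERS.values():
        if order.owner_id == session.user_id:
            session.refs[secrets.token_urlsafe(16)] = order.id
    return list(session.refs)


def get_order_by_ref(session: Session, ref: str) -> Order:
    """Resolve an opaque token through the caller's own map only."""
    order_id = session.refs.get(ref)
    if order_id is None:
        log.warning("denied user=%s unknown ref", session.user_id)
        raise NotFound(ref)
    # The map is a convenience, not the authorization: still enforce ownership
    return get_order(session, str(order_id))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    alice, bob = Session(1), Session(2)
    print(get_order(alice, "1234").detail)
    refs = list_order_refs(alice)
    print(get_order_by_ref(alice, refs[0]).detail)
    try:
        get_order(bob, "1234")              # bob probing alice's order
    except NotFound:
        print("bob denied, logged as a warning")
```

Two design points carry over to any language: the ownership comparison is on owner IDs, not object identity, and the indirect-reference path ends by calling the same `get_order` check, so adding tokens never weakens authorization.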


Last updated 10 months ago