This document discusses insecure direct object references (IDOR), which occur when a developer exposes a reference to an internal object, such as a file or database key, without an access control check, so that attackers can reach unauthorized data by manipulating the reference. It gives examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, getClouder and WordPress, and recommends a generic access control model, taking the user identity from the session or token rather than from client-supplied numeric IDs, and thorough code review to prevent IDOR issues.
11. What does it mean? #owasp4
detectify
“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.

Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.”
12. I – Insecure
D – Direct
O – Object
R – Reference

Exposing a reference to an internal object, such as a file, directory, or database key, without proper access control.
17. Business Impact #obvious
• Keys, Passwords
• Credit Card Data
• User Information / Email
• Invoices / Billing Data
18. Business Impact #notsoobvious
Numeric IDs for Order Receipts

“Not found” vs “No access”

Poll every day, you get analytics! $$$
19. Business Impact #notsoobvious
Numeric IDs for email invites = spam.

Found by d4d1a179c0f3
https://hackerone.com/reports/1533
20. Business Impact #evenworse
Change the delivery address of an order.

Deleting another user’s information.

Reclaiming other users’ data. Gift certificates, anyone?
22. Why so few? #ohnoez
1. No secure access model.

“User X should only have access to A”
“User X that has access to A should only have access to B”

and so on…
23. Why so few? #ohnoez
2. Numeric IDs.

Enumerable/sequential: decrease the value by 1 and try.

Easy to test. Easy to attack.
24. Why so few? #ohnoez
3. Error messages show and tell.

“User X cannot view object owned by User Y”

“No access to this object”

“Object does not exist”
25. Why so few? #ohnoez
4. Inconsistent ID sources.

/receipt/view/434

/receipt/?view=434

POST /receipt/view/ HTTP/1.1
receipt=434
26. Why so few? #ohnoez
5. Lack of proper code review.

How to automate this?
28. Example – Twitter
Credit card deletion from other users.

Sequential IDs when deleting cards.

Bounty $2,800
Found by secgeek (Ahmed Aboul-Ela)
https://hackerone.com/reports/27404
29. Example – Oculus
RCE through IDOR

Sequential IDs when updating users.

Bounty in total $25,000
Found by Bitquark (Jon)
https://bitquark.co.uk/blog/2014/08/31/popping_a_shell_on_the_oculus_developer_portal
30. Example – Square
Update other users / Get user info

IDs as hashes, but visible using Google.

No check if user was in another company.

Bounty $3,000
https://hackerone.com/reports/23126
31. Example – Zapier
Get log history from other users’ Zaps.

Contained sensitive information such as OAuth tokens / credentials.

No access control for log entries.

Bounty $3,000
https://zapier.com/engineering/bug-bounty-program/
32. Example – getClouder
Remove Cloud Scaling for other users.

No check if user owned the Cloud Scaling setting.

Bounty $200
33. Example – WordPress
Get all users on a WordPress site.

.com/?author=1

WONTFIX by WordPress
http://hackertarget.com/wordpress-user-enumeration/
35. Doing it right. #hellyeh
1. User ID in Session or Token

/user/view/me
/user/transactions
36. Doing it right. #hellyeh
2. Make a generic access model and stick to it.

public function get(string $type, string $id) { // one access check for every object type
    $obj = $this->repo->find($type, $id); // $this->repo stands for the app's own storage layer
    if ($obj === null || $obj->ownerId !== $this->id) {
        throw new NotFoundException(); // same error whether missing or not owned
    }
    return $obj;
}
$user->get('transaction', $id); // throws unless the transaction is owned by $user
37. Doing it right. #hellyeh
3. Access model in routes or controllers.

Stick to it! Easy to miss.
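The access model of slides 35–37, the three ID sources of slide 25 and the error-message point of slide 24, as one added Python example; it is not code from the deck or from Detectify. `Store`, `Request`, `receipt_id_from` and the two constructed users are assumptions standing in for an application's own storage, request object and routes; the PHP `get($type, $id)` idea is carried over as `Store.get(kind, oid, user)`. Random object ids stand in for the “hashes” of slide 39, and, as the Square example shows, the ownership check is still required on top of them.

```python
import secrets
from dataclasses import dataclass, field

class NotFound(Exception):
    """Same message whether an object is missing or not owned (slide 24)."""
    def __init__(self) -> None:
        super().__init__("Object does not exist")

@dataclass
class Obj:
    kind: str
    owner: str
    data: dict

class Store:
    """Generic access model (slide 36): every read and delete goes through get()."""
    def __init__(self) -> None:
        self._objects: dict[str, Obj] = {}

    def create(self, kind: str, owner: str, data: dict) -> str:
        # Random id, not an auto-increment: "decrease by 1 and try" finds nothing.
        # An unguessable id still does not replace the ownership check in get().
        oid = secrets.token_urlsafe(16)
        self._objects[oid] = Obj(kind, owner, data)
        return oid

    def get(self, kind: str, oid: str, user: str) -> Obj:
        obj = self._objects.get(oid)
        if obj is None or obj.kind != kind or obj.owner != user:
            raise NotFound()
        return obj

    def delete(self, kind: str, oid: str, user: str) -> None:
        self.get(kind, oid, user)  # the single check; no second code path
        del self._objects[oid]

    def list_owned(self, kind: str, user: str) -> list:
        return [o.data for o in self._objects.values() if o.kind == kind and o.owner == user]

@dataclass
class Request:
    """Constructed stand-in for an HTTP request. session_user was set by the
    server at login; it is never read from the URL, query string or body."""
    session_user: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def receipt_id_from(request: Request) -> str:
    """Resolve /receipt/view/434, /receipt/?view=434 and POST receipt=434 in one
    place (slide 25), so the check cannot be sidestepped by switching id source."""
    parts = request.path.strip("/").split("/")
    if parts[:2] == ["receipt", "view"] and len(parts) == 3 and parts[2]:
        return parts[2]
    oid = request.query.get("view") or request.form.get("receipt")
    if oid is None:
        raise NotFound()  # no id at all is reported like any other miss
    return oid

def view_receipt(store: Store, request: Request) -> dict:
    return store.get("receipt", receipt_id_from(request), request.session_user).data

def delete_receipt(store: Store, request: Request) -> None:
    store.delete("receipt", receipt_id_from(request), request.session_user)

def list_transactions(store: Store, request: Request) -> list:
    """/user/transactions (slide 35): no id in the route; the session decides whose."""
    return store.list_owned("transaction", request.session_user)

def demo() -> dict:
    """Constructed data: two users, each with one receipt and one transaction."""
    store = Store()
    alice_rc = store.create("receipt", "alice", {"total": 12})
    bob_rc = store.create("receipt", "bob", {"total": 99})
    store.create("transaction", "alice", {"amount": 5})
    store.create("transaction", "bob", {"amount": 7})
    as_alice = lambda path, **kw: Request("alice", path, **kw)
    results = {"own": view_receipt(store, as_alice(f"/receipt/view/{alice_rc}"))}
    # Bob's receipt via all three id sources plus a non-existent id: same message.
    outcomes = []
    for req in (as_alice(f"/receipt/view/{bob_rc}"),
                as_alice("/receipt/", query={"view": bob_rc}),
                as_alice("/receipt/view/", form={"receipt": bob_rc}),
                as_alice("/receipt/view/no-such-id")):
        try:
            view_receipt(store, req)
            outcomes.append("allowed")
        except NotFound as err:
            outcomes.append(str(err))
    results["foreign_or_missing"] = outcomes
    try:
        delete_receipt(store, as_alice("/receipt/view/", form={"receipt": bob_rc}))
    except NotFound:
        pass
    results["bob_receipt_survives"] = store.list_owned("receipt", "bob") == [{"total": 99}]
    results["alice_transactions"] = list_transactions(store, as_alice("/user/transactions"))
    return results
```

Calling `demo()` shows Alice reading her own receipt, Bob's receipt reached through path, query string or form body failing with the same message as a non-existent id, the delete route unable to remove it, and `/user/transactions` needing no id at all. Because every route resolves to `Store.get`, a reviewer has one function to audit instead of one check per controller.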
39. Quick repetition #eatsleepraverepeat
1. IDORs are bad. Easy to exploit. Easy to find.

2. Being actively exploited as we speak. Worth €€€

3. Generic access model.

4. Numeric IDs vs Hashes

5. Review your code.
40. THAT’S ALL FOLKS!
Questions?

by Frans Rosén (@fransrosen)
www.detectify.com