Insecure direct object reference (IDOR) is a vulnerability that lets a user reach parts of a web application they are not necessarily authorized to access. A typical example is user accounts or text files stored on a server that are identified by consecutive numbers.
As a proof of concept, the lab description reads: “This lab stores user chat logs directly on the server’s file system and retrieves them using static URLs. Solve the lab by finding the password for the user `carlos`, and logging into their account.”
Using the “live chat” feature, we create a chat transcript as we communicate.
The web application saves the transcripts with consecutive numbers, as we can clearly see.
We can look at the traffic captured by Burp Suite, send one of those GET requests to Intruder, and craft our attack.
We use the Sniper attack type, since there is only a single injection point.
There is no need for a wordlist in such a simple case; consecutive numbers are enough to find what we are looking for.
Here we manage to pull the transcript of a chat that contains a password. Let’s use it!
Carlos’s account is accessed and the lab is solved.
Mitigation of this vulnerability includes enforcing access control: verifying on every request that the particular user is in fact authorized to access the requested object. Generating identifiers randomly rather than sequentially also makes them much harder to guess.
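To make the mitigation concrete, here is an added example (not code from the lab or from this post) modelling the transcript lookup in plain Python: an IDOR-prone lookup that trusts the filename in the URL, next to a store that issues opaque random IDs and checks ownership on every read. The data and user names are constructed for illustration.

```python
import secrets
from typing import Optional

# Constructed sample data: transcript filename -> (owner, body).
TRANSCRIPTS = {
    "1.txt": ("wiener", "hi, can you help me?"),
    "2.txt": ("carlos", "my password is hunter2 (constructed sample)"),
}


def fetch_transcript_insecure(name: str) -> Optional[str]:
    """Vulnerable pattern: any caller can read any transcript by name.

    Nothing ties the requested file to the logged-in user, and the names
    are sequential, so a second user can simply walk 1.txt, 2.txt, ...
    """
    entry = TRANSCRIPTS.get(name)
    return entry[1] if entry else None


class TranscriptStore:
    """Hardened pattern: opaque identifiers plus an ownership check."""

    def __init__(self) -> None:
        self._by_id: dict = {}  # transcript id -> (owner, body)

    def save(self, owner: str, body: str) -> str:
        # Random, non-sequential ID (22 URL-safe chars, 128 bits of entropy).
        # This is defence in depth only; the authorization check in fetch()
        # is what actually closes the IDOR.
        tid = secrets.token_urlsafe(16)
        self._by_id[tid] = (owner, body)
        return tid

    def fetch(self, requester: str, tid: str) -> str:
        entry = self._by_id.get(tid)
        # Same failure for "does not exist" and "not yours", so the endpoint
        # does not reveal which IDs are valid to someone probing it.
        if entry is None or entry[0] != requester:
            raise PermissionError("transcript not found")
        return entry[1]
```

Logging each PermissionError with the requester and the attempted ID is also a cheap detection signal: a single session failing on many different IDs is the enumeration pattern described above.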