Insecure Direct Object Reference / IDOR Explained // How to Bug Bounty

Captions
We are officially on week two of the 5we program, and this week's video is dedicated to how to look for IDOR: how I approach a target, look at that specific program, and look for IDOR. If you're not familiar with IDOR, it is one of the most simple vulnerabilities. It is mostly about understanding how an application or API works, digging around it, and looking for a way to leak other users' information by changing the user ID or object ID's value. Most of the time it is an integer, so by increasing it by one (12345 to 123456, or 12346, whatever that number is), incrementing it or decreasing it by one, and seeing if it leaks another user's data. But let me show you how exactly I look for it; there are a couple of tricks that you want to look for, and it may not be as straightforward. So let's jump into our lab and take a look at this week's vulnerability, which is IDOR.

But before we jump into the lab, I've got to tell you one piece of good news. A lot of you have been asking me for a promo code to my course, and I know a lot of you are waiting for the update. I promise it is coming; we have hours of content that's going to get released here in the next couple of months. But I know a lot of you guys want free access to the course, so here's what I'm going to do: during this episode, at some point, randomly, there's going to be a code printed right here somewhere on this screen that's going to allow you to get access to the course for free. After it hits that limit, unfortunately I can't give you guys unlimited access to it, but once it hits that limit you can use the link down below in the comments and get the course for a discounted price of, I think it's $699 right now. So if you lose out on the free one, go into the comments, grab that link, and you can also get it for a discounted price.

Now let's jump into the video. As always, all of these labs are going to be available for you to follow along. All you have to do is go to hackinghub.io, look for my 5we program, look for this week's vulnerability (again, IDOR), launch the hub as I'm doing right now on the screen, and jump into it with me.

So by the looks of it, just looking at this application, this looks like a simple store, and if we browse around it, it's going to have some sort of items for us to purchase. We can go back to the shop, and then obviously here we have a login page. Looking at the screen right here, it looks like the lab has given us a username and password, so we're going to type in bin and the password password, and we're going to log in and take a look at what this site looks like while we're authenticated.

One of the things that I personally like to do, and I highly recommend you also build the habit of doing, is I always, always, always have my Network tab open right here, and every time I refresh the page it's simply going to show me all the different calls that are being made as soon as the actual page opens, and I can take a look at a glance. Honestly, your other option is you can switch over to Caido or your Burp Suite or whatever proxy tool that you use and see it in there, but I personally have gotten into the habit of just having this open and looking at it at the bottom of my screen, because it kind of gives me an idea of what the website does in the background every time I load a new page. Sometimes I just want to understand how the website works, just click around it and look at those calls without jumping into the hacking itself. So that's a habit that I've gotten into, and I know a lot of top hackers do it as well, so it may be something you want to actually put into your methodology. I've also seen a lot of top hackers do this as well, so it might be one of those habits that you want to build, but regardless, you have the option of doing that through your tools as well.

So now that we're logged in, we're going to take a look at what the user account looks like. It looks like we have some settings, and if we go to edit right here, for example, we can edit our username and our display name. For this one, because I want to take a deeper look at how it looks, I'm actually going to use Caido and proxy through it. So we're going to turn on our proxy here, and we're going to send update, and we can see that it's making a call to this user ID; it's making a POST request that actually takes our username and our display name. We can send it to our Repeater and turn this off now, and in Repeater we can start fuzzing it and see if there are other vulnerabilities, which in this case means we want to look and see if there's an IDOR.

So sometimes one of the things that I do here is I just simply change this to a random ID value, like a 1, something that could be valid or actually exist, because a lot of times, even though you may see a hash there, you may have some sort of a value there, it doesn't actually mean that they're not properly mapped to a user ID and an integer. So sometimes it is something to look for; it doesn't always mean that you have to look for the hash. A lot of times I've seen companies do weird base64 encoding; also sometimes you'll see companies do weird encoding. So just because there's a long hash that doesn't make sense to you, it doesn't always mean that it's a security measure that works, so keep that in mind. You want to play around with it and see if that works. Obviously in this case it doesn't work, but we still have other functionalities that we can take a look at.

But this raises the question of how do we know if there's an IDOR here if there is a UUID or some sort of an ID here that is not an integer? So in this case, if we send this request back one more time, we're going to turn on our Caido again and go to Intercept. You can see, just because this is here doesn't mean that there isn't an IDOR. So you have a couple of options here. One is obviously you can go down the route of creating your own other accounts: you can make two accounts, grab the user IDs for each one, and test against each other.

But you also have the other option. So let's say you're on a pentest and you don't have any other user IDs, and you kind of want to see if this is vulnerable to an IDOR or something like that. Your other option is to look around and see if you can generate data based on other users' activity. So one of the things that I notice here is, when we click on some of these items, there is a bit of a review at the bottom. So if I look at the reviews, none of these have a review; maybe we can find one with a review at some point. Let's see which one it is. This one? Nope. This one? Yeah, there we go. So there, like, Adam has actually made a review on here, and at first glance we can't interact with this account, but if we look at the actual user's name, so we're going to do Adam L, we can see that in his photo and his avatar right here it is taking us to a user with their avatar.png, and it looks like if we directly go to it right here, that user ID leaks his information. This by itself, leaking the user's information, there isn't anything private or sensitive in this case, so this by itself isn't a vulnerability, but we've suddenly gone from not knowing how to get user IDs (to increase our IDOR from a low to a high, for example, or even just having an understanding of how to get a user ID) to actually having the capability of looking at those user IDs itself. So this by itself isn't a vulnerability, just because there isn't anything sensitive here other than the username and their display name, but we just went from not having a clue how the user IDs work to a way to be able to actually generate user IDs based on looking at their activities on this website. So right here, if we look, we suddenly have a user ID that we can take and test for an IDOR, especially if we don't have the capability to create other accounts; maybe there's a pentest that can't give you another account, or maybe a bug bounty program where they're giving limited credentials. So if you plug that in there, we can see that it's going to come back and tell us that you cannot update this record.

A lot of times, what I've noticed with new hackers is that they stop right here, because the most simple form of looking for an IDOR doesn't work. First there's a UUID of some sort that they can't figure out, and then they try one simple functionality and it's not vulnerable, and they stop looking for vulnerabilities completely. Here is where a lazy hacker, or someone who just wants to look for easy bugs, and someone who's willing to do the extra work kind of stand out. One of the things that I've noticed a lot of times is that a lot of the high-level surface area that's super easy to identify either has already been tested and someone's found them and reported them, or the developers have already fixed it. But here is where it gets really interesting: just because that first functionality, or the user or the owner account, is invulnerable to an IDOR or any other vulnerabilities doesn't mean that the functionalities underneath it are invulnerable as well. So a lot of times what I would do is, if I see there isn't an IDOR here, what I'm going to go and try and do is go deeper into the app and find every single item or object that that user actually owns.

So for this example, if you look, there are addresses. If I go in here and create a new address, we're going to put 123 Test, we're going to put Test City, we're going to put something like Texas and 12345 as the zip code, and we're going to actually look for this exact address being created. So we're going to take a look and create this address. Looks like we have an error, and it should be three, so we're just going to put test and create it. We can see that it's making another request to this user and it's creating an address with the data that we've given it, and if we look at the response for it, every time that the address is created it comes back and says, hey, address was created with ID 300. So it looks like now they're switching over to some sort of a different way of actually organizing this data, based on an integer itself within that hash.

So this is where things get interesting. Obviously this is a small example, but oftentimes in a lot of the larger organizations and a lot of these bigger apps you're going to have a ton more functionality under that user. So sometimes you have addresses, you have your shopping cart, you have your credit card information, and it just gets bigger and bigger, and every single one of those functionalities should be tested for IDOR, and just because one doesn't work, it doesn't mean that the others aren't going to work either.

So we're going to go back to our settings here; we're going to look at editing this again. So I'm going to run my proxy one more time, click edit, and it looks like it is actually doing a request that is going to receive this. We're also going to send that to our Replay or Repeater, send it over, let's see if it works. It's going to obviously work, because we own this address; it's going to give us some HTML data. But what happens if we update it? So once we update this, we're going to go back again, intercept this, and we can see that it is sending a request to this exact specific address with POST. Then there's two things that I want to test here, so I'm going to send these both to Repeater. The first request, in this one, it's getting to settings address 299; here it is actually going to the user, the user ID, and then it's passing the address ID. So one, I want to do a GET request to this to see, can I actually retrieve the raw data for us? The answer is yes. The next thing is I want to know if I can increase or decrease this. If I do 288, it says address was not found, giving us a weird error. We're going to do 297, 296, 295; all these are giving us a weird error. So there are two options here. I don't want to ruin the actual solution for this, so I'm going to leave it up to you to figure it out and see if you can do it, but there are a couple of things you can do.

One is, sometimes the GET request here isn't going to work, so maybe you can't actually receive the data; if you do a GET, it's always going to give you an error that says, hey, it doesn't exist. But sometimes, just because the GET request isn't working, it doesn't mean that the other requests aren't going to work as well. In other words, just because you can't retrieve data belonging to another user, it doesn't necessarily mean that you cannot also edit them as well. So sometimes I've seen this: here, for example, if I do GET 301, it's going to say, hey, the address was not found, or if I do, let's do a 298, looks like they're each giving us different errors: one is giving us a 404, and then the other one says, hey, not found 222. But if you send the POST request, in some cases it is going to actually work. So what I'm trying to get to here is, just because you can't retrieve data doesn't mean you can't also edit them. This is where it's important to either have two different user accounts, or just find a way to find another user, and test them against each other. So in this case, the one reason why it's not going to work is because not only are we passing 298 for our own user, but also we don't know if we can retrieve the other user's account. So we're going to have to go back here to our old session right here, we're going to grab this user ID, and then we're going to put this here. And now what we have to do is we have to run this through an automated tool like Intruder, or we can send it to some sort of a Python script, or you can do it here as well: you want to brute force and see which one of these IDs actually belongs to that user and see if it eventually updates for us. So I'm not going to do that part. If you want to solve this on your own, this is a good place to learn a little bit of Intruder: send this to your Intruder or your automation tool and see if you can find the ID that belongs to this user.

So this is kind of how IDOR works. A lot of times I see people just look for GET-based requests, and also they just look for, hey, can I retrieve this functionality and get this object and this data from this user; if that doesn't work, they give up, and they don't test deleting it, modifying it, or these other vulnerability types. So just because a GET request doesn't work, it doesn't mean POST, PUT, or DELETE are out of the question as well. This is your second vulnerability. What I want you to do is, if you're not on Discord for the 5we program, go to Discord, join the program, and if you're already part of that program, do me a favor: let's continue to look for cross-site scripting vulnerabilities, check the IDOR methodology, and look for IDOR as well. Let's go to those five targets that we have posted on our Discord and get to hacking. All right, that's it. I will see you all in next week's video. Peace.
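The transcript's central point is that a GET returning "address was not found" says nothing about whether the POST on the same nested object is authorized, and that an ownership check on the top-level user record does not protect the objects underneath it. The following is an added example written for this page (it is not code from the video or from the hackinghub lab): a tiny in-memory address store with the vulnerable update handler beside a hardened one, so the two behaviours can be compared side by side. The user IDs, address IDs, street strings and handler names are all constructed.

```python
"""Added example, not the video's or the lab's code: a nested-object
update handler in its vulnerable form beside a hardened one.
All users, addresses and IDs below are constructed sample data."""
import copy
from dataclasses import dataclass


@dataclass
class Address:
    id: int
    owner_id: str  # the user who created the address
    street: str


# Constructed sample data: two users, each owning one address.
SAMPLE_ADDRESSES = {
    299: Address(299, "user-ben", "123 Test St"),
    300: Address(300, "user-adam", "1 Adam Way"),
}


def get_address(store, session_user, address_id):
    """GET handler: ownership IS checked here, so another user's address
    looks like it does not exist. A test that stops at the GET would
    wrongly conclude the object is protected."""
    addr = store.get(address_id)
    if addr is None or addr.owner_id != session_user:
        return 404, "address was not found"
    return 200, addr.street


def update_address_vulnerable(store, session_user, path_user_id, address_id, street):
    """POST handler with the IDOR. It checks that the user id in the URL
    path belongs to the caller (so swapping the user id fails with
    'cannot update this record'), but then trusts the address id and
    never verifies that the address belongs to that user."""
    if path_user_id != session_user:
        return 403, "you cannot update this record"
    addr = store.get(address_id)
    if addr is None:
        return 404, "address was not found"
    addr.street = street  # missing check: addr.owner_id == session_user
    return 200, f"address {address_id} updated"


def update_address_hardened(store, session_user, path_user_id, address_id, street):
    """Fixed handler: the address is looked up scoped to the caller, and a
    foreign address gets the same response as a missing one, so the
    endpoint also stops acting as an existence oracle for other IDs."""
    if path_user_id != session_user:
        return 403, "you cannot update this record"
    addr = store.get(address_id)
    if addr is None or addr.owner_id != session_user:
        return 404, "address was not found"
    addr.street = street
    return 200, f"address {address_id} updated"


def run_method_checks(handler):
    """Replay the transcript's sequence against a fresh copy of the store:
    user-ben first GETs, then POSTs to, Adam's address 300 through his own
    user path. Returns the two status codes and whether Adam's row changed."""
    store = copy.deepcopy(SAMPLE_ADDRESSES)
    get_status, _ = get_address(store, "user-ben", 300)
    post_status, _ = handler(store, "user-ben", "user-ben", 300, "456 Other St")
    return {
        "get_status": get_status,
        "post_status": post_status,
        "victim_modified": store[300].street != SAMPLE_ADDRESSES[300].street,
    }


if __name__ == "__main__":
    print("vulnerable:", run_method_checks(update_address_vulnerable))
    print("hardened:  ", run_method_checks(update_address_hardened))
```

Run stand-alone, the vulnerable handler reports GET 404 but POST 200 with the victim's row changed, while the hardened one reports 404 for both and leaves the row untouched. The defensive takeaway matches the transcript: authorization has to be asserted per object and per method, and a review or test suite that only exercises the read path will miss exactly this bug.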
Info
Channel: NahamSec
Views: 15,014
Id: bCUqio4gNu4
Length: 13min 27sec (807 seconds)
Published: Wed Feb 28 2024