🕯️ IDOR to Account Takeover

-------------------------------------------------------------

How to Find IDOR

  1. Find the endpoint within the request.

  2. Change the ID to another account you own - don't test on an account you don't own.

  3. If it works, it's an IDOR.

  4. Find endpoints that require admin permissions.

  5. Log in with a non-admin account, then request the admin endpoints with that account's cookie swapped in.

  6. If it works, it's an IDOR.

-------------------------------------------------------------

Tips to Find IDOR

  • APIs can be great for finding IDORs

  • It never hurts to do some recon on the API endpoints

  • Sometimes validation is only client side, so it is worth doing everything in Burp

  • IDORs can appear in many different kinds of web apps

  • The impact of an IDOR can range from low to critical

-------------------------------------------------------------

Method: IDOR for Deleting Other People's Tasks

  1. Create a task with User A

  2. Log in with User B

  3. Create a task with User B

  4. Turn on the interceptor

  5. Delete User B's task

  6. In the intercepted request, change the task ID to User A's task ID

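Added example, not code from the original notes: a task-delete handler in the shape the method above catches, beside the hardened form that joins the session identity to the object before changing state. The store, user names and task ids are constructed for the example.

```python
# Added example, not code from the original notes. The store, user names and
# task ids below are constructed for illustration.

def make_tasks():
    """Constructed sample store: task id -> task record."""
    return {
        101: {"owner": "userA", "title": "User A's task"},
        202: {"owner": "userB", "title": "User B's task"},
    }

def delete_task_vulnerable(tasks, session_user, task_id):
    """Vulnerable: checks only that someone is logged in, then trusts the task_id
    taken from the request. User B's session can delete task 101 (User A's)."""
    if session_user is None:
        return 401, "not logged in"
    if task_id not in tasks:
        return 404, "no such task"
    del tasks[task_id]
    return 200, "deleted"

def delete_task_fixed(tasks, session_user, task_id):
    """Hardened: identity comes from the server-side session, the object id from
    the request, and the two are joined before any state change. A task the
    caller does not own is reported exactly like a missing one, so the endpoint
    is not an existence oracle for other users' ids either."""
    if session_user is None:
        return 401, "not logged in"
    task = tasks.get(task_id)
    if task is None or task["owner"] != session_user:
        return 404, "no such task"
    del tasks[task_id]
    return 200, "deleted"

def list_tasks_fixed(tasks, session_user):
    """Same rule for reads: scope the query to the caller instead of filtering a
    client-supplied id list, which is how a /user {"ids": [...]} leak starts."""
    return [tid for tid, t in tasks.items() if t["owner"] == session_user]
```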
-------------------------------------------------------------

Method: IDOR Bug to See a Hidden Function of Any User Even Without Access Rights

  • Create 2 accounts: admin, guest

  • Use the admin account to create a function

  • Change the visibility setting so other people cannot see the function

  • The guest account can still view the function by its ID via a direct request

  • Impact: users can see the hidden function

-------------------------------------------------------------

How to Bypass Access Authorization Using the OPTIONS Method

GET /instructor/performance/students/?course_id=497558 HTTP/1.1 : 403 Forbidden

OPTIONS /instructor/performance/students/?course_id=497558 HTTP/1.1 : 200 OK

The GET is refused, but the same path answers OPTIONS with 200: the access check is tied to the HTTP method rather than to the resource.

-------------------------------------------------------------

Simple --> IDOR

  1. Log in to the first account

  2. Open Cookie Editor, change the cookie/JWT value, and press Enter

  3. Refresh the page and see the response > BOOM

-------------------------------------------------------------

Autorize --> IDOR

  1. Log in to the attacker account and the victim account

  2. Open Cookie Editor and copy the attacker's cookie/JWT value together with its header

  3. Open the Autorize extension in Burp Suite

  4. Paste the cookie/JWT value with the header

  5. Add filters:

  6. (1) Scope items only (2) URL Not Contains (simple string): socket.io (3) URL Contains (regex): .+/api/.+

  7. Tick the Auto-Scroll checkbox

  8. Turn Autorize on

  9. Manually exercise the authorization, authentication and privileged-access functions from the victim account and compare the results in the Autorize tab

-------------------------------------------------------------

GraphQL Introspection to Account Takeover

1- Tried logical manipulation (parameter pollution) by supplying IDs (UUIDs) such as attackerid,victimid, and it returned the victim's auth token.

2- Using the victim's auth token, changed their email address to an attacker-controlled email, reset their password, and got full control of the victim's account.

-------------------------------------------------------------

Insecure Direct Object Reference -> IDOR

1- Register on the website

2- In account settings there is a parameter called ID; it holds a normal ID

3- I register a second account

4- Change the email and ID for the second account

5- The email is changed successfully

6- Reset the password, then take over

-------------------------------------------------------------

Privilege Escalation to Access Admin Panel with Full Control

1- Register an account

2- Intercept the request

3- Here's the response (in the image): in the "role" parameter we have ROLE_USER, so I don't know what I can replace it with to escalate my account to admin

4- Open the source code and look in the JS files

5- In the JS files I used Ctrl+F to search for "user_role" and found another value called "admin_role"

6- So I used match and replace to replace the values

7- Boom, my account is escalated to an admin account with full control
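Added example, not code from the original notes: a route guard that closes the two vertical access-control gaps described above (the OPTIONS bypass and the client-supplied role), by applying the role check to every HTTP method and taking the role from the server-side session instead of the request body. Sessions, paths and role names are constructed; the course_id path is the one quoted above.

```python
# Added example, not code from the original notes. Sessions, paths and roles
# are constructed for illustration.

SESSIONS = {
    "cookie-alice": {"user": "alice", "role": "ROLE_USER"},
    "cookie-root":  {"user": "root",  "role": "ROLE_ADMIN"},
}

# Minimum role per path prefix. The policy is keyed by path only, never by method,
# so OPTIONS/HEAD/POST cannot answer differently from GET.
ROUTE_POLICY = {
    "/instructor/": "ROLE_ADMIN",
    "/me": "ROLE_USER",
}

# ROLE_ADMIN satisfies every requirement; ROLE_USER satisfies only ROLE_USER.
GRANTS = {"ROLE_ADMIN": {"ROLE_ADMIN", "ROLE_USER"}, "ROLE_USER": {"ROLE_USER"}}

def register(body):
    """Account creation: the role is assigned server-side. A client-supplied
    {"role": "ROLE_ADMIN"} (or a match-and-replaced role) in the body is ignored."""
    cookie = "cookie-" + body["username"]           # constructed, not a real session id
    SESSIONS[cookie] = {"user": body["username"], "role": "ROLE_USER"}
    return cookie

def authorize(method, path, cookie):
    """Return the HTTP status the guard sends before any handler runs. `method`
    is accepted but deliberately not consulted: the decision is method-agnostic."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401
    need = next((r for p, r in ROUTE_POLICY.items() if path.startswith(p)), None)
    if need is None:
        return 404                                  # unknown path: deny by default
    if need not in GRANTS[session["role"]]:
        return 403                                  # same answer for GET, POST, OPTIONS...
    return 200
```

A CORS preflight OPTIONS request carries no cookies and should be answered by the CORS layer in front of this guard, without touching application data.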

-------------------------------------------------------------

Test for an IDOR Vulnerability That Leads to All User Data Leakage

  1. Change the /me endpoint to /user.

  2. Change the GET method to POST.

  3. Add a Content-Type: application/json header.

  4. Add this payload to the HTTP request body. Payload: {"ids":["1"]}

-------------------------------------------------------------

IDOR in the Profile Image Upload Functionality

Vulnerable URL: https://██████████/███████ID/#Common/EditOne/Person/{account_id}

Steps to reproduce:

1) Browse to the image and click the upload button

2) Capture this request in Burp Suite

3) Change the value of the 'personId' parameter to account2's account_id (please see screenshot1)

4) Then go to account2; you will see the uploaded image has gone to the approved tab

Impact

An attacker is able to change the profile image of any user

-------------------------------------------------------------

Broken Access Control: Tips and Tricks for Finding It

  1. Identify sensitive functions and data.

  2. Test for access control bypass by modifying user IDs in requests.

  3. Check for IDOR vulnerabilities by modifying unique identifiers in URLs.

  4. Test role-based access control (RBAC) by logging in with different user roles.

  5. Look for unprotected APIs and see if you can update another user's profile.

  6. Test for horizontal and vertical privilege escalation by modifying session tokens.

-------------------------------------------------------------

Server Security Misconfiguration

1- Capture the reset-password request

2- Send it to Intruder

3- Repeat the request 50 times

4- If you get 50 reset-password messages in your email, you can report it
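Added example, not code from the original notes: the server-side fix for the finding above, a per-address throttle on reset emails with a response that stays identical whether or not an email was actually sent. The limit, window and sample address are constructed.

```python
# Added example, not code from the original notes. Limit, window and the
# address used in the test are constructed for illustration.
import time
from collections import deque

class ResetThrottle:
    """Allow at most `limit` reset emails per `window` seconds for each target address."""
    def __init__(self, limit=3, window=3600, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._sent = {}   # normalised address -> deque of send timestamps

    def allow(self, email):
        now = self.clock()
        key = email.strip().lower()          # "Victim@X " and "victim@x" share one bucket
        q = self._sent.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                      # drop sends that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def handle_reset_request(throttle, email, send_email):
    """Always answer the same way, so the endpoint reveals neither whether the
    address is registered nor whether it was throttled; only the side effect
    (the email) is suppressed."""
    if throttle.allow(email):
        send_email(email)
    return 200, "If that address is registered, a reset link has been sent."
```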

-------------------------------------------------------------

Session Hijacking Testing Steps

  1. Log in to your account

  2. Use a cookie editor extension in the browser

  3. Copy all the target's cookies

  4. Log out of your account

  5. Paste those cookies back into the cookie editor extension

  6. Refresh the page; if you are still logged in, this is session hijacking
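Added example, not code from the original notes: a server-side session store in which logout revokes the session record, so a cookie copied before logout no longer resolves, and idle sessions expire. The timeout value and user name are constructed.

```python
# Added example, not code from the original notes. Timeout and user name are
# constructed for illustration.
import secrets
import time

class SessionStore:
    """Server-side sessions: the cookie is only an opaque handle, so the server
    can revoke it on logout instead of merely asking the browser to forget it."""
    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self._sessions = {}
        self.idle_timeout, self.clock = idle_timeout, clock

    def login(self, user):
        sid = secrets.token_urlsafe(32)            # fresh, unguessable id per login
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def resolve(self, sid):
        """Return the user for a cookie, or None if it was never issued, was
        revoked by logout, or has been idle longer than idle_timeout."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Delete the record server-side; a copy of the cookie is now useless."""
        self._sessions.pop(sid, None)
```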

-------------------------------------------------------------