Objective
Learn how to exploit Insecure Direct Object Reference (IDOR) vulnerabilities to access unauthorized resources on the server and understand how to mitigate such risks with proper access controls.
Scenario
You are assessing a web application that allows users to view their profile information. The application references user-specific data through a URL parameter. Due to a lack of proper authorization checks, an attacker can manipulate this parameter to access other users’ data.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and SQL.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
Database Setup
Open phpMyAdmin and create a new database:
CREATE DATABASE idor_lab;
Use the database:
USE idor_lab;
Create a users table:
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(50) NOT NULL,
email VARCHAR(100) NOT NULL
);
Insert sample users:
INSERT INTO users (username, email) VALUES ('alice', '[email protected]');
INSERT INTO users (username, email) VALUES ('bob', '[email protected]');
PHP Script for Profile Access
Create a file profile.php:
<?php
// Deliberately vulnerable lab code: any visitor can request any row by id.
$conn = mysqli_connect("localhost", "root", "", "idor_lab");
if (isset($_GET['id'])) {
    // The id is taken straight from the URL. Nothing here asks who the
    // requester is or whether this row belongs to them: that missing
    // authorization check is the IDOR. (The cast limits this file to that
    // one flaw; without it the interpolated query is also SQL-injectable.)
    $id = (int) $_GET['id'];
    $query = "SELECT * FROM users WHERE id = '$id'";
    $result = mysqli_query($conn, $query);
    if (mysqli_num_rows($result) > 0) {
        $user = mysqli_fetch_assoc($result);
        echo "<h2>Profile Information</h2>";
        echo "<p>Username: " . $user['username'] . "</p>";
        echo "<p>Email: " . $user['email'] . "</p>";
    } else {
        echo "<h2>No user found.</h2>";
    }
}
?>
Running the Application
- Start the Apache and MySQL services (the script connects to MySQL on localhost).
- Place profile.php in the web server's root directory (htdocs for XAMPP).
- Open http://localhost/profile.php?id=1 to view Alice's profile.
Exploitation Steps
Step 1: Accessing Other Users' Profiles
- Open http://localhost/profile.php?id=1 to view Alice's profile.
- Modify the URL to http://localhost/profile.php?id=2 to access Bob's profile.
Expected Result:
- Bob's profile is returned to anyone who asks for it. No login was required, and because the ids are sequential, every other record is one guess away (id=3, id=4, and so on).
Step 2: Accessing Sensitive Files (Optional Scenario)
The same pattern applies to file references. If the application serves downloads through a URL such as:
http://localhost/download.php?file=reports/alice.pdf
then swapping in another user's report name is the same IDOR as in Step 1, and changing the parameter to:
http://localhost/download.php?file=../../../../etc/passwd
is path traversal: each ../ segment walks one directory up and out of reports/.
Expected Result:
- If download.php hands the parameter to the filesystem without validating it, the server returns files it was never meant to serve, such as the system password file above.
Solution and Prevention
Problem Analysis
- The application uses the id parameter from the URL to select a row without checking that the requester is entitled to that row. There is no notion of "who is asking" anywhere in profile.php, and the ids are predictable, so the only thing standing between an attacker and every record is a counter.
Fixing the Vulnerability
Implement Access Controls
Verify that users can only access their own data. The identity used for the check must come from the server-side session set at login, never from the request itself:
session_start();
$conn = mysqli_connect("localhost", "root", "", "idor_lab");
// No session means there is no "self" to compare against: deny rather than fall through.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit("<h2>Please log in.</h2>");
}
$user_id = (int) $_SESSION['user_id'];
$requested_id = (int) ($_GET['id'] ?? 0);
// Compare integers strictly; a loose == would accept values such as "1 " as 1.
if ($user_id === $requested_id) {
    // Bind the session id as a parameter: the request can no longer change which row is read.
    $stmt = mysqli_prepare($conn, "SELECT username, email FROM users WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $user_id);
    mysqli_stmt_execute($stmt);
    $user = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    echo "<h2>Profile Information</h2>";
    echo "<p>Username: " . htmlspecialchars($user['username']) . "</p>";
    echo "<p>Email: " . htmlspecialchars($user['email']) . "</p>";
} else {
    http_response_code(403);
    echo "<h2>Access Denied!</h2>";
}
Use Indirect References
Replace the predictable sequential id in the URL with a random token or UUID stored alongside the row and resolved server-side. This stops enumeration (an attacker cannot count up to the next profile), but it is not authorization: a token that leaks in a log, a referrer header or a shared link still grants access, so the ownership check above stays in place.
Enforce Role-Based Access Control (RBAC)
Define roles (for example user and admin) and decide on the server, from the role stored with the account and loaded after authentication, which accounts may view profiles other than their own. The role must never be read from a cookie, hidden field or URL parameter the client controls.
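The three measures above (a session-based ownership check, an indirect reference in place of the row id, and a role check) combined in one hardened profile.php. This is an added example written for this edit, not code from the original lab; it assumes a login step elsewhere that sets $_SESSION['user_id'], and two extra columns on the users table, role and public_id, which the comment at the top of the file creates. The parameter name p and the helper fetch_one are choices made for this example.

```php
<?php
// Added example (not part of the original lab): profile.php with
// authentication, authorization, indirect references and a role check all
// decided on the server side. Assumptions made for this example:
//   - login code elsewhere stored the caller's numeric id in $_SESSION['user_id'];
//   - the users table has two extra columns, created with:
//       ALTER TABLE users
//         ADD COLUMN role VARCHAR(10) NOT NULL DEFAULT 'user',
//         ADD COLUMN public_id CHAR(32) NOT NULL UNIQUE;
//       UPDATE users SET public_id = LOWER(HEX(RANDOM_BYTES(16)));
//     (if your MySQL/MariaDB lacks RANDOM_BYTES, fill public_id from PHP
//      with bin2hex(random_bytes(16)) instead).
declare(strict_types=1);
session_start();

// 1. Authentication. Without a session there is no "self" to compare against.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('<h2>Please log in.</h2>');
}
$callerId = (int) $_SESSION['user_id'];

$conn = mysqli_connect('localhost', 'root', '', 'idor_lab');
if ($conn === false) {
    http_response_code(500);
    exit('<h2>Database unavailable.</h2>');
}
mysqli_set_charset($conn, 'utf8mb4');

// Helper: run one parameterised SELECT and return the single row, or null.
function fetch_one(mysqli $conn, string $sql, string $types, mixed ...$params): ?array
{
    $stmt = mysqli_prepare($conn, $sql);
    mysqli_stmt_bind_param($stmt, $types, ...$params);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row === false ? null : $row;
}

// 2. Load the caller's own record. The role used for authorization comes from
//    the database, not from a cookie or parameter the client could edit.
$caller = fetch_one($conn, 'SELECT id, role FROM users WHERE id = ?', 'i', $callerId);
if ($caller === null) {
    http_response_code(401);
    exit('<h2>Please log in.</h2>');
}

// 3. Indirect reference. The URL carries ?p=<public_id>, an opaque random
//    token, instead of the sequential row id, so profiles cannot be found by
//    counting. No parameter means "my own profile".
if (!isset($_GET['p'])) {
    $target = fetch_one($conn, 'SELECT id, username, email FROM users WHERE id = ?', 'i', $callerId);
} else {
    $publicId = is_string($_GET['p']) ? $_GET['p'] : '';
    // Strict syntactic check before the token goes anywhere near the query.
    if (!preg_match('/^[0-9a-f]{32}$/', $publicId)) {
        http_response_code(400);
        exit('<h2>Bad request.</h2>');
    }
    $target = fetch_one($conn, 'SELECT id, username, email FROM users WHERE public_id = ?', 's', $publicId);
}

// 4. Authorization. A random token is not a permission: the owner check (or
//    the admin role) still decides. The same 404 is returned for "no such
//    token" and "not yours", so the response does not confirm that a token
//    exists.
$isOwner = $target !== null && (int) $target['id'] === $callerId;
$isAdmin = $caller['role'] === 'admin';
if ($target === null || (!$isOwner && !$isAdmin)) {
    http_response_code(404);
    exit('<h2>No user found.</h2>');
}

// 5. Output encoding, so a username such as <script> stored by one user
//    cannot execute in another user's (or the admin's) browser.
echo '<h2>Profile Information</h2>';
echo '<p>Username: ' . htmlspecialchars($target['username'], ENT_QUOTES, 'UTF-8') . '</p>';
echo '<p>Email: ' . htmlspecialchars($target['email'], ENT_QUOTES, 'UTF-8') . '</p>';
```

With this file in place, http://localhost/profile.php shows the logged-in user's own profile, http://localhost/profile.php?p=<token> shows another profile only to its owner or to an admin, and the old ?id=2 request does nothing because the row id is never accepted from the client.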
Validate File Paths
Prevent directory traversal in file access. basename() discards every directory component, so ../../../../etc/passwd collapses to passwd, which is then looked up only inside reports/; the existence check turns a missing or stripped name into a 404 instead of a warning:
$file = basename($_GET['file'] ?? '');
$file_path = "reports/" . $file;
if ($file === '' || !is_file($file_path)) { http_response_code(404); exit("File not found."); }
Note that basename() only addresses the traversal. It does not tie a report to the user who is allowed to download it, so reports/alice.pdf remains readable by Bob unless the download is scoped to the logged-in user as well.
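A download.php that applies basename() and then closes the two gaps it leaves: it scopes the lookup to the authenticated user's own directory (the IDOR side) and canonicalises the final path to make sure it is still inside that directory (the traversal side). This is an added example for this edit, not code from the original lab; it assumes a login step that sets $_SESSION['user_id'] and a layout of one report directory per user under /var/www/reports, outside the web root. The function name resolve_report_path and the .pdf-only naming rule are choices made for this example.

```php
<?php
// Added example (not part of the original lab): download.php with basename()
// plus an allowlist, per-user scoping and a realpath containment check.
// Assumptions for this example:
//   - login code stored the caller's numeric id in $_SESSION['user_id'];
//   - reports live outside the web root, one directory per user, e.g.
//     /var/www/reports/1/q1.pdf belongs to the user whose id is 1.
declare(strict_types=1);
session_start();

const REPORT_ROOT = '/var/www/reports';

/**
 * Resolve a client-supplied file name to an absolute path inside the caller's
 * own report directory, or return null if anything about it is wrong.
 */
function resolve_report_path(string $root, int $userId, string $requested): ?string
{
    // 1. basename() drops every directory component: "../../../../etc/passwd"
    //    becomes "passwd" and "reports/alice.pdf" becomes "alice.pdf".
    $name = basename($requested);

    // 2. Allowlist the shape of a report name and reject everything else,
    //    rather than trying to strip "bad" characters. This also blocks
    //    hidden files, NUL bytes and names made only of dots.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.pdf$/', $name)) {
        return null;
    }

    // 3. Scope the lookup to the authenticated user's directory. The client
    //    never chooses whose directory is read, so another user's report is
    //    unreachable even when its name is known.
    $userDir = realpath($root . '/' . $userId);
    if ($userDir === false) {
        return null;
    }

    // 4. Defence in depth: canonicalise the final path and require that it
    //    still lies inside $userDir (a symlink planted there would otherwise
    //    point outside) and that it is a regular file.
    $path = realpath($userDir . '/' . $name);
    if ($path === false
        || !str_starts_with($path, $userDir . DIRECTORY_SEPARATOR)
        || !is_file($path)) {
        return null;
    }
    return $path;
}

if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Please log in.');
}

$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_report_path(REPORT_ROOT, (int) $_SESSION['user_id'], $requested);
if ($path === null) {
    // One answer for "bad name", "traversal attempt" and "not your file":
    // the response must not tell the caller which one it was.
    http_response_code(404);
    exit('File not found.');
}

header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the directory is derived from the session rather than the URL, the request from Step 2 of the exploitation section (file=../../../../etc/passwd) is reduced to the name passwd, fails the allowlist, and receives the same 404 that a request for another user's report would.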
Testing After Fix
- Log in as Alice and open http://localhost/profile.php?id=1: Alice's profile is shown.
- While still logged in as Alice, open http://localhost/profile.php?id=2.
- Log out (or use a private browsing window) and open http://localhost/profile.php?id=1 again.
Expected Result:
- The request for Bob's profile is refused with "Access Denied!", and the logged-out request is refused as well. Before the fix, both returned the requested data to anyone.
Conclusion
In this lab, you exploited an Insecure Direct Object Reference (IDOR) vulnerability to access unauthorized user data. You also learned how to secure applications by implementing proper access controls, using indirect object references, and validating file access.