Objective
Learn how to exploit Insecure Direct Object Reference (IDOR) vulnerabilities to access unauthorized files on a server and understand how to implement secure file handling and proper access controls.
Scenario
You are evaluating a web application that allows users to download their uploaded documents. Due to a lack of proper access control, attackers can manipulate request parameters to access sensitive files on the server.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and file handling.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for File Download
Create a file named download.php:

<?php
if (isset($_GET['file'])) {
    // Vulnerable by design: the file name is taken straight from the request,
    // so "../" sequences are honoured and nothing checks who owns the file.
    $file = $_GET['file'];
    $filepath = "uploads/" . $file;
    if (file_exists($filepath)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename=' . basename($filepath));
        readfile($filepath);
        exit;
    } else {
        echo "<h2>File not found.</h2>";
    }
}
?>
<h2>Download Your File</h2>
<form method="GET" action="">
    File Name: <input type="text" name="file" required><br>
    <button type="submit">Download</button>
</form>
Creating the Upload Directory
In the project root, create a folder named uploads and add a few files (config.txt is deliberately written to the project root, outside uploads, to stand in for a sensitive file):
mkdir uploads
echo "This is Alice's file." > uploads/alice.txt
echo "This is Bob's file." > uploads/bob.txt
echo "Database password: secret" > config.txt
Running the Application
- Start the Apache server.
- Place download.php in the web server's root directory (htdocs for XAMPP).
- Open http://localhost/download.php in your browser.
Exploitation Steps
Step 1: Accessing Unauthorized Files
Log in as Alice and download her own file by entering alice.txt in the form.
Then modify the URL or the input to request a file outside the uploads directory:

../../config.txt
Expected Result:
- The server allows downloading config.txt, exposing sensitive information.
Step 2: Accessing Other Users’ Files
Enter bob.txt in the input field while logged in as Alice.
Expected Result:
- Alice can access Bob’s file without authorization.
Solution and Prevention
Problem Analysis
- The application fails to validate user access and allows directory traversal.
Fixing the Vulnerability
Implement Access Control Checks
Verify file ownership before allowing downloads:
<?php
session_start();

// Map each user to the files they own (a database lookup in a real application).
$user_files = [
    'alice' => ['alice.txt'],
    'bob'   => ['bob.txt'],
];

// Refuse anonymous or unknown users instead of indexing $user_files with a missing key.
if (!isset($_SESSION['user'], $user_files[$_SESSION['user']])) {
    echo "<h2>Access Denied!</h2>";
    exit;
}
$user = $_SESSION['user'];

// Strict in_array avoids type-juggling matches; basename strips any directory component.
if (isset($_GET['file']) && in_array($_GET['file'], $user_files[$user], true)) {
    $filepath = "uploads/" . basename($_GET['file']);
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($filepath));
    readfile($filepath);
    exit;
} else {
    echo "<h2>Access Denied!</h2>";
}
Prevent Directory Traversal
Sanitize the input to prevent directory traversal:
// basename() keeps only the final path component, so "../../config.txt" becomes "config.txt"
// and the request can no longer leave the uploads directory.
$file = basename($_GET['file']);
$filepath = "uploads/" . $file;
Use Indirect Object References
Replace direct file references with secure identifiers:
<?php
// The client sends an opaque id; the server decides which file it maps to.
// On its own this only hides real file names: combine it with the ownership
// check above so that an id still cannot be used to fetch another user's file.
$file_ids = [
    '1' => 'alice.txt',
    '2' => 'bob.txt',
];

$id = $_GET['file_id'] ?? null;
if (is_string($id) && isset($file_ids[$id])) {
    $filepath = "uploads/" . $file_ids[$id];
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($filepath));
    readfile($filepath);
    exit;
}
Store Files Outside the Web Root
Move sensitive files to a secure directory not accessible via the web server.
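The four measures above combined into a single download handler, as an added example (not the lab's own code). It assumes the logged-in username is kept in $_SESSION['user'] as in the access-control fix, that files live in a directory outside the web root (the STORAGE_DIR path is an assumption), and that the id-to-owner table stands in for a database lookup.

```php
<?php
declare(strict_types=1);
session_start();

// Assumed location outside the web root (not under htdocs); adjust to your setup.
const STORAGE_DIR = '/var/app-data/uploads';

// Indirect references bound to an owner: the client only sees an opaque id,
// so the ownership check is part of the lookup (a database query in practice).
$files = [
    'f1' => ['owner' => 'alice', 'name' => 'alice.txt'],
    'f2' => ['owner' => 'bob',   'name' => 'bob.txt'],
];

function deny(int $status, string $msg): void
{
    http_response_code($status);
    echo '<h2>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</h2>';
    exit;
}

$user = $_SESSION['user'] ?? null;
if (!is_string($user)) {
    deny(401, 'Please log in.');
}

// Reject non-string ids (e.g. file_id[]=x) before using them as an array key.
$id = $_GET['file_id'] ?? null;
if (!is_string($id) || !isset($files[$id]) || $files[$id]['owner'] !== $user) {
    deny(403, 'Access Denied!'); // same answer for "unknown id" and "not yours"
}

// Defence in depth: strip any directory part even though the name is ours,
// then confirm the resolved path really lies inside STORAGE_DIR.
$base = realpath(STORAGE_DIR);
$real = realpath(STORAGE_DIR . '/' . basename($files[$id]['name']));
if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
    deny(404, 'File not found.');
}

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($real) . '"');
header('Content-Length: ' . filesize($real));
readfile($real);
exit;
```

Requesting ?file_id=f2 as Alice returns 403, and a traversal payload never reaches the filesystem because the client-supplied value is only ever used as a key into $files.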
Testing After Fix
- Attempt to access ../../config.txt after applying the fix.
  - Expected Result: Access is denied, and directory traversal is blocked.
- Attempt to access Bob's file as Alice.
  - Expected Result: Alice cannot access Bob's file.
Conclusion
In this lab, you exploited an Insecure Direct Object Reference (IDOR) vulnerability to access unauthorized files. You also learned how to prevent such attacks by enforcing proper access controls, sanitizing input, and securing file storage.