APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management, bringing together breakers, defenders, and solutions in API security.
Method for exploiting IDOR on nodejs+mongodb based backend
Luis Alvarado Day, Associate Manager at Arstar IT
2. Who are we?
ARSTAR IT
Arstar IT provides high-profile consulting
services and solutions to several verticals
like:
• Gaming Industry (casinos)
• Agritech
• Localization
• Tech Startups
Founded in 2011. We have been delivering value to
customers in the USA, Europe and LatAm.
3. What we will be covering
➔ Attack on a B2C app serving a country's capital city (500k+ user base)
➔ Black-box mode: an external attacker's perspective
➔ Hunt for an IDOR vulnerability
➔ Citizen personal data exfiltration (PoC) by developing a custom API fuzzer
5. IDOR = Insecure Direct Object Reference
According to the OWASP definition:
“IDOR occurs when a user supplied input is unvalidated and direct access to the object requested is provided.”
IDOR is referenced in element A4 of the OWASP Top 10 in the 2013 edition.
IDOR is referenced in element A01 of the OWASP Top 10 in the 2021 edition.
7. Object ID in Relational databases vs mongoDB
SQL: the key is usually an integer, and it is maintained at table level.
MongoDB: the object key looks like a string (12-byte hex), and it is maintained at system level.
8. MongoDB ObjectID
It looks random, but it is definitely not random (100% deterministic).
12-byte structure, represented as a hex string in JSON, e.g.:
The structure can be parsed as follows:
Note 1: machineID changes when running in a cluster/farm environment.
Note 2: procID changes when the farm node is restarted.
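The ObjectID layout from this slide and the seed-parsing step of Phase 4, as an added example in plain Node.js (not the talk's own fuzzer code): it splits a 24-hex ObjectID into the legacy timestamp/machineID/procID/counter fields and lists which fields differ between two constructed seed IDs, which is why an ObjectID carries no secrecy and access control can never rely on an ID being unguessable. The two seed IDs are constructed for the example.

```javascript
// Added example, not the talk's own fuzzer code: split a 24-hex MongoDB
// ObjectID into the legacy 4/3/2/3-byte layout the talk describes
// (timestamp, machineID, procID, counter). Current drivers fill bytes 4..8
// with a per-process random value instead of machine+process id, but that
// value is still constant for the life of the process, so timestamp and
// counter remain the only parts that move.
function parseObjectId(hex) {
  if (!/^[0-9a-fA-F]{24}$/.test(hex)) throw new Error("not a 24-hex ObjectID");
  const bytes = Buffer.from(hex, "hex");
  const timestamp = bytes.readUInt32BE(0); // seconds since the Unix epoch
  return {
    timestamp,
    date: new Date(timestamp * 1000),
    machineId: bytes.readUIntBE(4, 3), // 3 bytes, fixed per host
    processId: bytes.readUInt16BE(7),  // 2 bytes, fixed until restart
    counter: bytes.readUIntBE(9, 3),   // 3 bytes, incremented per object
  };
}

// Which fields differ between two seed ObjectIDs. For objects created by the
// same node seconds apart, only timestamp and counter change, which is the
// property that makes ObjectIDs unusable as a substitute for access control.
function diffObjectIds(a, b) {
  const pa = parseObjectId(a);
  const pb = parseObjectId(b);
  return ["timestamp", "machineId", "processId", "counter"].filter((k) => pa[k] !== pb[k]);
}

// Constructed seed ids (not real ones from the talk).
const seedA = "62457fd0abcdef01020003e8";
const seedB = "62457fd3abcdef01020003ea";
console.log(parseObjectId(seedA));
console.log(diffObjectIds(seedA, seedB)); // [ 'timestamp', 'counter' ]
```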
10. Phase 1 - APK Reverse engineering
Used a decompiler and found a clean JS file with all the API routes.
Alternative: use an SSL-capable REST sniffer like Fiddler and exercise every possible use case in the app.
Flow: Decompile APK → Analyze code → Find API routes
11. Phase 2 - Business Object relevance analysis
Inspect the data model and try to determine which object type contains:
- Personal info (email, social ID, location, salary)
- Org private info (invoice amount, client)
- System parameters (system settings singleton)
Example entities from the data model diagram: Subscriptions, Invoices, User, Payslip.
12. Phase 3 - IDOR existence validation
1 - Created two accounts (like any regular Joe signing up)
2 - Obtained a valid Firebase token for each
3 - Used the token from account A to fetch a business object belonging to account B
13. Phase 4 - Fuzzer logic - loading initial data
1 - Collect a sample of legitimate business object IDs (we'll call them SEEDS)
2 - Parse each ObjectID to determine machine ID, timestamp, etc.
14. Phase 4 - Fuzzer logic - loading initial data
● Parameters:
  UnixTimeStampMax: the range of seconds to be scanned
  CounterMax: the range of counter values to be scanned
● Launch one thread for each MachineID value found. MachineID and process ID remain fixed.
● Thread logic: the initial timestamp is read from the seed ObjectID.
● Loop:
  For each timestamp value up to UnixTimeStampMax, in steps of 1 s,
  increment the counter until it reaches CounterMax.
Flow: load seed → loop over each timestamp → loop over each counter value
16. Possible fuzzer performance improvements
- Bidirectional fuzzing (increasing and decreasing)
- Recycle object keys to enumerate objects from other classes
- Beaconing: inject new items to detect the current objectKey, allowing a real-time attack
- Mix faulty requests with legitimate ones (WAF evasion)
- RPM throttling (WAF evasion)
17. IDOR root causes - common pitfalls
● IDOR is 100% caused by human mistakes and has nothing to do with vulnerable software, 0-days, or missing patches
● Confusing authentication with authorization
● Lack of a granular access control mechanism in the framework (or skipping the existing one)
● Confusing layers, i.e. “we have SSL in place anyway”, “we are safe because we've implemented Auth0!”
● Product launch frenzy: features eat the whole sprint
● Nonexistent access control change management and continuous audit process
● Thinking that DevSecOps is about scripting stuff for infra provisioning
18. Mitigation - Technical Level
- Monitor changes in your API contract structure (i.e. the Swagger contract). Route additions should never go unnoticed
- Implement a simple IDOR testing step in your CI/CD pipelines (you'll have to feed it with fresh valid auth tokens)
- Put access control at the top of your code-review procedure
- Feed your WAF with 500/404 events
- Do not import the whole API route contract into the client-side files
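The Phase 3 two-account check and the CI/CD IDOR testing step above, as an added example that is not code from the talk or the audited app: a tiny in-memory stand-in for a Node.js + MongoDB backend with an IDOR-prone "find by id" handler next to one whose query is scoped by the authenticated owner, and the cross-account check run against each. Users, tokens, invoices and the 24-hex ids are all constructed for the example; `authenticate` stands in for the Firebase token verification the talk mentions.

```javascript
// Added example, not code from the talk: an in-memory stand-in for a
// Node.js + MongoDB backend. An IDOR-prone "find by id" handler sits next to
// one whose query is scoped by the authenticated owner, followed by the
// two-account check from Phase 3 that a CI step can run against either.
// Constructed sample data: two users (keyed by a fake bearer token) and one
// invoice each. The 24-hex ids are made up for this example.
const users = {
  tokenA: { _id: "6243f3d1a1b2c3d4e5f60001" },
  tokenB: { _id: "6243f3d1a1b2c3d4e5f60002" },
};
const invoices = [
  { _id: "6243f3e0a1b2c3d4e5f61001", owner: users.tokenA._id, amount: 120 },
  { _id: "6243f3e0a1b2c3d4e5f61002", owner: users.tokenB._id, amount: 980 },
];

// Stand-in for token verification (Firebase in the talk): user or null.
function authenticate(req) {
  return users[req.headers.authorization] || null;
}

// Vulnerable: the caller is authenticated, but the lookup never asks
// whether the object belongs to the caller (authentication != authorization).
function getInvoiceVulnerable(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: null };
  const doc = invoices.find((i) => i._id === req.params.id);
  return doc ? { status: 200, body: doc } : { status: 404, body: null };
}

// Fixed: the query is scoped to the caller, the equivalent of
// findOne({ _id: id, owner: user._id }), so someone else's id behaves exactly
// like an id that does not exist.
function getInvoiceFixed(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: null };
  const doc = invoices.find((i) => i._id === req.params.id && i.owner === user._id);
  return doc ? { status: 200, body: doc } : { status: 404, body: null };
}

// Phase 3 check: token A must not be able to read B's object.
// Returns true when the handler refuses the cross-account read.
function idorCheck(handler) {
  const foreignId = invoices.find((i) => i.owner === users.tokenB._id)._id;
  const res = handler({ headers: { authorization: "tokenA" }, params: { id: foreignId } });
  return res.status !== 200;
}

console.log("vulnerable handler passes IDOR check:", idorCheck(getInvoiceVulnerable)); // false
console.log("fixed handler passes IDOR check:", idorCheck(getInvoiceFixed)); // true
```

In a real pipeline the two tokens come from freshly created test accounts, as the slide notes, and the check fails the build whenever a cross-account read returns 200.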
19. IDOR Mitigation - Product Management Level
- Treat access control as a continuous process. Hire a pentester at the early stages.
- Evangelize about the difference between authentication and authorization
- Understand that a single data leak will kill your business reputation
- Never promote an MVP/prototype to be the real thing (get the funding to do things right!)
- Embrace complexity (because attackers do).
- Accept a small amount of bureaucracy (c'mon, it's not that tedious)
- Classify the information for each API route.
- Do not mix API scopes: B2B, B2C, integrations and internal scope. Keep those isolated, and implement only the strictly required routes on each.
- Pick a framework when deciding on architecture. Vanilla code is far more prone to security errors; if you have a framework in place, leverage all of its security features
- Treat security as a product feature!