IDOR Know-How
Hello world!
I am Bhashit Pandya
- Security consultant
- Community person
- Part-time brawlstar player
You can find me at:
https://bhashit.in
@x30r_
1. What it is?
Let's start with what IDORs are.
Web objects are unique property values such as IDs, tag names, usernames, files, etc.
Insecure Objects
- Insecure direct object references are the vulnerability that allows an attacker to access restricted pages and functionality.
- They are part of the access control family of issues.
- The object identifiers involved are generally cyclable, predictable, or unpredictable.
2. How are the objects vulnerable?
Let's consider some examples.
Objects are vulnerable when they are used directly to:
▪ Get database records (user.jsp?getUserId=12)
▪ Perform operations (changepass/user/164935)
▪ Get filesystem resources (getImg?img=IMG_01.jpg)
▪ Access application functionality (SideNav?menuitem=3)
Replacing the expected input value with a legitimate but unexpected value for the application may lead to unauthorized access to data.
3. How to IDOR?
Demo Time!
Is it part of the OWASP standards? Yap!
OWASP.org: moving up from 5th position, it now holds 1st position in the OWASP Top 10 list. It falls under the access control umbrella.
Access Control Issues look like this:
- Being able to tamper with a cookie that carries a role flag. Ex: admin=0, admin=1
- Response manipulation.
- Forced browsing.
- Accessing internal applications.
- Privilege escalation in general.
Etc.
4. What's happening behind?
Let's dive a bit into the back-end code.
Example:
Target: api.example.com
In the profile section, the following HTTP request is triggered:
GET /userinfo?employeeid=20224872&deptid=IT HTTP/2
Host: api.example.com
- Observe the employeeid.
- An attacker can cycle the trailing 4872 in the same parameter and write a script, or use Intruder, to pull the entire database.
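The defender-side counterpart to the enumeration just described, added here and not part of the slides: a small detector that flags sessions cycling through many distinct employeeid values on /userinfo. The access-log line format and the sample lines are constructed for this example; adjust the regex to your own log layout.

```javascript
// Added example (not the slide author's code). Flags sessions that request
// many distinct employeeid values on /userinfo, the enumeration pattern an
// IDOR on this endpoint produces. Log format and lines are constructed.
const SAMPLE_LOG = [
  'sess=a1 "GET /userinfo?employeeid=20224872&deptid=IT HTTP/2" 200',
  'sess=a1 "GET /userinfo?employeeid=20224872&deptid=IT HTTP/2" 200',
  'sess=b7 "GET /userinfo?employeeid=20224870&deptid=IT HTTP/2" 200',
  'sess=b7 "GET /userinfo?employeeid=20224871&deptid=IT HTTP/2" 200',
  'sess=b7 "GET /userinfo?employeeid=20224872&deptid=IT HTTP/2" 200',
  'sess=b7 "GET /userinfo?employeeid=20224873&deptid=IT HTTP/2" 200',
  'sess=b7 "GET /userinfo?employeeid=20224874&deptid=IT HTTP/2" 404',
  'sess=b7 "GET /userinfo?employeeid=20224875&deptid=IT HTTP/2" 200',
];

// Assumed layout: session id, quoted request line, numeric status.
const LINE_RE = /^sess=(\S+) "(?:GET|POST) (\/userinfo\?[^ "]*) HTTP\/[\d.]+" (\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const params = new URLSearchParams(m[2].split('?')[1]);
  return { session: m[1], employeeid: params.get('employeeid'), status: Number(m[3]) };
}

// Returns sessions that touched more than `maxDistinct` employeeids. The
// `sequential` flag tells a responder whether the ids form an unbroken run,
// which is what a cycling script (or Intruder) leaves behind.
function findEnumeratingSessions(lines, maxDistinct = 3) {
  const perSession = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.employeeid === null) continue;
    if (!perSession.has(rec.session)) perSession.set(rec.session, new Set());
    perSession.get(rec.session).add(rec.employeeid);
  }
  const flagged = [];
  for (const [session, ids] of perSession) {
    if (ids.size > maxDistinct) {
      const sorted = [...ids].map(Number).sort((a, b) => a - b);
      const sequential = sorted.every((v, i) => i === 0 || v - sorted[i - 1] === 1);
      flagged.push({ session, distinct: ids.size, sequential });
    }
  }
  return flagged;
}
```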
Under the hood (Non-Compliant):

GET /userinfo?employeeid=20224872&deptid=IT HTTP/2
Host: api.example.com

  app.get('/userinfo', (req, res) => {
    // Both lookup keys come straight from the query string; nothing ties
    // them to the authenticated caller.
    const lookup = {}
    lookup.employeeID = req.query.employeeid
    lookup.deptID = req.query.deptid
    const user = getUser(lookup)
    res.json(user)
  })

  function getUser(user) {
    // Returns whatever record matches the caller-supplied identifiers.
    const fromDB = lookupGradeInDB(user)
    return fromDB
  }
Under the hood (Compliant):

GET /userinfo?employeeid=20224872&deptid=IT HTTP/2
Host: api.example.com

  app.get('/userinfo', (req, res) => {
    res.setHeader('Content-Type', 'application/json')
    // Access Control in place! ;)
    // The requested employeeid must belong to the authenticated session user.
    if (getCurrentUser().employeeID != req.query.employeeid) {
      var response = {}
      response.message = "Access Denied"
      res.json(response)
      return
    } else {
      // ... look up and return the record for the verified employeeid
    }
  })
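As an added example (not the slide author's code), the same /userinfo handler written as plain functions so it can be exercised without a server: the vulnerable lookup beside a hardened version that takes the identity from the session, compares on the same type, and lets an explicit hr-admin role read other records. The in-memory employee table, the session shape and the role name are assumptions made for this example.

```javascript
// Added example (not from the slides). Constructed in-memory "database".
const EMPLOYEES = {
  20224872: { employeeID: 20224872, deptID: 'IT', name: 'A. Sample', grade: 'L3' },
  20224873: { employeeID: 20224873, deptID: 'HR', name: 'B. Sample', grade: 'L5' },
};

function lookupInDB(lookup) {
  const row = EMPLOYEES[Number(lookup.employeeID)];
  return row && row.deptID === lookup.deptID ? row : null;
}

// Non-compliant: the record is selected purely from caller-controlled query
// parameters, so any employeeid the caller supplies is returned.
function userinfoVulnerable(req) {
  const user = lookupInDB({ employeeID: req.query.employeeid, deptID: req.query.deptid });
  return user ? { status: 200, body: user } : { status: 404, body: { message: 'Not found' } };
}

// Compliant: identity comes from the authenticated session (assumed shape
// req.session.user = { employeeID, roles }), not from the query string.
// The query value is accepted only when it equals the session user's id, or
// when the session carries the assumed 'hr-admin' role. Comparing as numbers
// avoids the string-vs-number mismatch a loose != would paper over.
function userinfoHardened(req) {
  const current = req.session && req.session.user;
  if (!current) return { status: 401, body: { message: 'Authentication required' } };
  const requested = Number(req.query.employeeid);
  const own = requested === current.employeeID;
  if (!own && !(current.roles || []).includes('hr-admin')) {
    return { status: 403, body: { message: 'Access Denied' } };
  }
  const user = lookupInDB({ employeeID: requested, deptID: req.query.deptid });
  return user ? { status: 200, body: user } : { status: 404, body: { message: 'Not found' } };
}

// Wiring for an Express-style app object exposing app.get as in the slides.
function mount(app) {
  app.get('/userinfo', (req, res) => {
    const out = userinfoHardened(req);
    res.status(out.status).json(out.body);
  });
}
```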
5. Do we have test cases?
Yop!
Check the next slide!
A checklist to go through
Thanks!
ANY QUESTIONS?
You can find me at:
@x30r_
linkedin.com/in/bhashit-pandya
CREDITS
Special thanks to all the people who made and released these awesome resources for free:
▪ Presentation template by SlidesCarnival