IDOR with Autorize!

Hello Guys, what’s up, hope you guys all are doing well.

Here is my write-up. I’ll tell you about one of my discoveries and explain how to find IDOR (Insecure Direct Object References).

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

You guys already know about IDOR, so without wasting time let’s move on to setting up our Burp extension (Autorize).

Autorize: Autorize is an extension aimed at helping the penetration tester to detect authorization vulnerabilities, one of the more time-consuming tasks in a web application penetration test.

If there is a message as shown in the screenshot above saying to download Jython, you’ll need to do that first.

Go to https://www.jython.org/download.html and download the Jython standalone jar file.

After downloading, go to Extender -> Options and add that jar file under Python Environment. Now you will be able to install the Autorize extension. After installing Autorize you will see a new tab added in Burp.

We need to configure this extension first.

If you do not know how this extension works and what it can be used for, refer to this blog:

After configuration, I created two accounts, user A and user B.

I copied user A’s cookie and pasted it into Autorize under Temporary Headers. We need to specify the target range as well, so add your target to the scope and add a filter in Autorize -> Interception Filters -> Scope items only.

Turn on Autorize by clicking the button shown in the screenshot.

Now all set, let’s find an IDOR…

Turn on the proxy in your browser and visit all possible endpoints from user B’s browser.

I am not disclosing my target’s name or where I found the vulnerability, because if I told you in which functionality I found this bug, you could easily guess the name of the target, since that functionality is itself the target’s name. So let’s take an example similar to my finding.

There is one functionality to hold a lucky draw, and we can add, delete, edit and duplicate that lucky draw, so all of these endpoints are authorized for the users. I just used all the functionality as a normal user: created one lucky draw, edited it, deleted it, and there is one button through which I could add a duplicate of the lucky draw I had previously created. So, with just normal use, I checked all endpoints and all functionality.

Now let’s go to Burp and check Autorize.

You can see above that there are a total of three statuses: Enforced!, Is enforced???, and Bypassed!.

We have to focus on Bypassed!: wherever you see that word, the endpoint’s authorization was bypassed. In my case there were many Bypassed! statuses, but they were not all positive results, because I visited the site as a normal user and, as I said before, authentication is not required to access all endpoints and functionality; there could be many endpoints that are unauthenticated.

So I just checked which endpoints had been bypassed. My attention was drawn to “https://example.com/lucky draw/id(1234)/duplicate”, and I knew this was an authenticated endpoint. I was able to add a duplicate lucky draw to anyone’s account. So here I had found a successful IDOR.
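As an added example (not code from the original post or from the Autorize project), here is a constructed Python model of this finding: a "duplicate" handler with and without an ownership check, plus a replay-and-compare step that labels the result the way Autorize does. The session cookies, the draw id 1234 and the comparison heuristic are assumptions made for the example.

```python
# Constructed sessions and data: user B owns draw 1234, user A is the tester.
SESSIONS = {"cookie_A": "userA", "cookie_B": "userB"}
DRAWS = {1234: {"owner": "userB", "title": "Spring draw"}}


def duplicate_vulnerable(cookie, draw_id, draws):
    """Checks only that the caller is logged in, never who owns the draw.
    Returns (status, body) like an HTTP response."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, "login required"
    src = draws.get(draw_id)
    if src is None:
        return 404, "not found"
    new_id = max(draws) + 1  # the copy lands in the owner's account, not the caller's
    draws[new_id] = {"owner": src["owner"], "title": src["title"] + " (copy)"}
    return 200, f"duplicated {draw_id} as {new_id}"


def duplicate_fixed(cookie, draw_id, draws):
    """Hardened: the draw must belong to the session user."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, "login required"
    src = draws.get(draw_id)
    if src is None or src["owner"] != user:
        return 403, "forbidden"  # one answer for missing and foreign ids
    new_id = max(draws) + 1
    draws[new_id] = {"owner": user, "title": src["title"] + " (copy)"}
    return 200, f"duplicated {draw_id} as {new_id}"


def autorize_status(handler, original_cookie, replay_cookie, draw_id):
    """Replay the original request with another user's cookie and compare.

    Labels follow Autorize; the heuristic (same status and body length means
    bypassed) is an assumed simplification of the extension's real logic.
    """
    status_o, body_o = handler(original_cookie, draw_id, dict(DRAWS))
    status_r, body_r = handler(replay_cookie, draw_id, dict(DRAWS))
    if (status_r, len(body_r)) == (status_o, len(body_o)):
        return "Bypassed!"
    if status_r in (401, 403):
        return "Enforced!"
    return "Is enforced???"


if __name__ == "__main__":
    for handler in (duplicate_vulnerable, duplicate_fixed):
        print(handler.__name__, autorize_status(handler, "cookie_B", "cookie_A", 1234))
```

Running it prints Bypassed! for the vulnerable handler and Enforced! for the fixed one, which is exactly the difference the Autorize tab shows for the duplicate endpoint.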

I quickly made a report and a PoC.

28 January 2022: Reported.

3 February 2022: Marked as Duplicate.

No worries, it’s part of bug hunting.

Kindly feel free to point out any mistakes and let me know where I can improve my writing and explanations.

That’s all for this article.

Thank you to everyone for reading!

Twitter: https://twitter.com/VivekGhinaiya

LinkedIn: https://www.linkedin.com/in/vivek-ghinaiya-b3b560202/

This post is licensed under CC BY 4.0 by the author.