What is an IDOR Vulnerability?
Have you ever heard of IDOR, or Insecure Direct Object Reference? It’s a security vulnerability that can allow bad actors to access data they’re not supposed to see. How does it happen? It happens when object IDs, which are used to identify data, aren’t properly secured: an attacker can then manipulate these IDs to gain access to sensitive information such as personal and financial data.
A pentester from Indonesia, Caesar Evan S., recently uncovered an Insecure Direct Object Reference (IDOR) vulnerability on the Google Data Studio website (https://datastudio.google.com/). The researcher reported the findings to Google, and after careful consideration the company’s Vulnerability Reward Program (VRP) panel decided to issue a reward of $3133.70 for the report.
The Google Data Studio tool is used to display data in an easily readable format, allowing users to quickly and accurately determine website development plans or other business strategies.
Based on the write-up, after experimenting with several requests in BurpSuite, Caesar found an endpoint with an IDOR vulnerability at “/persistTempReport.”
To reproduce the vulnerability, the first step Caesar took was to go to the “Template” page and select one of the available templates. The template is editable, but before clicking “Edit & Share,” he enabled intercept in BurpSuite and then clicked “Add to Report.” The researcher then intercepted a request to “/persistTempReport,” which revealed the IDOR vulnerability.
He realized the vulnerability lay in the “sourceReportId” parameter, which contained the template ID and could be changed. The researcher replaced the contents of the “sourceReportId” parameter with an ID from a different account, and the change was successful.
After further investigation, the researcher discovered another request, “/getReport,” which returned the same response as “/persistTempReport.” However, when the researcher changed the template ID in “/getReport” in the same way, the response was “PERMISSION_DENIED.”
Google was notified of the vulnerability on September 16, 2022, and the company fixed the issue by October 19, 2022.
How to Prevent IDOR Vulnerabilities?
To prevent IDOR vulnerabilities, you can take the following steps:
- Implement proper access controls: It’s essential to ensure that your application performs proper validation and authorization checks before accessing or performing any actions on an object. Using the principle of least privilege can help limit access to sensitive data or functionality.
- Use indirect references: Instead of using direct object references, use indirect references that are more difficult to guess or manipulate. For instance, you can use a random or hashed value that is not easily guessable as the object identifier, instead of a database record ID.
- Implement role-based access control (RBAC): Using RBAC can help control access to different resources based on a user’s role or privilege level, thereby ensuring that users can only access authorized resources.
- Perform input validation: You should validate all user input and ensure that it meets the expected format and data type. Doing so can prevent attackers from injecting malicious data into the application and manipulating the object identifier. Note that validation alone does not stop IDOR: a well-formed ID that belongs to another user still passes every format check, so it must be paired with the authorization check above.
- Perform thorough testing: Regularly perform security testing, such as penetration testing and vulnerability scanning, to identify any potential IDOR vulnerabilities in your application. Be sure to fix any vulnerabilities that are found.
By following these steps, you can help prevent IDOR vulnerabilities and keep your application secure. It’s important to remember that security is an ongoing process, and you should regularly review and update your security measures to stay ahead of evolving threats.
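The following is an added illustration of the first two steps above, not code from the write-up or from Google: a minimal, hypothetical “copy a report” handler in the vulnerable shape (it trusts the client’s sourceReportId) next to a hardened version that authorizes the source object first, plus a small indirect-reference map so clients never handle raw record IDs. The report store, user names and IDs are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Report:
    report_id: str
    owner: str
    title: str
    shared_with: set = field(default_factory=set)

class PermissionDenied(Exception):
    pass

# Constructed sample store (hypothetical, not Data Studio's data): two users, one report each.
REPORTS = {
    "1001": Report("1001", "alice", "Alice sales dashboard"),
    "1002": Report("1002", "bob", "Bob private finance report"),
}

def persist_temp_report_vulnerable(user, source_report_id):
    """IDOR pattern: copies whatever sourceReportId the client sends,
    never asking whether `user` may read that report."""
    src = REPORTS[source_report_id]
    return {"copied_from": src.report_id, "title": src.title, "owner": user}

def persist_temp_report_fixed(user, source_report_id):
    """Hardened: authorize the source object before copying it, the same
    kind of check the write-up says /getReport already enforced."""
    src = REPORTS.get(source_report_id)
    if src is None or not (src.owner == user or user in src.shared_with):
        # One answer for "missing" and "forbidden", so the ID space cannot be enumerated.
        raise PermissionDenied("PERMISSION_DENIED")
    return {"copied_from": src.report_id, "title": src.title, "owner": user}

class ReferenceMap:
    """Indirect references: the client only ever sees a random per-user token,
    so a guessed or incremented database ID is never accepted from the request."""
    def __init__(self):
        self._tokens = {}
    def issue(self, user, report_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user, report_id)
        return token
    def resolve(self, user, token):
        entry = self._tokens.get(token)
        if entry is None or entry[0] != user:
            raise PermissionDenied("PERMISSION_DENIED")
        return entry[1]
```

Calling `persist_temp_report_vulnerable("alice", "1002")` returns Bob’s report, while `persist_temp_report_fixed` raises `PermissionDenied` for the same call and only succeeds once Bob has shared the report with Alice.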