Broken Access Control


Also known as IDOR - Insecure Direct Object References
A Security Flaw you can learn without a Programming Background


Introduction


You will notice that in this module I don't include a "Requirements" section, because the title says it all: this is a security vulnerability that is really easy to find, to learn and to exploit WITHOUT any Coding / Programming Background.

Actually, in the real world, when I was working at CyberJustu and screening intern CVs, I saw so many CVs with lots of bugs found, and I thought, "Wow, they're so good, I will pass them in."
But when I looked deeper into their bugs, I found that most of them were IDOR, and when I asked them about coding, they were not so good at it.

If you have learned this vulnerability before, why not go and solve my challenges here?

So... What is IDOR?


Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

The definition may sound confusing when you first read it, right?
Don't worry, since you are on my website, I will explain it simply to you 😁😁😁😁😁

Let's look at an example


There are many examples of access control vulnerabilities where user-controlled parameter values are used to access resources or functions directly.

Consider a website called Fakebook that uses the following URL to access the customer account page, by retrieving information from the back-end database:

https://fakebook.com/customer_account?customer_number=14306
As you can easily see, the number 14306 is the user's unique account number; a user uses this number to access their account information page.
Each user has a different account number.
Let's look deeper into this example:
Because customer_number is a GET parameter, it is totally controlled by the user. So we can classify it as Untrusted Data.

The magic happens


So let's rewrite the URL:

https://fakebook.com/customer_account?customer_number=user_input
I think by the time you read this line, you have probably figured something out.
Yes, you are on the right track.

If the attacker changes the value of the customer_number GET parameter, they can then access and read other users' account information.

https://fakebook.com/customer_account?customer_number=2000
At this point, the attacker can read the information of the user with account number 2000.
Let's consider that there are 10,000 users on the system. By changing the value, the attacker can read the information of all the other 9,999 users.
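To make the flaw concrete from the defender's side, here is an added example (not code from the original post, and Fakebook is fictional) that models the customer_account endpoint twice: once with the IDOR exactly as described, where the record is selected purely by the customer_number parameter, and once with an authorization check that compares the requested number against the logged-in customer. The CUSTOMERS table, the session argument, the handler names and the Forbidden exception are all constructed for this illustration.

```python
# Added example, not from the original post: a minimal model of the Fakebook
# customer_account endpoint, first with the IDOR flaw, then with the fix.
# CUSTOMERS, the handlers, Forbidden and the session argument are constructed.

# Constructed sample records keyed by customer_number (the GET parameter).
CUSTOMERS = {
    14306: {"name": "Alice", "email": "alice@example.com"},
    2000: {"name": "Bob", "email": "bob@example.com"},
    1111: {"name": "Admin", "email": "admin@example.com", "role": "admin"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested account."""


def vulnerable_customer_account(session_customer_number: int, query: dict) -> dict:
    """IDOR: the record is chosen solely by the user-supplied GET parameter.

    session_customer_number identifies who is logged in, but it is never
    consulted, so any authenticated user can read any customer_number.
    """
    requested = int(query["customer_number"])  # untrusted data, used directly
    return CUSTOMERS[requested]


def hardened_customer_account(session_customer_number: int, query: dict) -> dict:
    """Fix: treat the parameter as a claim and verify it against the session.

    The object is still looked up by id, but the id must belong to the
    authenticated customer, or the caller must hold a role (here "admin")
    that is allowed to read other accounts.
    """
    requested = int(query["customer_number"])  # still untrusted; ValueError if not numeric
    caller = CUSTOMERS.get(session_customer_number)
    if caller is None:
        raise Forbidden("no authenticated customer")
    if requested != session_customer_number and caller.get("role") != "admin":
        # This mismatch is worth logging: it is the signature of an IDOR probe.
        raise Forbidden(f"customer {session_customer_number} may not read {requested}")
    record = CUSTOMERS.get(requested)
    if record is None:
        raise LookupError(f"no customer {requested}")
    return record


def attempt(handler, session_customer_number: int, requested: int):
    """Run a handler as the given session; return the record's name, or None if refused."""
    try:
        return handler(session_customer_number, {"customer_number": str(requested)})["name"]
    except Forbidden:
        return None


if __name__ == "__main__":
    # Alice (14306) asks for Bob's (2000) page through both handlers.
    print("vulnerable:", attempt(vulnerable_customer_account, 14306, 2000))  # leaks Bob
    print("hardened:  ", attempt(hardened_customer_account, 14306, 2000))    # None
```

The stricter variant of the fix is to ignore the parameter altogether and read the account number from the server-side session; the check above is shown instead because it keeps the URL shape the post discusses and makes the failed comparison visible for logging.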

Moreover, suppose the Admin account number is 1111. The attacker can use a hacking technique called "Brute-Force" to scan through all the accounts, and they would definitely find and read all of the Admin's sensitive information.

From now on, the attacker can use this information to do evil things, which can also allow them to exploit the web server further.
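The scan through all account numbers described above leaves a very recognisable trace in the web server's access log: one client requesting many different customer_number values in a short time. The following added example (not from the original post) parses a few constructed log lines for the Fakebook endpoint and flags any client that requests at least a threshold number of distinct customer_numbers inside a sliding time window. The log format, the IP addresses and the thresholds are all assumptions made for the illustration.

```python
# Added example, not from the original post: detect customer_number enumeration
# in constructed access-log lines. The log format "<ISO time> <client IP> <method>
# <path?query> <status>", the addresses and the thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not real traffic). 203.0.113.9 walks 2000..2004
# within a few seconds; the other clients only read a single account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 GET /customer_account?customer_number=14306 200
2024-05-01T10:00:05Z 203.0.113.9 GET /customer_account?customer_number=2000 200
2024-05-01T10:00:06Z 203.0.113.9 GET /customer_account?customer_number=2001 200
2024-05-01T10:00:07Z 203.0.113.9 GET /customer_account?customer_number=2002 200
2024-05-01T10:00:08Z 203.0.113.9 GET /customer_account?customer_number=2003 200
2024-05-01T10:00:09Z 203.0.113.9 GET /customer_account?customer_number=2004 200
2024-05-01T10:00:30Z 198.51.100.7 GET /customer_account?customer_number=14306 200
2024-05-01T10:05:00Z 192.0.2.44 GET /customer_account?customer_number=7 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str):
    """Return (timestamp, client, customer_number) for a customer_account hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    url = urlsplit(m.group(4))
    if url.path != "/customer_account":
        return None
    values = parse_qs(url.query).get("customer_number")
    if not values:
        return None
    try:
        return ts, m.group(2), int(values[0])
    except ValueError:
        return None  # non-numeric parameter: not an id walk, ignore here


def find_enumeration(log_text: str, window: timedelta = timedelta(minutes=1), threshold: int = 3) -> dict:
    """Flag clients requesting >= threshold distinct customer_numbers within one window.

    Returns {client: highest number of distinct ids seen in any window}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, client, cid = parsed
            events[client].append((ts, cid))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({cid for _, cid in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # only the walking client is reported
```

Counting distinct ids per client rather than raw request volume is what separates a legitimate user refreshing their own page (198.51.100.7 above) from an enumeration; in a real deployment the client key would usually be the session or user id rather than the source address, and the flagged ids should be cross-checked against who was actually logged in, which is exactly the comparison the hardened handler refuses.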



Okay, that's enough theory. Let's experience the hacking techniques.

CTFd Platform