Recently, I was travelling abroad & had to book a cab to attend a meeting. However, the meeting got rescheduled & I had to cancel the cab. As I had spare time until the meeting, I thought of playing around with the taxi mobile app that I had used to book the cab.
While looking at various features of the app, I figured out that the application was giving me direct access to resources belonging to other users. This vulnerability is called Insecure Direct Object Reference (IDOR); it allows an attacker to bypass authorization and directly access resources they are not authorized for, such as database entries or files on the system. It is exploited by modifying the parameter that directly references an internal object in the system.
To understand this vulnerability fully & how it can be exploited, let me walk you through the following demonstration, which shows how we were able to cancel the upcoming trips of arbitrary users without their consent.
1. Book a cab from our account on the mobile app.
2. Intercept the traffic using any proxy tool, say Burp Proxy.
3. When you tap "My Trips" in the app, you can see your current & upcoming bookings. Cancel one of your bookings; the original request seen in the proxy looks as follows:
4. The response for a successful cancellation, as seen in the proxy, is shown below:
5. Now copy the above cancel-trip request to the Repeater tool available in Burp Proxy & change the passenger log id to an arbitrary value of your choice, as shown below. It's better to choose adjacent values, as there is a high probability that such a trip exists. Forward this modified request & check the response received.
6. Once the request is forwarded, if any trip exists with the passenger log id given in the request, you will see a response saying that the trip is canceled, as shown below, and the affected user will receive an SMS confirmation of the cancellation.
The potential impact of the above vulnerability varies depending on what kind of data the attacker can get hold of and what business value that exposed data holds. It may lead to huge losses for the business: firstly, in the above scenario, where any advance or current booking can be canceled, the business is affected monetarily; secondly, the business will lose its customer base, as such situations lead to customer dissatisfaction.
This kind of vulnerability can let an attacker access a user's bank statements or PII, modify a user's data, and so on. As mentioned above, the impact varies from business to business, but it can compromise the entire system's data and hence lead to disclosure of highly sensitive information along with financial & reputational loss to the business.
It's a very common security weakness in applications these days. However, a little effort by application developers & a proactive attitude towards security can improve the application & protect the business from such exploits. To avoid this vulnerability the application should implement proper access control: the server must verify that the user is authorized for the requested object before it acts on it or returns it.
Another way to prevent an attacker from exploiting this issue is to use indirect references to the system's internal objects. For instance, the crucial element in the exploit demonstrated above is the internal object identifier, the passenger log ID, which is easily predictable by anyone. If a random string instead of an incrementing integer is used to refer to internal objects, it becomes much harder to exploit. However, this is not a foolproof solution & should not be implemented as the only prevention for such attacks.
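To make the two fixes above concrete, here is an added example (written for this post, not the taxi app's own code) of a cancel-trip handler in both its vulnerable form and its hardened form, plus the unpredictable identifier suggested as a second layer. The trip store, the passenger names and the sequential trip ids are constructed sample data; the function and exception names are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Trip:
    trip_id: str
    owner_id: str
    status: str = "booked"


class TripStore:
    """Minimal in-memory stand-in for the booking database (constructed)."""

    def __init__(self):
        self._trips = {}

    def add(self, trip):
        self._trips[trip.trip_id] = trip

    def get(self, trip_id):
        return self._trips.get(trip_id)


class CancelRejected(Exception):
    """Raised when a cancellation is refused; maps to one generic error response."""


def cancel_trip_vulnerable(store, session_user, trip_id):
    """IDOR: the caller is authenticated (session_user) but the handler
    never checks that the named trip belongs to that caller."""
    trip = store.get(trip_id)
    if trip is None:
        raise CancelRejected("no such trip")
    trip.status = "cancelled"
    return trip


def cancel_trip_hardened(store, session_user, trip_id):
    """Same endpoint with object-level authorization: the trip must be owned
    by the authenticated user. A missing trip and someone else's trip get the
    same rejection so the response does not reveal which ids exist
    (design choice of this example)."""
    trip = store.get(trip_id)
    if trip is None or trip.owner_id != session_user:
        raise CancelRejected("trip not found")
    trip.status = "cancelled"
    return trip


def new_trip_id():
    """Indirect reference: a random, unguessable id instead of an incrementing
    integer. This only raises the cost of guessing; the ownership check in
    cancel_trip_hardened is still the actual control."""
    return secrets.token_urlsafe(16)


def build_sample_store():
    """Two passengers with adjacent sequential trip ids (constructed data)."""
    store = TripStore()
    store.add(Trip("1001", "alice"))
    store.add(Trip("1002", "bob"))
    return store


def demo():
    """Replays the scenario from the post: alice's session submits bob's trip id."""
    store = build_sample_store()
    cancel_trip_vulnerable(store, "alice", "1002")
    vulnerable_outcome = store.get("1002").status  # "cancelled": bob's trip is gone

    store = build_sample_store()
    try:
        cancel_trip_hardened(store, "alice", "1002")
        hardened_outcome = "cancelled"
    except CancelRejected:
        hardened_outcome = store.get("1002").status  # still "booked"
    return vulnerable_outcome, hardened_outcome


if __name__ == "__main__":
    print(demo())
```

The ownership comparison is the fix; `new_trip_id` merely removes the "adjacent value" shortcut, which is why the post calls indirect references a complement to access control rather than a replacement for it.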