
How to bypass IDOR through parameter pollution

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how an IDOR check can be bypassed through HTTP parameter pollution. It is shared here as a reference; after reading it you should have a working understanding of the technique and of why the server-side check fails.

During a penetration test, I stumbled upon an interesting IDOR (insecure direct object reference) vulnerability. By using a parameter pollution technique (a test case that is often neglected), an attacker was able to bypass the IDOR protection on the target site.

At the time, I was looking for IDOR vulnerabilities in the REST API that the target application exposed, but none of its endpoints had a traditional IDOR vulnerability. After further testing, however, I found that by supplying the same parameter name several times with different values, I could bypass the check on the target application.

Next, I'll show you how to use parameter pollution techniques to achieve IDOR bypass.

Suppose the UserID of our own account is 123. To test for IDOR, we change the value of UserID from 123 to the UserID of another user's account, 456. If the target application has no traditional IDOR vulnerability, we receive a "401 Unauthenticated" status in response.

At this point, to bypass the check we use parameter pollution: we pass two UserID parameters, one carrying the UserID of the target account and the other carrying the UserID of our own account.

The following figure shows the sample request we sent:

I encountered exactly this scenario during the penetration test. My target was a REST API endpoint, and it behaved as follows:

1. It reads the first UserID parameter in the request.

2. The user sending the request must include their own UserID in the GET request.

In such a scenario, we only need to add two UserID parameters to the original request to bypass the check. The first UserID is the target user's UserID and the second is the attacker's UserID, which is enough to make the target application treat the request as legitimate.
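To show why the two-parameter request works and how to close the hole, here is an added example (not code from the original article). It models the endpoint behaviour described above with the assumption that the authorisation check reads the last copy of UserID while the data lookup reads the first; the profile store, session table and URLs are constructed for the demo.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed demo data (not from the original article): profile store and
# session table mapping a session token to the authenticated account's UserID.
PROFILES = {"123": {"name": "Attacker Full Name"}, "456": {"name": "Target Full Name"}}
SESSIONS = {"sess-abc": "123"}

def query_params(url):
    """Parse the query string keeping every value, so repeated names stay visible."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)

def duplicate_params(url):
    """Names that appear more than once: a cheap pollution check for logs or a WAF rule."""
    return sorted(k for k, v in query_params(url).items() if len(v) > 1)

def vulnerable_handler(url, session_token):
    """Mirrors the endpoint described above: the authorisation check reads one copy
    of UserID while the data lookup reads another, so the two can disagree."""
    ids = query_params(url).get("UserID", [])
    if not ids:
        return 400, None
    if ids[-1] != SESSIONS.get(session_token):   # check uses the LAST copy ...
        return 401, None
    return 200, PROFILES.get(ids[0])             # ... lookup uses the FIRST copy

def hardened_handler(url, session_token):
    """Fix: reject repeated parameters, bind the caller's identity to the session,
    and drive both the check and the lookup from the same single parsed value."""
    if duplicate_params(url):
        return 400, None
    requested = query_params(url).get("UserID", [None])[0]
    caller = SESSIONS.get(session_token)
    if caller is None or requested != caller:
        return 403, None
    return 200, PROFILES.get(requested)
```

The `duplicate_params` check is also useful on its own against access logs: a request line with the same parameter name repeated is a strong signal of a pollution attempt worth alerting on.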

My own account's profile shows my full name and other personal details, and this information is not displayed to other users.

The request had to include the UserID of my own account. As most penetration testers would, I first simply changed the UserID in the request to the UserID of another user's account.

Unfortunately, nothing happened: I received a 401 unauthorized error.

The following figure shows the request information that cannot be bypassed by traditional IDOR:

Thinking of parameter pollution, I then added both my own UserID parameter and the target user's UserID to the test request and tried to access the target user's profile.

As you have probably guessed, this time it worked.

The following figure shows the IDOR bypass request we built using parameter pollution technology:

Through the request constructed with parameter pollution, I obtained the target user's full name and a large amount of sensitive information that is never made public. Worse, almost every parameter of the target application was affected by the same flaw, so this security problem was devastating for the application.

That is all on bypassing IDOR through parameter pollution. I hope the above is of some help to you and that you have learned something from it. If you found the article useful, please share it so more people can see it.
