How to use BurpSuite to realize automatic Discovery and Identification of ultra vires vulnerability IDOR

2025-03-26 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article introduces how to use Burp Suite to automate the discovery and identification of IDOR ("ultra vires", i.e. privilege-exceeding) vulnerabilities. The content is fairly detailed; interested readers can refer to it, and I hope it is helpful.

Here is a way to automate the discovery of IDOR vulnerabilities: use the Autorize and Autorepeater extensions in Burp Suite to detect and identify IDOR issues without having to manually change parameters or re-send each request by hand.

IDOR ("ultra vires") vulnerability: also known as "Insecure Direct Object Reference". It occurs when a user requests an internal resource, or an action on one, that is selected by an object reference the user supplies, and the server does not properly verify that the user is permitted to access that object. As a result, the current user can access resources or data outside their own account's permissions without authorization.

Both Autorize and Autorepeater can be installed from Burp Suite's extension library, the BApp Store:

Discovering IDOR vulnerabilities with Autorize

Let's look at Autorize first. For every request the client sends, it replays an equivalent request in which the Cookie header is replaced with another user's session cookie (or other authorization headers are added). Assume the following two users:

User A - administrator

User B - ordinary user

Now we log in to the web application with the administrator account (user A) and add user B's session cookie to Autorize's request configuration; from then on, every request is replayed as user B. The configuration is as follows:

We also set a scope filter so that the response comparison is easy to read and we are not flooded with irrelevant results. Next, enable Autorize. The browser still appears to the web application as user A, but each replayed request in fact carries user B's session cookie:

As you can see, in this case there is no difference between the original response length (Original length) and the replayed response length (Modified length), and the status code returned is 200; from this point of view, the endpoint may have an IDOR vulnerability. If instead the replayed request receives 403 Forbidden, the server enforced authorization and there is no IDOR vulnerability there: user B simply cannot get through.
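To make that comparison step concrete, here is an offline reimplementation of the Autorize-style verdict as an added example (not Autorize's own code): it swaps user A's session for user B's and grades each (original, replayed) response pair, including the case where the server answers HTTP 200 but with an error page. The endpoints, responses and enforcement marker phrases are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: bytes

# Phrases that mean the server refused user B even though it answered HTTP 200
# (constructed; tune them to the application's own error pages).
ENFORCEMENT_MARKERS = (b"access denied", b"not authorized", b"please log in")

def swap_session(headers: dict, cookie_b: str) -> dict:
    """Copy user A's request headers, carrying user B's session cookie instead."""
    swapped = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    swapped["Cookie"] = cookie_b
    return swapped

def classify(original: Response, replayed: Response) -> str:
    """Verdict for one (user A, user B) response pair, per the article's heuristic."""
    if replayed.status in (401, 403):
        return "enforced"          # server refused user B outright
    if any(m in replayed.body.lower() for m in ENFORCEMENT_MARKERS):
        return "enforced"          # HTTP 200 but an error page for user B
    if (replayed.status, len(replayed.body)) == (original.status, len(original.body)):
        return "possible IDOR"     # same status and length: confirm by diffing bodies
    return "review"                # differs in some other way; needs a human look

# Constructed sample: (endpoint, user A's response, replayed response as user B)
SAMPLE = [
    ("/api/users/1001/profile", Response(200, b'{"id":1001,"role":"admin"}'),
                                Response(200, b'{"id":1001,"role":"admin"}')),
    ("/api/admin/audit-log",    Response(200, b'[{"event":"login"}]'),
                                Response(403, b'{"error":"forbidden"}')),
    ("/api/reports/export",     Response(200, b'col1,col2\n1,2\n'),
                                Response(200, b'<html>Access Denied</html>')),
    ("/api/users/1001/orders",  Response(200, b'[{"order":1},{"order":2}]'),
                                Response(200, b'[]')),
]

def audit(cases=SAMPLE) -> dict:
    """Map each endpoint to its verdict so results can be reviewed or asserted on."""
    return {path: classify(a, b) for path, a, b in cases}

if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"{verdict:14} {path}")
```

A "possible IDOR" verdict is only an indicator: the two bodies still need to be diffed before the finding is reported.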

Discovering IDOR vulnerabilities with Autorepeater

Autorepeater can be thought of as a more elaborate version of Autorize: it allows more precise testing of individual parameters, such as uuid, suid, uid and other user-identifying parameters. However, it is somewhat more troublesome to set up; for example, the following uuid replacement test has to be configured manually:

In some cloud applications, this automated IDOR probe can be used to audit authorization not only within a tenant but also across tenants. For example, in the settings below we add replacement rules that change the request body. We can also replace other parameters or request values, such as:

User = Admin

False = True

JSON = XML

That concludes this walkthrough of using Burp Suite to automate the discovery and identification of IDOR vulnerabilities. I hope the above is of some help and lets you learn something new. If you think the article is good, please share it so that more people can see it.
