IDOR / BOLA

Insecure Direct Object Reference (IDOR) or Broken Object Level Authorization (BOLA) is a vulnerability where an attacker can access or manipulate resources they shouldn't be able to, by altering identifiers in requests (e.g., URLs, form fields).

This can lead to unauthorized access to sensitive data or actions, as attackers can exploit insufficient access controls to view or modify other users' data.

Implement proper access controls and authorization checks on the server side, validate and restrict access to resources based on user roles, and avoid exposing direct references to sensitive objects.

IDORs can be categorized as:

1. Static File IDORs: When the application uses easily guessable IDs in URLs to access files or data.

# referencing a data file's object
http://idor-sandbox/docs/?f=1.txt
# routing example
/users/:userIdent/documents/:pdfFile
/users/18293017/documents/file-15

1. Database Object Referencing IDORs (ID-Based): When an endpoint insecurely references database objects by their IDs, allowing unauthorized access.

# Numeric value
http://idor-sandbox:80/customerPage/?custId=1
# Unique Identifier (UID)
http://idor-sandbox:80/user/?uid=16327
# Universal Unique Identifier (UUID)
http://idor-sandbox:80/userProfile/a8e62d80-42cc-4ac6-bf53-d28a0ff61a82 

API Key Access

The example below is based on PostSwigger's User ID controlled by request parameter lab.

When we log into the application with the user wiener, we can directly see his API key (Figure 1).

Figure 1: Obtaining wiener's API key.

It seems that the session cookie is not tied to a specific user. As a result, we can access carlos's API key by forwarding the latter request in the Repeater and changing the id parameter (Figure 2).

Figure 2: Discovering a BOLA vulnerability & obtaining the API key of another user.

Logs Access

The example below is based on PostSwigger's Insecure direct object references lab.

This application has a Live Chat functionality which also provides the ability to view a chat's transcript. The latter feature reveals the directory where the transcript is stored (Figure 3).

Figure 3: Viewing the transcript of our Live Chat reveals where it is stored.

Similar to the previous example, the session cookie is not tied to a specific user and their transcripts. Thus, we can brute-force the /download-transcript directory and access them all (Figure 4).

Figure 4: Brute-forcing other users' transcripts.