IDOR / BOLA
Insecure Direct Object Reference (IDOR), also called Broken Object Level Authorization (BOLA), can lead to unauthorized access to sensitive data or actions: an attacker exploits insufficient access controls to view or modify other users' data simply by supplying another user's object identifier.
Mitigation: implement proper access controls and authorization checks on the server side, validate and restrict access to resources based on user roles and object ownership, and avoid exposing direct references to sensitive objects.
IDORs can be categorized as:
Static File IDORs: When the application uses easily guessable IDs in URLs to access files or data.
# referencing a data file's object
http://idor-sandbox/docs/?f=1.txt
# routing example
/users/:userIdent/documents/:pdfFile
/users/18293017/documents/file-15
Database Object Referencing IDORs (ID-Based): When an endpoint insecurely references database objects by their IDs, allowing unauthorized access.
# Numeric value
http://idor-sandbox:80/customerPage/?custId=1
# Unique Identifier (UID)
http://idor-sandbox:80/user/?uid=16327
# Universal Unique Identifier (UUID)
http://idor-sandbox:80/userProfile/a8e62d80-42cc-4ac6-bf53-d28a0ff61a82
API Key Access
The example below is based on PortSwigger's User ID controlled by request parameter lab.
When we log into the application with the user wiener, we can directly see his API key (Figure 1).

Figure 1: wiener's API key.

It seems that the session cookie is not tied to a specific user. As a result, we can access carlos's API key by forwarding the latter request in Repeater and changing the id parameter (Figure 2).

Logs Access
The example below is based on PortSwigger's Insecure direct object references lab.
This application has a Live Chat functionality which also provides the ability to view a chat's transcript. The latter feature reveals the directory where the transcript is stored (Figure 3).

Similar to the previous example, the session cookie is not tied to a specific user and their transcripts. Thus, we can brute-force the /download-transcript directory and access them all (Figure 4).
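As an added example (not code from this page or from the PortSwigger labs), the two lab flaws above and the mitigation stated at the top, side by side in Python: a lookup keyed only on the client-supplied id or file name, the same lookup with a server-side ownership check, and a per-session indirect reference map so the client never handles the guessable identifier. The user names, keys and transcript contents are constructed sample data.

```python
# Added example, not code from the page or the PortSwigger labs.
# Constructed data: API keys keyed by user, transcripts tagged with their owner.
import secrets

API_KEYS = {"wiener": "key-of-wiener", "carlos": "key-of-carlos"}
TRANSCRIPTS = {"1.txt": ("carlos", "carlos: hello"), "2.txt": ("wiener", "wiener: hi")}


class Forbidden(Exception):
    """Raised when the session user does not own the requested object."""


def api_key_vulnerable(session_user, requested_id):
    # BOLA: the id parameter alone selects the record; the session is ignored.
    return API_KEYS[requested_id]


def api_key_hardened(session_user, requested_id):
    # The session, not the client-supplied id, decides whose key may be read.
    if requested_id != session_user:
        raise Forbidden(f"{session_user} may not read {requested_id}'s key")
    return API_KEYS[requested_id]


def transcript_vulnerable(session_user, file_name):
    # Anyone who guesses the file name under /download-transcript gets it.
    return TRANSCRIPTS[file_name][1]


def transcript_hardened(session_user, file_name):
    # Ownership is stored with the object and checked server-side on every read.
    owner, body = TRANSCRIPTS[file_name]
    if owner != session_user:
        raise Forbidden(f"{session_user} may not read {file_name}")
    return body


class IndirectReferences:
    """Per-session map from random handles to real object names, so the client
    never sees the guessable id or file name (an indirect reference map)."""

    def __init__(self):
        self._handles = {}

    def issue(self, real_name):
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = real_name
        return handle

    def resolve(self, handle):
        if handle not in self._handles:
            raise Forbidden("unknown reference")
        return self._handles[handle]
```

The hardened functions raise Forbidden rather than returning another user's object; the reference map should be stored in the server-side session, never sent to the client as a whole.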
