Knocking the IDOR

Are you following FogMarks?

Hello to you all.

Sorry for the no-new-posts-November, FogMarks has been very busy experiencing new fields and worlds. But now – we’re on baby!

Today’s case-study is on an old case (and by old I mean 3 months old), but due to recent developments in an active research of a very known company’s very known product, I would like to present and explain the huge importance of an Anti-IDOR mechanism. Don’t afraid, we’re not biting.

Introduction

Basically, an IDOR (Insecure Direct Object Reference) allows attacker to mess around with an object that does not belong to him. This could be the private credentials of users, like the email address, private object that the attacker should not have access to, like a private event, or public information that should simply, and rationally – not be changed by a 3rd person, like a title of a user (don’t worry – case-study about the Mozilla vulnerability is on its way).

When an attacker is able to mess around with an object that does not belongs to him, the consequences might be devastating. I am not talking just about critical information disclosure that could lead the business to the ground, I am talking about messing around with objects that could lead the attacker to execute code on the server. Don’t be so shocked – it is very much possible.

From IDOR to RCE

I’m not going to disclosed the name of the company or software that this serious vulnerability was found on. I am not even going to say that this is a huge company with a QA and security response team that could fill an entire mall.
But I am going to tell you how an IDOR became an RCE on the server, without violent graphic content of course. For Christ’s sake, children might be reading these lines!

Ideally speaking,
An IDOR is being prevented using an Anti-IDOR Mechanism (AIM). Us at FogMarks have developed one a few years ago, and, know-on-wood, none of our customers ever dealt with an IDOR problem. Don’t worry, we’re not going to offer you to buy it. This mechanism was created only for two large customers who shared the same code base. Create your own mechanism with the info below, jeez!
But seriously, AIM’s main goal is to AIM the usage of a certain object only to the user who created it, or have access to it.

This is being done by holding a database table especially for sensitive objects that could be targeted from the web clients.
When an object is being inserted to the table, the mechanism generates to it a special 32 chars long identifier. This identifier is only being used by the server, and it is calld SUID (Server Used ID). In addition, the mechanism issues a 15 chars long integer identifier for the client side that is called, of course, CUID (Client Used ID). The CUID integer is being made from part of the 32 chars long SUID and part of the object permanent details (like name-if name cannot be changed afterwards) using a special algorithm.

In the users’ permissions table there is also a row of list of nodes that contains the SUID of objects that the user has access to it.

When the user issues a request from the client side (from the JS – a simple HTTP request (POST/GET/OPTIONS/DELETE/PUT…), the CUID is being matched with the SUID – the algorithm tries to generate the SUID from the supplied CUID. If it succeed, it then tries to match the generated SUID the SUIDs list in the users’ permission table. If it match, the requesting user gets one time, limited access to the object. This one time access is being enabled for x minutes and for one static IP, until the next process of matching CUID to SUID.

All this process, of course, is being managed by only one mechanism – The AIM. AIM handles request in a queue form, so when dealing with multiple hundreds of requests – AIM might not be the perfect solution (due to possible object changes by 2 different users).

In conclusion, in order to keep your platform cure from IDORs, requests to access sensitive objects should be managed only by one mechanism. You don’t have to do the exact logic like we did and to compile two different identifiers to the same object, but if you’ll like to prevent IDORs from the first moment (simply spoofing the ID), our proposed solution is for the best.

Here are some more examples of IDORs found by FogMarks in some very popular companies (and were patched, of course):

154 thoughts on “Knocking the IDOR

  1. As testosterone therapy becomes more recognized, and that being
    said and better comprehended as a necessity and not a cosmetic,
    guys are striving to do their best to ensure they’re getting
    the biggest bang for their buck while guaranteeing their health is never put on the line.

  2. Hello, i believe that i noticed you visited my web site thus i
    came to go back tthe desire?.I am attempting to find things to enhance my site!I assume
    its goo enough to use ssome of your concepts!!

  3. Hello! Do you know if they make any plugins to assist with SEO?
    I’m trying too get my blog to rank for some targeted keywords
    but I’m not seeing very good gains. If you kow oof any please share.
    Appreciate it!

  4. Excellent beat ! I would like to apprentice while you
    amend your web site, how can i subscribe for a blog site?

    The account aided me a acceptable deal. I had been tiny bit acquainted of
    this your broadcast provided bright clear idea

  5. ЛЮДИ ЭТО КИДАЛА 0678928863 !!!! 067-892-88-63 067 892 88 63
    АДРЕС ВОДОПРОВОДНАЯ 1
    АДРЕС ВОДОПРОВОДНАЯ 1
    АДРЕС ВОДОПРОВОДНАЯ 1
    АДРЕС ВОДОПРОВОДНАЯ 1
    АДРЕС ВОДОПРОВОДНАЯ 1
    АДРЕС ВОДОПРОВОДНАЯ 1
    АДРЕС ВОДОПРОВОДНАЯ 1
    Кидает людей на предоплату типа для документов!!!
    ЛЮДИ НЕ ВИДИТЕСЬ!!!!
    0678928863
    0678928863
    0678928863
    0678928863
    0678928863
    0678928863
    0678928863
    0678928863
    0678928863
    ОДЕССА!!!!! ОДЕССА!!!

    КИДАЛА ТЫ не сможеш вести свое дело ! Я За тобой слежу!!!

  6. Hello, Neat post. There’s a problem along with your
    web site in internet explorer, might check this? IE still is the marketplace
    chief and a good part of folks will omit your wonderful writing due to
    this problem.

  7. I simply want to mention I am very new to blogs and absolutely liked your web blog. Most likely I’m going to bookmark your blog post . You definitely come with fantastic articles. With thanks for sharing with us your web page.

  8. Definitely considdr that which you stated. Your favourite justification seemed tto be oon the web the easiest factor to keep in mind of.

    I say to you, I certainly get annoyed while other folks think
    about concerns that they just don’t recognize about. You managed to hitt the nail upon the top as smartly as
    defined out the whole thing with no need side-effects , othr people could
    take a signal. Will likely bbe back to get more.
    Thank you

  9. What a great post! I love the ideas you have. We do have a chore chart, but it stays the same for about 6 months. I think I’ll talk to the kids in the morning about doing the chore rotation and laundry flip. Thanks for sharing! Enjoyed the video as well. I’m definitely going to link this post to my blog for others to read your great idean!Jesnifer

  10. 1ea>Merci pour nous permettre de télécharger le jeux, mais il ne fonctionnent absolument pas sous Windows 64bits car après avoir télécharger tt les lien et avoir installe le jeux et avoir mis le crak dans les bon dossier et avoir cliké sur le Launcher.exe je me retrouve pendant 10 ou 15 sec avec une image du jeux et puis Windows me dit que le programme ne fonctionnent j'ai ressayer plusieurs fois toujours le même scenario

  11. Just saw a massive mistake in the Amendments; the following clause should read:“Provided further that the business of issuing or granting BLANKET licenseS in respect of literary, dramatic, musical and artistic works incorporated in a cinematograph films or sound recordings shall be carried out only through a copyright society duly registered under this Act:;A collective management society is not in the business of issuing individual licenses. Who has drafted these revised Amendments?

  12. Good day. Very nice website!! Guy .. Beautiful .. Superb .. I will bookmark your internet site and take the feeds also…I am glad to find so much useful info right here in the post. Thanks for sharing..

  13. Wow, these are great, Lisa Marie! I was so honored to work with you. The couple and the families were so down to earth, the bride was absolutely stunning! You are so talented, I can’t wait to see everything from the wedding!

  14. Joe – I will be most interested to hear your account of what the Windy River drainage is like. I’ve done day hikes up several of the drainages from the Rogue (though never Big W.) and they are arduous, to say the least. If we get a permit again I will likely try to go BW, but my impression is you can’t get far before there is a cliff.Bob H. has disappeared, I was hoping to hear from him how the Oregonian article has resonated in the local community.

  15. alors moi le printemps c'est l'apparition des premières fleurs, les premiers soleil et les sorties entre amies dans les parcs qui sortent de l'hiver… et puis côté fashion le nude et le liberty, les short et les sandalettes… le printemps c'est un peu l'envie de sortir après l'hibernation de l'hiver! e't puis aussi les batifolages! =)merci pour ton blog, j'adore!!

  16. Al pulsar el botón «Stop» de la base de carga, se enviará una señal al Indego 1300 a través del cable perimetral ordenándole detenerse. Robot cortacésped Indego, base de carga, clavos para la base de carga (4), cable perimetral (300 m), estacas de fijación (600), manual de instrucciones, guía de instalación rápida, llave de aislamiento roja, fuente de alimentación, conectores de cables (2), reglas de medición.

  17. Does your blog have a contact page? I’m having a blast with anyfindR a tough time locating it but, I’d like to shoot you an e-mail. I’ve got some suggestions for your blog you might be interested in hearing. Either way, great site and I look forward to seeing it expand over time.|

  18. Howdy! This is kind of off topic but I need some help from an established blog. Is it very hard to set up your own blog? I’m not very techincal but I can figure things out pretty quick. I’m thinking about setting up my own but I’m not sure where to begin. Do you have any ideas or suggestions? With thanks|

  19. Pretty element of content. I simply stumbled upon your web site and in accession capital to assert that I get in fact enjoyed account your blog posts. Any way I will be subscribing for your feeds or even I fulfillment you get entry to persistently quickly.|

  20. Great goods from you, man. I’ve understand your stuff previous to and you’re just too excellent. I really like what you have acquired here, really like what you’re stating and the way in which you say it. You make it enjoyable and you still care for to keep it wise. I cant wait to read far more from you. This is actually a terrific web site.|

  21. Hello, Neat post. There’s a problem together with your website in web explorer, may test this? IE nonetheless is the market leader and a big section of folks will omit your fantastic writing because of this problem.|

  22. Thanks for your article. What I want to comment on is that when evaluating a good on the web electronics store, look for a site with comprehensive information on important factors such as the security statement, security details, payment procedures, and also other terms along with policies. Generally take time to investigate the help and also FAQ sections to get a far better idea of what sort of shop operates, what they are able to do for you, and how you can maximize the features.

Leave a Reply

Your email address will not be published. Required fields are marked *

*