Exploiting a simple IDOR vulnerability with Python

Insecure Direct Object Reference (IDOR) vulnerabilities are still found in the wild and can lead to, for example, horizontal privilege escalation: a user modifies a value the web application trusts, such as an ID in a URL, and gains access to data that is not theirs.

Developing a vulnerable application

The vulnerable web application was developed in Python with the Flask library. It is split into two sections: a login form and a user page. The backend is a MySQL database containing usernames, hashed passwords, e-mail addresses, full names and user creation dates. The login form authenticates users against this database. After logging in, the user is redirected to /users/<sql_id>, where <sql_id> is the user's ID in the database.

The user thomas11 logs in and can view his account information. The URL is http://192.168.0.51:5000/users/1. Thomas has the user ID 1. Even though he has his own session cookie, is it possible to manipulate the URL and gain unauthorised access to another user’s data?

Exploitation

The URL was changed to http://192.168.0.51:5000/users/2, and Thomas now has access to Monica's data. The ID in the URL is passed straight to the database query, which returns the record for whichever user ID was supplied; nothing checks that the requested record belongs to the logged-in session. In a worst-case scenario, a regular user could obtain admin privileges by modifying the ID in values such as the URL and session cookies. You can read more about the different injection points here.

Since Thomas now has access to every user's information, how can the data be downloaded efficiently? Going through every single ID manually and copying the data is a tedious task. Luckily, Thomas knows how to use Python.

Thomas wrote a small Python script which automates the task for him. However, Thomas does not know how many users are stored in the database. Therefore, the script checks the status code of every request and stops at the first user ID that returns 404 Not Found.

The script logs in as thomas11 and uses the resulting session cookie to access the user information page. From there, the user ID is incremented on every request. Regular expressions extract the specific values from each page, and the values are formatted before being printed.

The script works, and Thomas now has the data for every single user. It could also be modified to insert the values into the attacker's own database for large data sets.
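To make the root cause concrete, here is an added example (not code from the original post) that reduces the /users/<sql_id> view to its core: the vulnerable handler beside a hardened one that binds the returned record to the authenticated session, plus a log check that flags the ID-walking pattern described above. The user table, the log entries and the session lookup are constructed stand-ins written framework-free so the example runs without Flask or MySQL.

```python
# Added example, not code from the original post: the /users/<sql_id> view
# reduced to its core, the vulnerable handler beside the hardened one, plus
# a log check that flags the ID-walking pattern the post describes.
# The user table, log lines and the session lookup are constructed stand-ins.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the MySQL users table (password hashes omitted).
USERS = {
    1: {"username": "thomas11", "email": "thomas@example.invalid"},
    2: {"username": "monica", "email": "monica@example.invalid"},
    3: {"username": "admin", "email": "admin@example.invalid"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def users_view_vulnerable(session_user_id: int, requested_id: int) -> Response:
    """Original behaviour: any logged-in user can read any ID from the URL."""
    if session_user_id not in USERS:
        return Response(401)
    row = USERS.get(requested_id)  # ID taken straight from the URL
    if row is None:
        return Response(404)  # the 404 the enumeration script stops on
    return Response(200, dict(row))


def users_view_hardened(session_user_id: int, requested_id: int) -> Response:
    """Fix: object-level authorization; the record is bound to the session."""
    if session_user_id not in USERS:
        return Response(401)
    if requested_id != session_user_id:
        # Deny with no body. Returning 404 here instead would additionally
        # hide whether the other ID exists at all.
        return Response(403)
    return Response(200, dict(USERS[session_user_id]))


def flag_id_walkers(access_log, threshold: int = 3):
    """Detection: sessions requesting at least `threshold` distinct user IDs
    other than their own. access_log holds (session_user_id, requested_id)."""
    foreign = {}
    for session_uid, requested in access_log:
        if requested != session_uid:
            foreign.setdefault(session_uid, set()).add(requested)
    return sorted(uid for uid, ids in foreign.items() if len(ids) >= threshold)
```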

Conclusion

IDOR vulnerabilities can, in some cases, be simple to exploit. However, the outcome can be devastating: users could achieve horizontal privilege escalation or even admin access, and an attacker could potentially gain access to unauthorised data.