Daily Archives: December 29, 2021

News

Happy 12th Birthday, KrebsOnSecurity.com!

Read Time:2 Minute, 16 Second

KrebsOnSecurity.com celebrates its 12th anniversary today! Maybe “celebrate” is too indelicate a word for a year wracked by the global pandemics of COVID-19 and ransomware. Especially since stories about both have helped to grow the audience here tremendously in 2021. But this site’s birthday also is a welcome opportunity to thank you all for your continued readership and support, which helps keep the content here free to everyone.

More than seven million unique visitors came to KrebsOnSecurity.com in 2021, generating some 12 million+ pageviews and leaving almost 8,000 comments. We also now have nearly 50,000 subscribers to our email newsletter, which is still just a text-based (non-HTML) email that goes out each time a new story is published here (~2-3 times a week).

Back when this site first began 12 years ago, I never imagined it would attract such a level of engagement. Before launching KrebsOnSecurity, I was a tech reporter for washingtonpost.com. For many years, The Post’s website was physically, financially and editorially separate from what the dot-com employees affectionately called “The Dead Tree Edition.” When the two newsrooms finally merged in 2009, my position was eliminated.

Happily, the blog I authored for four years at washingtonpost.com — Security Fix — had attracted a sizable readership, and it seemed clear that the worldwide appetite for in-depth news about computer security and cybercrime would become practically insatiable in the coming years.

Happier still, The Post offered a severance package equal to six months of my salary. Had they not thrown that lifeline, I doubt I’d have had the guts to go it alone. But at the time, my wife basically said I had six months to make this “blog thing” work, or else find a “real job.”

God bless her eternal patience with my adopted occupation, because KrebsOnSecurity has helped me avoid finding a real job for a dozen years now. And hopefully they let me keep doing this, because at this point I’m certainly unqualified to do much else.

I’d be remiss if I didn’t take this opportunity to remind Dear Readers that advertisers do help keep the content free here to everyone. For security and privacy reasons, KrebsOnSecurity does not host any third-party content on this site — and this includes the ad creatives, which are simply images or GIFs vetted by Yours Truly and served directly from krebsonsecurity.com.

That’s a long-winded way of asking: If you regularly visit KrebsOnSecurity.com with an ad blocker, please consider adding an exception for this site.

Thanks again, Dear Readers. Please stay safe, healthy and alert in 2022. See you on the other side!

Read More

News

Manual and semi-automated testing for IDORs using Burp Suite

Read Time:4 Minute, 2 Second

This blog was written by an independent guest blogger.

This article explores how you can locate Insecure direct object references (IDORs) using Burp Suite. Primarily, there are two ways to test the IDOR flaw, manual and semi-automated. For automation, this article focuses on the Autorize Plugin in Burp Suite.

What are Insecure Direct Object References (IDOR)

Silent Breach discovered an IDOR vulnerability on the US Department of Defense website in November 2020 and discreetly notified it to the DOD’s Vulnerability Disclosure Program. The flaw was solved by including a user session method into the account setup that required initially logging in to the website.

That was one of the IDORs incidents, but what is an Insecure Direct Object Reference?

Insecure Direct Object References (IDOR) occurs when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example, database records or files.” – owasp.org

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that points to an object directly.

Access control challenges are the source of this vulnerability. The word IDOR became famous once it came into the OWASP’s top ten. However, it’s really just some other form of Broken Access Control.

IDORs can cause privilege escalation either horizontally or vertically. To be considered an IDOR, they must meet the preceding requirements:

The request contains an entity identification, whether as a GET or POST option.
There must be an Access Control flaw allowing the individual access to information, for which they shouldn’t be allowed.

Examples:

GET /receipt.php?id=18
POST /privateInfo.php

{userId:03,name:”bob”}

GET /invoice/test.txt

We have POST and a GET request with an identifier. In most cases, user A can only see receipts or private details that belong to him. An attacker can get an IDOR if he modifies this identifier and receives the same information as user A.

It might appear to be a simplistic explanation of IDORs, but that is essentially how they function. The interesting part is how we could automate scanning for this. We may use either a manual or semi-automated technique.

If you are just getting started in bug hunting, I suggest manual testing initially. It’s common practice to learn and grasp the working knowledge of your tool before putting your hands on it. You genuinely get to go into the depths of your capabilities.

Semi-automated test for IDORs

To automate the testing of IDORs, we need Autorize Plugin in Burp Suite.

You can install the Autorize plugin in the Burp suite from the Extender tab -> BApp Store.

After installing the autorize plugin:

Navigate to your target webpage, log in to User A (test2/test), and capture the traffic.
Copy the request (cookie and header details) and paste it on the Autorize tab.

Turn on Autorize.
Go to the target webpage, login with User B (test3/test), and capture the traffic.
Burp then makes the identical request with the given cookies and color-codes the outcomes for us.

Lastly, explore the target Web App and test every feature that requires admin credentials and is not accessible via a regular user; if you receive a Bypass/Enforced response, you have an IDOR vulnerability.

Testing IDORs manually in Burp Suite

To test the IDOR manually, I am using the Port Swigger lab here. Fire up Burp Suite and access the Portswigger Lab.

It’s good practice to set the target scope in Burp Suite. As in our case, you can add the lab URL as the target scope, or you can add only the domain name.

I usually tick the advanced scope control, as it provides us with regex options if necessary.

After setting the target scope, explore the target webshop. Browsing through the webshop reveals a variety of features. By this time, the site map must have clogged up with all the various requests.

We can see various responses, but the one we’re interested in is the download-transcript.

Navigate the webshop, capture the traffic on the proxy tab and send it to the repeater tab.

When we modify this download transcript number, the server will no longer verify that we have permission to download it.

We must be capable of login into username Carlos and the password we just got. We don’t particularly need to be signed in to get the documents because this is an unauthenticated IDOR.

Conclusion

The two ways we can use to test IDORs are:

Manual testing using Burp Suite.
Semi-automated testing using Autorize Plugin from Burp Suite.

Implementing an access control system is the only genuine approach to address this vulnerability. The server must authenticate the user before it can fulfil the request.

Read More