mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 23:02:46 +00:00
Insecure direct object references - IDOR
This commit is contained in:
parent
182db99e13
commit
7096b813ec
3 changed files with 87 additions and 28 deletions
48
Insecure direct object references/README.md
Normal file
48
Insecure direct object references/README.md
Normal file
|
@ -0,0 +1,48 @@
|
||||||
|
# Insecure Direct Object References
|
||||||
|
|
||||||
|
> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP
|
||||||
|
|
||||||
|
Tools :
|
||||||
|
|
||||||
|
- Burp Suite plugin Authz
|
||||||
|
- Burp Suite plugin AuthMatrix
|
||||||
|
- Burp Suite plugin Authorize
|
||||||
|
|
||||||
|
## Exploit
|
||||||
|
|
||||||
|
![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK)
|
||||||
|
|
||||||
|
The value of a parameter is used directly to retrieve a database record.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://foo.bar/somepage?invoice=12345
|
||||||
|
```
|
||||||
|
|
||||||
|
The value of a parameter is used directly to perform an operation in the system
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://foo.bar/changepassword?user=someuser
|
||||||
|
```
|
||||||
|
|
||||||
|
The value of a parameter is used directly to retrieve a file system resource
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://foo.bar/showImage?img=img00011
|
||||||
|
```
|
||||||
|
|
||||||
|
The value of a parameter is used directly to access application functionality
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
http://foo.bar/accessPage?menuitem=12
|
||||||
|
```
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
|
||||||
|
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
|
||||||
|
|
||||||
|
## Thanks to
|
||||||
|
|
||||||
|
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
|
||||||
|
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
|
||||||
|
* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
|
BIN
Insecure direct object references/idor.png
Normal file
BIN
Insecure direct object references/idor.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 175 KiB |
|
@ -9,20 +9,23 @@ Tools:
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
* [Exploit with localhost](#summary)
|
* [Exploit with localhost](#exploit-with-localhost)
|
||||||
* [Bypassing filters](#summary)
|
* [Bypassing filters](#bypassing-filters)
|
||||||
* [SSRF via URL Scheme](#summary)
|
* [SSRF via URL Scheme](#ssrf-via-url-scheme)
|
||||||
* [SSRF to XSS](#summary)
|
* [SSRF to XSS](#ssrf-to-xss-by-d0rkerdevil--alyssaoherrera)
|
||||||
* [SSRF URL for Cloud Instances](#summary)
|
* [SSRF URL for Cloud Instances](#ssrf-url-for-cloud-instances)
|
||||||
* [SSRF URL for AWS Bucket](#summary)
|
* [SSRF URL for AWS Bucket](#ssrf-url-for-aws-bucket)
|
||||||
* [SSRF URL for Google Cloud](#summary)
|
* [SSRF URL for Google Cloud](#ssrf-url-for-google-cloud)
|
||||||
* [SSRF URL for Digital Ocean](#summary)
|
* [SSRF URL for Digital Ocean](#ssrf-url-for-digital-ocean)
|
||||||
* [SSRF URL for Packetcloud](#summary)
|
* [SSRF URL for Packetcloud](#ssrf-url-for-packetcloud)
|
||||||
* [SSRF URL for Azure](#summary)
|
* [SSRF URL for Azure](#ssrf-url-for-azure)
|
||||||
* [SSRF URL for OpenStack/RackSpace](#summary)
|
* [SSRF URL for OpenStack/RackSpace](#ssrf-url-for-openstackrackspace)
|
||||||
* [SSRF URL for HP Helion](#summary)
|
* [SSRF URL for HP Helion](#ssrf-url-for-hp-helion)
|
||||||
* [SSRF URL for Oracle Cloud](#summary)
|
* [SSRF URL for Oracle Cloud](#ssrf-url-for-oracle-cloud)
|
||||||
* [SSRF URL for Alibaba](#summary)
|
* [SSRF URL for Kubernetes ETCD](#ssrf-url-for-kubernetes-etcd)
|
||||||
|
* [SSRF URL for Alibaba](#ssrf-url-for-alibaba)
|
||||||
|
* [SSRF URL for Docker](#ssrf-url-for-docker)
|
||||||
|
* [SSRF URL for Rancher](#ssrf-url-for-rancher)
|
||||||
|
|
||||||
## Exploit with localhost
|
## Exploit with localhost
|
||||||
|
|
||||||
|
@ -451,19 +454,27 @@ curl http://rancher-metadata/<version>/<path>
|
||||||
|
|
||||||
More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/
|
More info: https://rancher.com/docs/rancher/v1.6/en/rancher-services/metadata-service/
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
- [SSRF and local file read in video to gif converter](https://hackerone.com/reports/115857)
|
||||||
|
- [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
|
||||||
|
- [SSRF in proxy.duckduckgo.com](https://hackerone.com/reports/358119)
|
||||||
|
- [Blind SSRF on errors.hackerone.net](https://hackerone.com/reports/374737)
|
||||||
|
- [SSRF on *shopifycloud.com](https://hackerone.com/reports/382612)
|
||||||
|
|
||||||
## Thanks to
|
## Thanks to
|
||||||
|
|
||||||
* [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
- [Hackerone - How To: Server-Side Request Forgery (SSRF)](https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF)
|
||||||
* [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
- [Awesome URL abuse for SSRF by @orange_8361 #BHUSA](https://twitter.com/albinowax/status/890725759861403648)
|
||||||
* [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
- [How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! Orange Tsai](http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html)
|
||||||
* [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk)
|
- [#HITBGSEC 2017 SG Conf D1 - A New Era Of SSRF - Exploiting Url Parsers - Orange Tsai](https://www.youtube.com/watch?v=D1S-G8rJrEk)
|
||||||
* [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
|
- [SSRF Tips - xl7dev](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
|
||||||
* [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
|
- [SSRF in https://imgur.com/vidgif/url](https://hackerone.com/reports/115748)
|
||||||
* [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
|
- [Les Server Side Request Forgery : Comment contourner un pare-feu - @Geluchat](https://www.dailysecurity.fr/server-side-request-forgery/)
|
||||||
* [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
- [AppSecEU15 Server side browsing considered harmful - @Agarri](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
|
||||||
* [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
|
- [Enclosed alphanumerics - @EdOverflow](https://twitter.com/EdOverflow)
|
||||||
* [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
|
- [Hacking the Hackers: Leveraging an SSRF in HackerTarget - @sxcurity](http://www.sxcurity.pro/2017/12/17/hackertarget/)
|
||||||
* [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
|
- [PHP SSRF @secjuice](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
|
||||||
* [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
- [How I convert SSRF to xss in a ssrf vulnerable Jira](https://medium.com/@D0rkerDevil/how-i-convert-ssrf-to-xss-in-a-ssrf-vulnerable-jira-e9f37ad5b158)
|
||||||
* [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
|
- [Piercing the Veil: Server Side Request Forgery to NIPRNet access](https://medium.com/bugbountywriteup/piercing-the-veil-server-side-request-forgery-to-niprnet-access-c358fd5e249a)
|
||||||
* [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
|
- [Hacker101 SSRF](https://www.youtube.com/watch?v=66ni2BTIjS8)
|
||||||
|
|
Loading…
Reference in a new issue