Step-by-step guide for uncovering Broken Access Control and Insecure Direct Object Reference vulnerabilities for bug bounty hunters and pentesters.
As bug bounty hunters and pentesters, some of the most rewarding vulnerabilities to uncover are Broken Access Control (BAC) and Insecure Direct Object Reference (IDOR). In this article, we’ll discuss what BAC and IDOR vulnerabilities are, a basic testing methodology, IDOR with UUIDs, Blind IDOR, and automating the hunt with the Auth Analyzer Burp Extension.
Broken access control (BAC) is a type of vulnerability where users can access resources or perform actions they should not have permission for, due to a lack of proper validation or authentication checks.
Example BAC: the /admin page is not visible on the front end, yet a regular user can still reach it by requesting the path directly.

Insecure Direct Object Reference (IDOR) is a type of BAC vulnerability caused by using user-supplied input as a direct reference to an object without proper validation.
Example IDOR: the /account page takes the parameter id=101. Changing it to id=102 returns User B’s account information.

Blind IDORs are harder to notice, but very rewarding. A blind IDOR is a specific flavor of IDOR whose result isn’t obvious in the HTTP response, but is leaked in notification emails, SMS text messages, or exported files.
Example Blind IDOR: changing the userID in any request returns a 200 status code but no other information in the response; the other user’s data shows up later in a notification email, SMS message, or exported file.

When looking for IDORs, not only are numeric IDs susceptible, but in some cases Universal Unique Identifiers (UUIDs) are too. A UUID is a cryptographically generated identifier, used in a similar way to numeric IDs but much harder to enumerate. That said, there is a way to find vulnerabilities.
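The IDOR above, as an added example that is not part of the original article: an account lookup in Python with the missing ownership check beside the fixed version, plus the same records keyed by a UUID to show that an unguessable key does not replace the check. The account data, user names and function names are constructed for the demonstration.

```python
# Added example, not from the article: the same account lookup written with
# and without an ownership check, over constructed in-memory records.
import uuid
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Account:
    id: int
    owner: str      # username of the user who may read this record
    email: str


Response = Tuple[int, Optional[Account]]    # (HTTP-style status, body)

# Constructed data: User A owns account 101, User B owns account 102.
ACCOUNTS: Dict[int, Account] = {
    101: Account(101, "userA", "a@example.com"),
    102: Account(102, "userB", "b@example.com"),
}

# The same records keyed by a random UUID instead of a sequential integer.
ACCOUNTS_BY_UUID: Dict[uuid.UUID, Account] = {
    uuid.uuid4(): acct for acct in ACCOUNTS.values()
}


def get_account_vulnerable(current_user: str, account_id: int) -> Response:
    """IDOR: the user-supplied id is the lookup key and nothing ties it to the
    caller, so changing id=101 to id=102 returns User B's record."""
    acct = ACCOUNTS.get(account_id)
    return (404, None) if acct is None else (200, acct)


def get_account_fixed(current_user: str, account_id: int) -> Response:
    """Fixed: after the lookup, verify the caller owns the object. The check
    must run on every request; hiding a link in the UI is not a control."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    if acct.owner != current_user:
        return 403, None
    return 200, acct


def get_account_by_uuid_fixed(current_user: str, key: uuid.UUID) -> Response:
    """A UUID key is hard to guess, but it is not authorization: once a UUID
    leaks (another API response, an e-mail, an export) the same ownership
    test is still what prevents cross-account reads."""
    acct = ACCOUNTS_BY_UUID.get(key)
    if acct is None:
        return 404, None
    if acct.owner != current_user:
        return 403, None
    return 200, acct


def uuid_for(account_id: int) -> uuid.UUID:
    """Look up the UUID key for a numeric id (so the demo can reference it)."""
    return next(k for k, a in ACCOUNTS_BY_UUID.items() if a.id == account_id)


if __name__ == "__main__":
    print("vulnerable, userA asks for 102:", get_account_vulnerable("userA", 102))
    print("fixed,      userA asks for 102:", get_account_fixed("userA", 102))
    print("fixed,      userA asks for 101:", get_account_fixed("userA", 101))
```

In a database-backed application the equivalent fix is usually to scope the query to the caller (add the owner to the WHERE clause) rather than fetch-then-check; either works, as long as it happens on every object access and not only on the pages that are linked in the UI.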
Example:
The Auth Analyzer Burp Extension is my personal favorite way to automate the process of finding BAC and IDOR vulnerabilities.
How to use Auth Analyzer:
1. Copy session cookies and authorization headers from different users and paste them into Auth Analyzer.
2. Click the Start Analyzer button.
3. Do things in the browser using the session of your highest privilege user.
4. Look at the Auth Analyzer matrix and see if any requests have the SAME response.
5. Now try it manually in repeater to validate.
6. If User A can do something that only User B should be able to do, 💥 vulnerability.
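The six-step workflow above, as an added Python example that is not part of the article or of the Auth Analyzer extension: it replays a recorded set of requests as the privileged user, as the low-privilege user and with no session at all, and flags any reply that is the SAME as the privileged one, classified the way the next section describes (an unauthenticated match is broken authentication, a low-privilege match is broken access control). The routes, sessions and tokens are constructed in-process stand-ins; a real run would send the recorded requests through a test client or HTTP library against the application.

```python
# Added example, not from the article: a small differential authorization
# check in the spirit of the Auth Analyzer workflow. Every name here is
# constructed; the "application" is an in-process dict of route handlers so
# the check runs offline with no Burp and no network.
from typing import Callable, Dict, FrozenSet, List, NamedTuple, Optional, Tuple

Response = Tuple[int, str]                                   # (status, body)
Params = Dict[str, str]
Handler = Callable[[Optional[str], Params], Response]

# Constructed sessions: token -> (username, role). A token of None means the
# request is replayed with no session at all.
SESSIONS = {"tok-admin": ("alice", "admin"), "tok-user": ("bob", "user")}


def whoami(token: Optional[str]) -> Optional[Tuple[str, str]]:
    return SESSIONS.get(token) if token else None


def admin_users_vulnerable(token, params):
    # BAC: /admin/users is only hidden from the UI; any logged-in user may call it.
    if whoami(token) is None:
        return 401, "login required"
    return 200, "alice,bob"


def admin_users_fixed(token, params):
    who = whoami(token)
    if who is None:
        return 401, "login required"
    if who[1] != "admin":          # the role check the vulnerable version lacks
        return 403, "forbidden"
    return 200, "alice,bob"


def export_vulnerable(token, params):
    # Broken authentication: no session check at all, so anyone can export.
    return 200, "report:" + params.get("id", "")


def export_fixed(token, params):
    who = whoami(token)
    if who is None:
        return 401, "login required"
    return 200, "report:" + params.get("id", "") + " for " + who[0]


def profile(token, params):
    # Correct endpoint: the body is specific to the caller, so it never matches.
    who = whoami(token)
    if who is None:
        return 401, "login required"
    return 200, "profile of " + who[0]


def public(token, params):
    return 200, "terms of service"   # genuinely public; identical for everyone


class Finding(NamedTuple):
    path: str
    session: Optional[str]   # which replayed session matched the privileged one
    verdict: str


def analyze(routes: Dict[str, Handler], recorded: List[Tuple[str, Params]],
            privileged: str = "tok-admin", low: str = "tok-user",
            public_paths: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Replay each recorded request as the privileged user, then with no
    session and with the low-privilege session. A reply identical to the
    privileged one (same status AND body) is a candidate finding: no session
    -> broken authentication, low-privilege session -> broken access control.
    Known-public paths are skipped, which is where most of the noise lives;
    everything reported still needs manual confirmation in Repeater."""
    findings: List[Finding] = []
    for path, params in recorded:
        if path in public_paths:
            continue
        handler = routes[path]
        baseline = handler(privileged, params)
        if handler(None, params) == baseline:
            findings.append(Finding(path, None, "broken authentication"))
        elif handler(low, params) == baseline:
            findings.append(Finding(path, low, "broken access control"))
    return findings


VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/admin/users": admin_users_vulnerable, "/export": export_vulnerable,
    "/profile": profile, "/public": public,
}
FIXED_ROUTES: Dict[str, Handler] = {
    "/admin/users": admin_users_fixed, "/export": export_fixed,
    "/profile": profile, "/public": public,
}
# Constructed "browsing session" of the highest-privilege user (step 3).
RECORDED: List[Tuple[str, Params]] = [
    ("/admin/users", {}), ("/export", {"id": "7"}), ("/profile", {}), ("/public", {}),
]

if __name__ == "__main__":
    for f in analyze(VULNERABLE_ROUTES, RECORDED, public_paths=frozenset({"/public"})):
        print(f)
```

Comparing status and body together matters: a 200 with a different body (the /profile route here) is the normal case for per-user pages and is not a finding, while the public page shows up as a false positive unless it is allowlisted, which is exactly the noise step 5 is there to filter.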
Analyzing Auth Analyzer Output
There will be a lot of noise, so the hardest part is figuring out which results are real vulnerabilities and which ones to ignore.
Here’s a handy table with the different vulnerability types:
Broken authentication is when a completely unauthenticated user can access something. This is even worse than BAC and IDOR because no user account is needed to exploit it.
Bug bounty hunters and pentesters, there is a whole world of BAC and IDOR out there, because they’re so easy to introduce accidentally, yet most people find them difficult to test for. With the techniques and tools mentioned here, you can discover these vulnerabilities before anyone else.