Mechanisms

Published on 2024-10-11 20:33:58 · 5174 characters · 0 views · 0 comments · 0 favorites

Despite its long and intimidating name, IDOR is easy to understand; it’s essentially a missing access control. IDORs happen when users can access resources that do not belong to them by directly referencing the object ID, object number, or filename.

For example, let’s say that example.com is a social media site that allows you to chat with others. When you sign up, you notice that your user ID on the site is 1234. This website allows you to view all your messages with your friends by clicking the View Your Messages button located on the home page. When you click that button, you get redirected to this location, which displays all your direct messages: https://example.com/messages?user_id=1234.

Now, what if you change the URL in the URL bar to https://example.com/messages?user_id=1233?

You notice that you can now see all the private messages between another user, user 1233, and their friends. At this point, you’ve found an IDOR vulnerability. The application does not restrict access to messages based on the user’s identity. Instead, it allows users to request any messages that they wish. The application naively trusts user input, and it directly loads resources based on the user-provided user_id value, like this piece of example code:

# The user_id comes straight from the request; nothing checks that it belongs to the logged-in user
messages = load_messages(request.user_id)
display_messages(messages)

IDORs are not just limited to reading other users’ information, either. You can also use them to edit data on another user’s behalf. For example, let’s say that users can submit a POST request to change their password. The POST request must contain that user’s ID and new password, and they must direct the request to the /change_password endpoint:

POST /change_password

(POST request body)
user_id=1234&new_password=12345

In this case, if the application doesn’t validate that the submitted user ID corresponds to the currently logged-in user, an attacker might be able to change someone else’s password by sending a user ID that doesn’t belong to them, like this:

POST /change_password

(POST request body)
user_id=1233&new_password=12345
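To make the missing access control concrete, here is an added example (not code from the original text) that models both endpoints discussed above, the messages view and the /change_password request, first in the form that produces an IDOR and then with the ownership check that closes it. The Request object, the in-memory MESSAGES and PASSWORDS tables and the HTTP-style status codes are all constructed for this demonstration and are not part of any real framework.

```python
"""Added example: the chat-site endpoints from the text, vulnerable and hardened.
Everything here (Request, MESSAGES, PASSWORDS, the status tuples) is constructed
for illustration; it is not a real framework or the book's own code."""
from dataclasses import dataclass, field

# Constructed sample data: two users, each with their own private messages.
MESSAGES = {
    1234: ["hi from 1234's friend"],
    1233: ["1233's private chat"],
}
PASSWORDS = {1234: "old-1234", 1233: "old-1233"}


@dataclass
class Request:
    """Minimal stand-in for a framework request: the user identified by the
    session cookie, plus the raw parameters the client chose to send."""
    session_user_id: int
    params: dict = field(default_factory=dict)


def load_messages(user_id: int) -> list:
    return list(MESSAGES.get(user_id, []))


# --- Vulnerable versions: trust the client-supplied user_id -------------------

def get_messages_vulnerable(req: Request):
    # Same logic as the page's snippet: whatever user_id the client sent is loaded.
    user_id = int(req.params["user_id"])
    return 200, load_messages(user_id)


def change_password_vulnerable(req: Request):
    # The submitted user_id is never compared with the session, so any account
    # can be overwritten by changing one number in the POST body.
    user_id = int(req.params["user_id"])
    PASSWORDS[user_id] = req.params["new_password"]
    return 200, "password changed"


# --- Hardened versions: the object owner must be the session user -------------

def get_messages_secure(req: Request):
    requested = int(req.params["user_id"])
    # Ownership check: the referenced object must belong to the logged-in user.
    if requested != req.session_user_id:
        return 403, []
    return 200, load_messages(requested)


def change_password_secure(req: Request):
    # Preferred fix: do not take the target user from the client at all; derive
    # it from the authenticated session. If a user_id is still sent, it must match.
    if "user_id" in req.params and int(req.params["user_id"]) != req.session_user_id:
        return 403, "user_id does not match session"
    PASSWORDS[req.session_user_id] = req.params["new_password"]
    return 200, "password changed"


if __name__ == "__main__":
    # User 1234 asks for user 1233's messages, as in the walkthrough above.
    req = Request(session_user_id=1234, params={"user_id": "1233"})
    print(get_messages_vulnerable(req))  # leaks 1233's messages
    print(get_messages_secure(req))      # (403, [])
```

The important design choice is in change_password_secure: the identity of the account being modified is taken from the session, not from the request body, so there is no parameter left for a user to tamper with. Rejecting a mismatched user_id with 403 (rather than silently ignoring it) also gives you a clean signal to log and alert on, since legitimate clients never send a user_id that differs from their own session.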

Finally, IDORs can affect resources other than database objects. Another type of IDOR happens when applications reference a system file directly. For example, this request allows users to access a file they’ve uploaded: https://example.com/uploads?file=user1234-01.jpeg.

Since the value of the file parameter is user1234-01.jpeg, we can easily deduce that user-uploaded files follow the naming convention of USER_ID-FILE_NUMBER.FILE_EXTENSION. Therefore, another user’s uploaded files might be named user1233-01.jpeg. If the application doesn’t restrict users’ access to files that belong to others, an attacker could access anyone’s uploaded files by guessing the filenames, like this: https://example.com/uploads?file=user1233-01.jpeg.

A malicious user might even be able to read sensitive system files through this endpoint! For instance, /etc/shadow is a file on Unix systems used to keep track of user passwords. Because it is sensitive, it should not be exposed to regular users. If you can read the file this way, through a URL like https://example.com/uploads?file=/PATH/TO/etc/shadow, then you’ve found a vulnerability! Attackers being able to read files outside the web root folder is also known as a path traversal attack, or directory traversal attack. We will talk more about directory traversal attacks in Chapter 17.
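As an added example (not code from the original text), here is how the /uploads?file=... handler described above can be written so that it has neither weakness: it enforces the USER_ID-FILE_NUMBER.FILE_EXTENSION naming convention and checks that the owner encoded in the filename is the logged-in user (the IDOR check), and it confirms that the resolved path is still inside the upload directory (the traversal check). UPLOAD_ROOT, the sample files and the status codes are constructed for the demonstration; serve_upload is a hypothetical handler, not a real framework API.

```python
"""Added example: a hardened upload-download handler for the /uploads?file=
endpoint discussed in the text. UPLOAD_ROOT and the two sample files are
constructed in a temporary directory so the demo runs offline."""
import re
import tempfile
from pathlib import Path

UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads-"))

# Constructed sample uploads following the page's naming convention.
for name in ("user1234-01.jpeg", "user1233-01.jpeg"):
    (UPLOAD_ROOT / name).write_bytes(b"image bytes of " + name.encode())

# Accept only the exact shape the application itself generates. Anything with
# a slash, "..", or an unexpected extension fails this match and is rejected
# before any filesystem access, so traversal strings never reach open().
UPLOAD_NAME = re.compile(r"^user(?P<owner>\d+)-(?P<num>\d{2})\.(?P<ext>jpeg|png)$")


def serve_upload(session_user_id: int, file_param: str):
    """Return (status, body): 400 for a malformed name, 403 for another user's
    file, 404 if the owner's file is missing, 200 with the bytes otherwise."""
    m = UPLOAD_NAME.fullmatch(file_param)
    if not m:
        return 400, b""
    # IDOR check: the owner encoded in the filename must be the requester.
    if int(m.group("owner")) != session_user_id:
        return 403, b""
    # Defence in depth: even with a well-formed name, confirm the resolved
    # path is a direct child of the upload root before reading it.
    target = (UPLOAD_ROOT / file_param).resolve()
    if UPLOAD_ROOT.resolve() not in target.parents:
        return 400, b""
    if not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


if __name__ == "__main__":
    print(serve_upload(1234, "user1234-01.jpeg")[0])   # 200, own file
    print(serve_upload(1234, "user1233-01.jpeg")[0])   # 403, someone else's file
    print(serve_upload(1234, "../../etc/shadow")[0])   # 400, traversal rejected
```

An even simpler design avoids the filename parameter entirely: store uploads under an opaque ID that is looked up in a database row carrying the owner, and never build a filesystem path from anything the client sent. The allow-list regex plus the resolve() check shown here is the fallback when the URL scheme cannot be changed.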