BUG IDOR APPS TIRTOID

jowi
2 min read · Sep 16, 2019

Insecure Direct Object Reference (IDOR) occurs when an application grants direct access to objects based on user-supplied input without checking that the requester is authorized for that object. As a result, an attacker can bypass authorization and access resources in the system directly. Below is the site where I found this vulnerability, along with the OWASP rank and severity I assigned to it, which is High.

Vulnerable URL: sso.tirto.id
Vulnerability: Insecure Direct Object Reference
Severity: High
OWASP rank: 4th (OTG-AUTHZ-004)

Below are the steps to reproduce the IDOR vulnerability:

  • Log in to the TirtoID app
  • Pick one news article and save it
  • Go to the section listing our saved articles
  • Delete the article we saved
  • Edit the intercepted request, replacing the user ID in the path:
    POST /api/TARGET ID/activity HTTP/1.1
    id=&type=deletesave&value=
    *TARGET ID can be brute-forced
IDOR DELETE

To view someone else's saved articles / ID / email:

  • Host: sso.tirto.id
    GET /api/TARGET ID/activity/save?limit=20 HTTP/1.1
    *TARGET ID can be brute-forced
IDOR ACTIVITY SAVE
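Both endpoints above share the same flaw: the user ID in the path is trusted instead of the ID bound to the authenticated session. The following is an added example, not code from the report or from TirtoID, that scans a constructed access-log format (assumed: `user=<session id> <method> <path> <status>`) for exactly this pattern, flagging successful requests whose path ID differs from the session user and sessions that touch many other users' IDs, which is what brute-forcing the target ID looks like from the server side.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the report). "user=" is the ID the SSO
# session belongs to; the number in the path is what the client supplied.
SAMPLE_LOG = """\
user=1001 POST /api/1001/activity 200
user=1001 GET /api/1001/activity/save?limit=20 200
user=1001 GET /api/1002/activity/save?limit=20 200
user=1001 GET /api/1003/activity/save?limit=20 200
user=1001 POST /api/1004/activity 200
user=2002 GET /api/2002/activity/save?limit=20 200
"""

# Matches both /api/<id>/activity (POST, type=deletesave) and
# /api/<id>/activity/save?limit=20 (GET) from the write-up.
LINE_RE = re.compile(
    r"user=(\d+) (GET|POST) /api/(\d+)/activity(?:/save)?(?:\?\S*)? (\d{3})"
)

# Hypothetical threshold: distinct foreign IDs a single session must hit
# before we call it enumeration.
ENUM_THRESHOLD = 3


def parse_line(line):
    """Return a dict for a matching log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"user": m.group(1), "method": m.group(2),
            "target": m.group(3), "status": int(m.group(4))}


def find_idor_access(log_text):
    """Return (cross_user_hits, enumerating_sessions).

    cross_user_hits: successful (200) requests where path ID != session user,
    i.e. the authorization check the server should have made was missing.
    enumerating_sessions: session user IDs that touched >= ENUM_THRESHOLD
    distinct IDs other than their own.
    """
    hits = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        targets[rec["user"]].add(rec["target"])
        if rec["target"] != rec["user"] and rec["status"] == 200:
            hits.append(rec)
    enumerators = {u for u, t in targets.items()
                   if len(t - {u}) >= ENUM_THRESHOLD}
    return hits, enumerators
```

The server-side fix is the inverse of the first check: derive the user ID from the session and reject (403) any request whose path ID does not match it, so a forged TARGET ID never reaches the data layer.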

Timeline Report

  • Bug reported (27 Aug 2019)
  • TirtoID: responded that the bug is valid (28 Aug 2019)
  • Bug fixed (30 Aug 2019) *fixed, no further response*
