# Intro

- IDOR vulnerabilities may also exist in function calls and APIs; exploiting them lets us perform various actions as other users
- While `IDOR Information Disclosure Vulnerabilities` allow us to read various types of resources, `IDOR Insecure Function Calls` enable us to call APIs or execute functions as another user
- Such functions and APIs can be used to change another user's private information, reset another user's password, or even buy items using another user's payment information

# Identifying Insecure APIs

- Test the `Edit Profile` page for IDOR vulnerabilities

![[images/Pasted image 20260111200015.png]]

- When we click on `Edit Profile`, we are taken to a page where we can edit our user profile, namely `Full Name`, `Email`, and `About Me`, a common feature in many web apps

![[images/Pasted image 20260111200045.png]]

- We can change any of the details in our profile and click `Update profile`; the changes persist through refreshes, which means they are being stored in a database somewhere
- We can intercept the `Update` request in `burp`

![[images/Pasted image 20260111200123.png]]

- Here, we see that the page sends a `PUT` request to the `/profile/api.php/profile/1` API endpoint
- For reference, `PUT` requests are usually used in APIs to update item details, while `POST` is used to create new items, `DELETE` to delete items, and `GET` to retrieve item details
- Also note that multiple JSON parameters are being sent in the request body, enclosed in `{ }`
- Several hidden parameters are set here, including `uid`, `uuid`, and, most interestingly, `role`, which is set to `employee`
- The web application also appears to be setting the user's access privileges (e.g. `role`) on the client side, in the form of the `Cookie: role=employee` cookie

```json
{
  "uid": 1,
  "uuid": "40f5888b67c748df7efba008e7c2f9d2",
  "role": "employee",
  "full_name": "Amy Lindon",
  "email": "[email protected]",
  "about": "A Release is like a boat. 80% of the holes plugged is not good enough."
}
```

# Exploiting Insecure APIs

- Based on the above, we know we can change the `full_name`, `email`, and `about` parameters, as these are the ones exposed to us in the HTML form on the `/profile` page
- So, let's try to manipulate the other parameters:
  1. Change our `uid` to another user's `uid`, so that we can take over their account
  2. Change another user's details, which may enable several further web attacks
  3. Create new users with arbitrary details, or delete existing users
  4. Change our `role` to a more privileged role (e.g. `admin`) to be able to perform more actions
- Start by changing our `uid` to another user's `uid` (e.g. `"uid": 2`)
- However, any value other than our own `uid` gets us a `uid mismatch` response, as shown below

![[images/Pasted image 20260111200703.png]]

- Next, try changing another user's details by changing the API endpoint to `/profile/api.php/profile/2` and setting `"uid": 2` to avoid the previous `uid mismatch` error
- This time, we get an error message saying `uuid mismatch`, as shown below

![[images/Pasted image 20260111200816.png]]

- Next, try to change our `role` to `admin`/`administrator` to gain higher privileges
- We get `Invalid role` in the HTTP response, and our `role` does not update, as shown below

![[images/Pasted image 20260111200906.png]]

- So far, we have only been testing for `IDOR Insecure Function Calls`
- However, we have not yet tested the API's `GET` request for `IDOR Information Disclosure Vulnerabilities`
- If there is no robust access control in place, we might be able to read other users' details, including the `uuid` that the `PUT` endpoint checks, which would help us with the attacks we attempted above: a check on a client-supplied `uuid` is only as strong as the secrecy of that `uuid`, and if another endpoint discloses it, the check is bypassed

# Exercise

- `ping` test

![[images/Pasted image 20260111201808.png]]

- `nmap` scan
- Visit `/profile/index.php`

![[images/Pasted image 20260111201920.png]]

- Source code

![[images/Pasted image 20260111201928.png]]

- Intercept the update request

![[images/Pasted image 20260111202005.png]]

- Try to change the `uid` value to `5`

![[images/Pasted image 20260111202616.png]]

- View the follow-up `GET` request

![[images/Pasted image 20260111203041.png]]

- Send it to `Repeater` and replace `1` with `5`

![[images/Pasted image 20260111203110.png]]
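The probing sequence from the Exploiting section and the exercise above, modelled in Python as an added example (this is not the lab's or the module's code): a toy in-memory version of the `/profile/api.php/profile/<id>` endpoint that returns the three messages we observed, a client that replays the attempts, and the `GET`-then-`PUT` chain the last exercise steps point at. The `GET` endpoint returning any user's record (with its `uuid`) to any logged-in user, the `VALID_ROLES` allow-list, the second user's record and the e-mail addresses are assumptions and constructed data; `api_put_hardened` is the fix a reviewer would ask for, binding the target profile to the caller's session.

```python
"""Toy model of the profile API discussed above: an in-memory server that
enforces the three responses we observed (uid mismatch, uuid mismatch,
Invalid role) and a client that replays the manipulation attempts.

Added illustration, not the lab's code. The GET behaviour (returning any
profile, uuid included, to any logged-in user) is an ASSUMPTION, introduced
to show why a client-supplied uuid is only a control while it stays secret.
"""

import json
import re
from copy import deepcopy

# Constructed sample records modelled on the captured PUT body; the second
# user and both e-mail addresses are placeholders, not values from the lab.
USERS = {
    1: {"uid": 1, "uuid": "40f5888b67c748df7efba008e7c2f9d2", "role": "employee",
        "full_name": "Amy Lindon", "email": "user1@example.com",
        "about": "A Release is like a boat. 80% of the holes plugged is not good enough."},
    2: {"uid": 2, "uuid": "0123456789abcdef0123456789abcdef", "role": "employee",
        "full_name": "Sample User", "email": "user2@example.com", "about": ""},
}
VALID_ROLES = {"employee"}          # assumed server-side allow-list
EDITABLE = ("full_name", "email", "about")
PATH_RE = re.compile(r"^/profile/api\.php/profile/(\d+)$")


def _target(path):
    """Extract the <id> from /profile/api.php/profile/<id>, or None."""
    m = PATH_RE.match(path)
    return int(m.group(1)) if m else None


def api_put(session_uid, path, body):
    """PUT as observed: every check compares fields in the body with the
    TARGET record; session_uid (the caller) is never consulted."""
    target = _target(path)
    record = USERS.get(target)
    if record is None:
        return 404, "not found"
    if body.get("uid") != target:
        return 400, "uid mismatch"
    if body.get("uuid") != record["uuid"]:
        return 400, "uuid mismatch"
    if body.get("role") not in VALID_ROLES:
        return 400, "Invalid role"
    record.update({k: body[k] for k in EDITABLE if k in body})
    return 200, json.dumps(record)


def api_put_hardened(session_uid, path, body):
    """Same endpoint with the missing control: the target must be the caller."""
    if _target(path) != session_uid:
        return 403, "forbidden"
    return api_put(session_uid, path, body)


def api_get(session_uid, path):
    """ASSUMED: GET hands back any record, uuid included, to any caller."""
    record = USERS.get(_target(path))
    return (200, json.dumps(record)) if record else (404, "not found")


def replay_attempts(session_uid, target_uid):
    """The attempts from the text plus the GET->PUT chain. Returns the
    server's message (or status code) for each step."""
    me, base = session_uid, "/profile/api.php/profile/"
    mine = deepcopy(USERS[me])
    out = {}
    # 1. only the uid in the body changed -> 'uid mismatch'
    out["uid_only"] = api_put(me, f"{base}{me}", dict(mine, uid=target_uid))[1]
    # 2. endpoint and uid changed, our own uuid still sent -> 'uuid mismatch'
    out["endpoint_and_uid"] = api_put(me, f"{base}{target_uid}", dict(mine, uid=target_uid))[1]
    # 3. role escalation -> 'Invalid role'
    out["role_admin"] = api_put(me, f"{base}{me}", dict(mine, role="admin"))[1]
    # 4. chain: read the target's record (uuid included), submit it back modified
    leaked = json.loads(api_get(me, f"{base}{target_uid}")[1])
    tampered = dict(leaked, email="attacker@example.com")
    out["chained_vulnerable"] = api_put(me, f"{base}{target_uid}", tampered)[0]
    out["chained_hardened"] = api_put_hardened(me, f"{base}{target_uid}", tampered)[0]
    return out


if __name__ == "__main__":
    for step, result in replay_attempts(1, 2).items():
        print(f"{step:20} -> {result}")
```

Running it prints the same three rejections the lab returned, followed by a `200` for the chained request against the observed-style endpoint and a `403` against the hardened one. The takeaway is the caveat from the Exploiting section: `uid` and `uuid` consistency checks validate the request body against the stored record, not against who is sending it, so once an information-disclosure IDOR leaks the `uuid`, the "insecure function call" is wide open.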