- Usually, a `GET` request to the API endpoint should return the details of the requested user, so we may try calling it to see if we can retrieve our user's details
- We also notice that after the page loads, it fetches the user details with a `GET` request to the same API endpoint
![[images/Pasted image 20260112192123.png]]
- Here, the only form of authorization in our HTTP requests is the `role=employee` cookie, as the HTTP request does not contain any other form of user-specific authorization such as a JWT

# Info Disclosure

- Let's try changing the 1 to 2 in the URI
![[images/Pasted image 20260112192202.png]]
- This returns details for `uid=2` as a JSON payload

```json
{
  "uid": "2",
  "uuid": "4a9bd19b3b8676199592a346051f950c",
  "role": "employee",
  "full_name": "Iona Franklyn",
  "email": "[email protected]",
  "about": "It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it."
}
```

# Modifying Other Users' Details

- Now that we have the uuid for `uid=2`, we can try changing this user's details by sending a `PUT` request to `/profile/api.php/profile/2` with the above details along with any modifications
![[images/Pasted image 20260112192344.png]]
- We did not get any errors or access control messages, so let's retrieve the details for `uid=2` with a `GET` request to see if the modifications persist
![[images/Pasted image 20260112192448.png]]

# Chaining Two IDOR Vulns

- Since we identified an IDOR Information Disclosure vuln, we may also enumerate all users and look for other `roles`, ideally an admin role
- Let's write a script to enumerate all users, similarly to what we did in previous sections
- Once we enumerate all users, we will find an admin user with the following details

```json
{
  "uid": "X",
  "uuid": "a36fa9e66e85f2dd6f5e13cad45248ae",
  "role": "web_admin",
  "full_name": "administrator",
  "email": "[email protected]",
  "about": "HTB{FLAG}"
}
```

- We can modify the admin's details and perform one of the above attacks to take over the account
- Or, since we know the admin role name is `web_admin`, we can set it on our own user so we can create new users or delete current users
- To do so, we will intercept the request when we click on the `Update profile` button and change our role to `web_admin`
![[images/Pasted image 20260112192738.png]]
- We did not get any error messages, so let's retrieve the details for `uid=1` with a `GET` request to see if the modifications persist
- We get the below JSON payload in response

```json
{
  "uid": "1",
  "uuid": "40f5888b67c748df7efba008e7c2f9d2",
  "role": "web_admin",
  "full_name": "Amy Lindon",
  "email": "[email protected]",
  "about": "A Release is like a boat. 80% of the holes plugged is not good enough."
}
```

- We can refresh the page to update our cookie, or manually set it as `Cookie: role=web_admin`, and then intercept the `Update` request to create a new user and see if we'd be allowed to do so
![[images/Pasted image 20260112192928.png]]
- We did not get any errors, so let's perform a `GET` request to confirm successful creation
![[images/Pasted image 20260112192956.png]]
- By combining the information we gained from the `IDOR Information Disclosure vulnerability` with an `IDOR Insecure Function Calls` attack on an API endpoint, we could modify other users' details and create/delete users while bypassing the access control checks in place

# Exercise

- `ping` test
- `nmap` scan
- visit `/profile/index.php`
![[images/Pasted image 20260112193328.png]]
- source code
![[images/Pasted image 20260112193346.png]]
- visit `/profile/api.php/profile/1`
![[images/Pasted image 20260112194026.png]]

## Identify uid for admin

- create a script that loops over the first 10 users

```bash
# Request each profile record in turn; the API returns one JSON object per uid
for uid in {1..10}; do
  curl -s "http://94.237.122.188:38822/profile/api.php/profile/$uid"
done
```

- output is a little dirty but usable
- rickrolled
![[images/Pasted image 20260112194445.png]]
- `/profile/api.php/profile/10` shows admin
![[images/Pasted image 20260112194207.png]]

## Use PUT request to modify email for admin

- First intercept an update request
![[images/Pasted image 20260112194715.png]]
![[images/Pasted image 20260112201110.png]]
- Update with the below JSON values and change the URI from 1 to 10

```json
{
  "uid": "10",
  "uuid": "bfd92386a1b48076792e68b596846499",
  "role": "staff_admin",
  "full_name": "admin",
  "email": "[email protected]",
  "about": "Never gonna give you up, Never gonna let you down"
}
```

![[images/Pasted image 20260112201152.png]]

## Confirm and Find Flag

- Confirm modifications with a `GET` request
![[images/Pasted image 20260112201946.png]]
- Visit `/profile/index.php`
![[images/Pasted image 20260112201517.png]]
![[images/Pasted image 20260112201826.png]]
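Both weaknesses chained above come from the same two omissions on the server: the profile endpoint never compares the requested `uid` with the caller's own identity, and the `PUT` handler accepts `role` from the client. The hypothetical handler below (added here as a defender's example, not code from the lab or the notes) shows the object-level check and field whitelisting that would have blocked every step of the walkthrough; the user table, e-mail addresses and session layout are constructed sample data, and disallowed fields are rejected with a 400 rather than silently dropped so that attempts show up in the logs.

```python
from copy import deepcopy

# Constructed in-memory user table shaped like the API's JSON records (sample data, not the lab's).
USERS = {
    1: {"uid": "1", "role": "employee", "full_name": "Amy Lindon",
        "email": "amy@example.invalid", "about": "A Release is like a boat."},
    2: {"uid": "2", "role": "employee", "full_name": "Iona Franklyn",
        "email": "iona@example.invalid", "about": "It takes 20 years to build a reputation."},
    10: {"uid": "10", "role": "web_admin", "full_name": "administrator",
         "email": "admin@example.invalid", "about": "REDACTED"},
}

ADMIN_ROLES = {"web_admin"}
# Fields a user may change on their own record. `uid`, `uuid` and `role` are
# server-owned: accepting them from the client is what let the role be
# escalated to web_admin through the PUT body in the walkthrough.
SELF_EDITABLE = {"full_name", "email", "about"}
ADMIN_EDITABLE = SELF_EDITABLE | {"role"}


def handle_profile_request(session, method, target_uid, body=None):
    """Authorize /profile/api.php/profile/<uid> (hypothetical handler).

    `session` is the server-side session record looked up from the session
    cookie; the caller's role is re-read from the user table, never taken
    from a `role=` cookie or the request body. Returns (status, response).
    """
    actor = USERS.get(session.get("uid"))
    if actor is None:
        return 401, {"error": "unauthenticated"}
    is_admin = actor["role"] in ADMIN_ROLES

    # Object-level check: the requested object must belong to the caller
    # unless the caller's server-side role is an admin role.
    if target_uid not in USERS:
        return 404, {"error": "not found"}
    if target_uid != session["uid"] and not is_admin:
        return 403, {"error": "forbidden"}

    if method == "GET":
        return 200, deepcopy(USERS[target_uid])

    if method == "PUT":
        allowed = ADMIN_EDITABLE if is_admin else SELF_EDITABLE
        rejected = sorted(set(body or {}) - allowed)
        if rejected:  # reject rather than ignore: a useful detection signal
            return 400, {"error": "field not editable", "fields": rejected}
        USERS[target_uid].update(body)
        return 200, deepcopy(USERS[target_uid])

    return 405, {"error": "method not allowed"}
```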