Insecure direct object reference (null delhi meet)

Dec 8, 20171 like1,049 views

This document discusses insecure direct object references (IDOR), a type of access control vulnerability. IDOR occurs when an application exposes references to unauthorized resources, such as allowing access to another user's account, through direct manipulation of the reference URL or parameter. The document explains how IDOR works using examples, how attackers can discover and exploit IDOR vulnerabilities, and considerations for when it may not be critical even if present. It also provides resources for further information on testing and remediating IDOR issues.

Insecure Direct
Object Reference
What, Why, and How?
Presented by,
Abhinav Mishra
Founder, ENCIPHERS
www.enciphers.com

First thing’s first. Why IDOR?
Why talk about a vulnerability like IDOR when there are more
intense attacks like SQL Injection and Remote Code Execution?
● Exploitation is cool
● Very common in Rest API
● Scanners are useless in discovering them
● High impact
● Great bounty

Also...
Can’t see IDOR in OWASP TOP 10 2017?

Another bad example...
Let’s suppose this is the URL which you get when you want to see your
purchases from your favorite e-commerce site:
https://ecommercesite.com/purchase.html?uid=25673
What if the application is vulnerable to IDOR:
https://ecommercesite.com/purchase.html?uid=25675
Will show the purchases for some other User whose user id is “25675”

So, how to find these?
● Capture all the traffic in a proxy
● Find all the requests (GET or POST) which has any object
identifier like id, pid, uid etc
● Create another account and get the identifiers from both
accounts.
● Use one of the account’s sessions/auth header and replay each
request with the object identifier from another account.
● Can you access/edit any of the object from another account?
● Report bug, get paid (if not duplicate)

When it’s not actually critical?
When the identifiers are like 2896519846826592fgweut924293
You can’t actually guess the other identifiers, then how would you
access them?
So? Is it no more a vulnerability?

Actually it still can be..
Try to find a way to get other’s identifier values?
Example: /api/v2/users/
Or /api/v2/files/
These may not give details of the files, but may give the file identifiers
and name etc.

Resources?
Bugcrowd Blog: Link
Owasp Link
How to test (Burp Suite): Link
Need help? Find me @0ctac0der

Server-Side Request Forgery (SSRF) refers to an attack where an attacker is able to send a crafted request from a vulnerable web application to target internal systems normally inaccessible from outside. SSRF typically occurs when an attacker has partial or full control over a request being sent by the web application, such as controlling the URL a request is made to. To prevent SSRF, applications should whitelist allowed domains and protocols for requests, and avoid directly using untrusted user input in functions making external requests on the server's behalf.

OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP

SSRF For Bug BountiesOWASP Nagpur

The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.

IDOR Know-How.pdfBhashit Pandya

Cyber kill chainAnkita Ganguly

The cyber kill chain describes cyber attacks from an attacker's perspective through distinct phases: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, and (7) actions on objectives. Each phase of the kill chain can be mapped to defensive tools and actions to prevent attacks. Understanding the kill chain stages gives analysts insight into what is being attempted and how to respond appropriately. The kill chain was developed by Lockheed Martin as a method to describe intrusions and prevent advanced persistent threats by highly trained adversaries targeting sensitive information.

CSRF Basicsn|u - The Open Security Community

Csrf / Xsrf Basics defines CSRF as a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users. CSRF tricks the victim into loading a page that contains a malicious request, which inherits the victim's identity and privileges to perform an undesired function like changing passwords. CSRF attacks target functions that cause state changes on the server but can also access sensitive data. The synchronizer token pattern is a server-side prevention technique that establishes a token on the server to validate submissions through a corresponding token in a hidden form field, marking tokens as invalid after single use.

Broken access controlsAkansha Kesharwani

The document discusses broken access control vulnerabilities. It defines broken access control as when a user is able to perform actions or access content they should not be authorized for. It provides examples of insecure direct object references and missing functional level access controls, which were merged into the broken access control category in OWASP 2017. The document also outlines potential impacts of broken access control and recommendations for remediation such as validating object references and authorization for all referenced objects.

Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff

The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.

Password Policy and Account Lockout Policiesanilinvns

This document outlines password policies and guidelines for strong passwords. It recommends passwords be at least 8 characters long with a mix of uppercase, lowercase, numbers and symbols. Passwords should be changed regularly, not reused, and default passwords should be changed. Account lockout policies should lock accounts after a few incorrect logins to prevent password guessing. The document also discusses calculating password strength and examples of dictionary and brute force password attacks.

Web application securityKapil Sharma

The document discusses web application security and provides an overview of common vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). It summarizes the OWASP Top 10 list of most critical web app security risks, including injection flaws, broken authentication, sensitive data exposure, and more. The document also offers best practices for developing more securely, like using prepared statements, validating and sanitizing input, and implementing authentication and session management properly.

Vulnerabilities in modern web applicationsNiyas Nazar

Secure Code Warrior - CRLF injectionSecure Code Warrior

Waf bypassing TechniquesAvinash Thapa

Cross-Site Scripting (XSS)Daniel Tumser

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. XSS has been one of the top vulnerabilities on the OWASP Top Ten list for many years. While XSS attacks can compromise user sessions and steal sensitive data, developers can prevent XSS through proper input sanitization and output encoding. As web applications continue to grow in use, jobs in web application security and penetration testing are also expected to increase significantly in the coming years.

Sql injection attackRajKumar Rampelli

SQL is a language used to access and manipulate databases. It allows users to execute queries, retrieve, insert, update and delete data from databases. SQL injection occurs when malicious code is injected into an SQL query, which can compromise the security of a database. To prevent SQL injection, developers should validate all user input, escape special characters, limit database permissions, and configure databases to not display error information to users.

Understanding Cross-site Request ForgeryDaniel Miessler

This document provides an overview of cross-site request forgery (CSRF) attacks. It discusses how CSRF works, forcing victims to perform actions on a website without their knowledge. Common defenses like using nonces or CAPTCHAs are described. The document also covers how to validate if an issue is truly a CSRF vulnerability and lists some example attack vectors. Key takeaways emphasize the importance of validating any potential CSRF issue affects state, is sensitive, and has non-unique requests.

API Security FundamentalsJosé Haro Peralta

Slides for my webinar "API Security Fundamentals". They cover 👉 𝐎𝐖𝐀𝐒𝐏’𝐬 𝐭𝐨𝐩 𝟏𝟎 API security vulnerabilities with suggestions on how to avoid them, including the 2019 and the 2023 versions. 👉 API authorization and authentication using 𝐎𝐀𝐮𝐭𝐡 and 𝐎𝐈𝐃𝐂 👉 How certain 𝐀𝐏𝐈 𝐝𝐞𝐬𝐢𝐠𝐧𝐬 expose vulnerabilities and how to prevent them 👉 APIs sit within a wider system and therefore API security requires a 𝐡𝐨𝐥𝐢𝐬𝐭𝐢𝐜 𝐚𝐩𝐩𝐫𝐨𝐚𝐜𝐡. I’ll talk about elements “around the API” that also need to be protected 👉 automating API 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐞𝐬𝐭𝐢𝐧𝐠

Server-side template injection- Slides Amit Dubey

This document discusses server-side template injection (SSTI), including an introduction to template engines, examples of commonly used template engines like Twig and Jinja2, how SSTI works by allowing user input to be embedded in templates in an unsafe manner, ways to detect and identify SSTI vulnerabilities, exploiting SSTI to read files or execute code, automated tools like Tplmap that can assist in SSTI exploitation, mitigations like input sanitization, and references and case studies.

OWASP Top 10 API Security RisksIndusfacePvtLtd

XSSHrishikesh Mishra

OWASP Top 10 Web Application VulnerabilitiesSoftware Guru

This document provides an overview of the OWASP Top 10 Risk Rating Methodology. It explains how risks are rated based on four factors: threat agent, attack vector, technical impact, and business impact. Each factor is given a rating of 1-3 (easy to difficult) and these ratings are multiplied together to calculate an overall weighted risk rating. An example of how this methodology would be applied to an SQL injection vulnerability is also provided.

OWASP API Security Top 10 - API World42Crunch

This document outlines the OWASP API Security Top 10 project which identifies the top 10 risks associated with modern application programming interfaces (APIs). It describes each of the top 10 risks, including broken authentication, excessive data exposure, lack of resources and rate limiting, and insufficient logging and monitoring. For each risk, it provides real-world examples of APIs that have been exploited and mitigation strategies are proposed. Additional resources for the project are listed at the end.

security misconfigurationsMegha Sahu

The document discusses security misconfiguration as the sixth most dangerous web application vulnerability according to the OWASP Top 10. It defines security misconfiguration as improper configuration settings that can enable attacks. The document outlines how attackers exploit default passwords and privileges, and provides examples of misconfigured systems. It recommends ways to prevent misconfiguration like changing defaults, deleting unnecessary accounts, and keeping systems updated. The document demonstrates how to detect hidden URLs and directory listings using Burp Suite and concludes that misconfiguration poses a high risk if not properly safeguarded against.

Introduction to path traversal attackPrashant Hegde

Path traversal attacks aim to access files outside a webroot folder by exploiting how web servers handle special directory traversal characters like "..". An attacker can use these characters in a request to climb the directory structure and potentially read sensitive files. They may also try encoding the special characters to bypass security filters. To prevent this, servers should carefully filter user input, ensure only authorized directories are accessible, and keep sensitive files outside public folders.

Pentesting ReST APINutan Kumar Panda

The document provides an overview of a presentation on pentesting REST APIs. The presentation will cover basic theory, personal experience, methodology, tools used, test beds, example vulnerabilities, common findings, and include hands-on demos. The presentation will discuss both SOAP and REST APIs, pentesting approaches, tools like Postman and Burp Suite, example test beds like Hackazon and Mutillidae, and common API vulnerabilities like information disclosure, IDOR, and token issues.

Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi

Web application security IMd Syed Ahamad

This document summarizes a presentation on web application security. It discusses common web application vulnerabilities like injection flaws, broken authentication, cross-site scripting, and more. It covers the OWASP top 10 list of risks and provides examples to illustrate injection attacks, cross-site scripting bugs, and how vulnerabilities can be prevented through practices like input validation, output encoding, and using vulnerability scanners. The goal is to both prevent vulnerabilities and implement detection mechanisms for web applications.

Directory Traversal & File Inclusion AttacksRaghav Bisht

Directory traversal, also known as path traversal, allows attackers to access files and directories outside of the web server's designated root folder. This can lead to attacks like file inclusion, where malicious code is executed on the server, and source code disclosure, where sensitive application code is revealed. Local file inclusion allows attackers to include files from the local web server, while remote file inclusion includes files from external websites, potentially allowing remote code execution on the vulnerable server.

OpenID and decentralised social networksSimon Willison

OpenID ConnectFarasath Ahamed

This document provides an overview of OpenID Connect, which is a standard protocol for user authentication and authorization. It describes how OpenID Connect provides a secure login mechanism for applications by defining standard APIs for authentication, authorization, single sign-on, and single logout. The document explains the OpenID Connect flow, advantages of using the standard, and security aspects like signed JSON Web Tokens and preventing request tampering. It also discusses solutions built on OpenID Connect and tips for application developers in implementing authentication securely.

More Related Content

What's hot (20)

Password Policy and Account Lockout Policiesanilinvns

Web application securityKapil Sharma

Vulnerabilities in modern web applicationsNiyas Nazar

Secure Code Warrior - CRLF injectionSecure Code Warrior

Waf bypassing TechniquesAvinash Thapa

Cross-Site Scripting (XSS)Daniel Tumser

Sql injection attackRajKumar Rampelli

Understanding Cross-site Request ForgeryDaniel Miessler

API Security FundamentalsJosé Haro Peralta

Server-side template injection- Slides Amit Dubey

OWASP Top 10 API Security RisksIndusfacePvtLtd

XSSHrishikesh Mishra

OWASP Top 10 Web Application VulnerabilitiesSoftware Guru

OWASP API Security Top 10 - API World42Crunch

security misconfigurationsMegha Sahu

Introduction to path traversal attackPrashant Hegde

Pentesting ReST APINutan Kumar Panda

Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi

Web application security IMd Syed Ahamad

Directory Traversal & File Inclusion AttacksRaghav Bisht

Password Policy and Account Lockout Policiesanilinvns

Web application securityKapil Sharma

Vulnerabilities in modern web applicationsNiyas Nazar

Secure Code Warrior - CRLF injectionSecure Code Warrior

Waf bypassing TechniquesAvinash Thapa

Cross-Site Scripting (XSS)Daniel Tumser

Sql injection attackRajKumar Rampelli

Understanding Cross-site Request ForgeryDaniel Miessler

API Security FundamentalsJosé Haro Peralta

Server-side template injection- Slides Amit Dubey

OWASP Top 10 API Security RisksIndusfacePvtLtd

XSSHrishikesh Mishra

OWASP Top 10 Web Application VulnerabilitiesSoftware Guru

OWASP API Security Top 10 - API World42Crunch

security misconfigurationsMegha Sahu

Introduction to path traversal attackPrashant Hegde

Pentesting ReST APINutan Kumar Panda

Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi

Web application security IMd Syed Ahamad

Directory Traversal & File Inclusion AttacksRaghav Bisht

Similar to Insecure direct object reference (null delhi meet) (20)

OpenID and decentralised social networksSimon Willison

OpenID ConnectFarasath Ahamed

OAuth2 & OpenID Connect with Spring SecurityShuto Uwai

Taller "La identidad digital profesional para estudiantes de la ETSII"Oriol Borras Gene

Presentación y resumen de resultados del taller. En la actualidad, todo individuo se encuentra en mayor o menor grado presente en Internet, ya sea de manera activa y consciente o como resultado de la actividad de terceros. Esta huella en la red, que perfila al individuo, es lo que conocemos como identidad digital y será responsabilidad de todo ciudadano una correcta gestión para evitar los posibles peligros asociados y potenciar las posibilidades que encontraremos en la red. A lo largo de este taller se pretende que el estudiante de la ETSII tome consciencia de su identidad digital y aprenda a gestionarla adecuadamente, ofreciendo las pautas necesarias para que las adapte y convierta la gestión de la identidad digital en una práctica habitual en su día a día, potenciando su faceta profesional en la red en forma de marca personal. Se hará hincapié en la red LinkedIn y cómo sacarle el máximo provecho. El curso se desarrolla de manera mixta en una sesión en directo teórica y práctica de 4 horas, pudiendo escoger el estudiante entre dos modalidades: asistir presencialmente o por videoconferencia. En ambos casos la asistencia es obligatoria. Además, cuenta con una segunda parte online de trabajo autónomo del estudiante, tras la sesión inicial en directo. Reconocimiento de créditos (RAC) 0,7 ECTS Objetivos Conocer qué es la identidad digital y cómo se construye Analizar la identidad digital actual del estudiante Revisar las ventajas que supone para el individuo la identidad digital Conocer los peligros que pueden aparecer al estar en la red Aprender a gestionar la identidad digital El taller no tiene como objetivo realizar un currículum, búsqueda de empleo activa o profundizar en el manejo de redes sociales, se presopone un conocimiento previo del estudiante. Requisitos Conocimientos básicos de Internet y sería aconsejable tener perfil en LinkedIn creado, aunque esté vacío. Para los estudiantes en la modalidad online es imprescindible contar con una conexión a internet con la calidad suficiente para soportar una videoconferencia. Fecha de la sesión: 11 de junio de 10 a 14h.

Implementing OpenID for Your Social Networking SiteDavid Keener

There are thousands of social networking sites, each with their own unique sign-on systems. How many user names and passwords do you really want to remember? Wouldn't it be nice if you could have a single sign-on that you could use on all of the sites that you frequent? OpenID is an open-source, decentralized sign-on technology that promises this and more. Find out how to implement OpenID for a web site using Ruby on Rails.

Self-Sovereign Identity: Lightening Talk at RightsCon Kaliya "Identity Woman" Young

Self-Sovereign Identity technology has enormous potential to empower individuals and address privacy challenges globally. It uses shared ledgers (blockchain) to give individuals the power to create and manage their own identifiers, collect verified claims and interact with others on the network on their terms. This lighting talk by one of the pioneers working on this new emerging layer of the internet for 15 years will give a high level picture of how it works covering the core standards and technologies along with outlining some potential use-cases.

CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCloudIDSummit

Dale Olds, Senior Staff Engineer, VMware If identity is the new perimeter, then users must be able to access applications anywhere: on premise, in the cloud or on partner sites. To enable this access we must take identity information into other worlds, and there is no Babel Fish. This session will explain how to enable access to distributed applications without making users feel like Marvin the Paranoid Android. We will cover topics like federated authentication, browser single sign-on and delegated authorization for cloud APIs. Standards in this area are essential, but SAML, OAuth2, SCIM and OpenID can sound like Vogon poetry. We'll touch on the standards, but keep the Vogon poetry to a minimum.

Open IDdiwanshu.joshi

Claim based authentaicationSean Xiong

Claim based authentication provides a solution to common problems with user authentication across multiple websites. It allows an identity provider like Google or Facebook to authenticate a user and issue tokens containing claims like user details. Applications can then request specific claims from an identity provider through a selector. The identity provider signs the token and applications can verify the signature to trust the identity provider. This avoids the need for each application to implement its own authentication and allows users to reuse their login from an identity provider on multiple applications.

Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman

Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19Andrew Hughes

Owasp top 10 2013Edouard de Lansalut

The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.

Open IdRobin Hastings

This document discusses OpenID, which is an open standard that allows users to log into multiple websites using a single digital identity. Some key points: - OpenID allows for simplified sign-ins by using an identity provider like AOL, Yahoo, or Google instead of creating multiple usernames and passwords. - Benefits include single sign-on access across sites, easy signup, and decentralization. However, there are also security, privacy, and usability challenges to consider. - The author implements OpenID on their own site using their MyOpenID or OpenID.net account, and encourages others to get an OpenID and try logging into enabled sites.

A A ACristian Vat

OSINT for Proactive Defense - RootConf 2019RedHunt Labs

Fraud detection using Chatter Connect ÀPI and Einstein, Abhishek KolipeyCzechDreamin

Fraud Alert !! Fraud Alert !! Do you think that there is fraud happening in your business processes or unusual activities happening in your company? Learn about anomaly detection using Chatter and Einstein. Use Chatter Connect API for fetching data and generate meaningful insights using the Einstein wave. This technique can be used to detect fraudulent activities in your company and the harassment faced by the workforce. Does your company 1). Use Chatter for communication between Employees and Customers 2). Collaboration & Teamwork Play an Integral Part of your Productivity 3). Want to know what your end users are talking about 4). Know what Kind of issues & problems your Customers/Employees are facing 5). Automate the process based on the Chatter Feeds Solution 1). Use the Chatter Rest API & Connect API for fetching the chatter data 2). Use this data to generate useful insights by Wave Analytics 3). Based on the Insights invoke a process automatically Benefits 1). SF Customers & Business User will understand the vast usage of Chatter and Einstein Wave 2). Developers will learn the usage of Chatter Rest API & Connect API 3). Admins will learn about the setting up of feeds polls and questions for wave analytics

Identity federation & user centric identitywegdam

1) Identity federation allows for authentication, authorization, and personalization across different identity providers and relying parties by establishing trust between the three entities. 2) There are trends toward more user-centric identity solutions on the internet that give users more control and transparency over their personal data. 3) Common standards for identity federation include SAML, OpenID, and InfoCard, with each having varying degrees of simplicity, security, and support for user-centric features. Scaling identity federations requires establishing trust models between identity providers and relying parties.

CIS14: Authentication: Who are You? You are What You EatCloudIDSummit

Mastering Secure Login Mechanisms for React Apps.pdfBrion Mario

OpenID and decentralised social networksSimon Willison

OpenID ConnectFarasath Ahamed

OAuth2 & OpenID Connect with Spring SecurityShuto Uwai

Taller "La identidad digital profesional para estudiantes de la ETSII"Oriol Borras Gene

Implementing OpenID for Your Social Networking SiteDavid Keener

Self-Sovereign Identity: Lightening Talk at RightsCon Kaliya "Identity Woman" Young

CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCloudIDSummit

Open IDdiwanshu.joshi

Claim based authentaicationSean Xiong

Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman

Digital Identity Landscape for Vancouver IAM Meetup 2017 12-19Andrew Hughes

Owasp top 10 2013Edouard de Lansalut

Open IdRobin Hastings

A A ACristian Vat

OSINT for Proactive Defense - RootConf 2019RedHunt Labs

Fraud detection using Chatter Connect ÀPI and Einstein, Abhishek KolipeyCzechDreamin

Identity federation & user centric identitywegdam

CIS14: Authentication: Who are You? You are What You EatCloudIDSummit

Mastering Secure Login Mechanisms for React Apps.pdfBrion Mario

More from Abhinav Mishra (7)

Peerlyst Delhi NCR Chapter MeetAbhinav Mishra

This document summarizes a Peerlyst meetup in Delhi-NCR, India organized by chapter leads Abhinav Mishra and Ankit Giri. The meetup agenda included discussions on understanding and exploiting mobile applications, careers in bug bounties and penetration testing. It was hosted by TO THE NEW and aimed to create a security community in India by sharing knowledge through talks, workshops and networking.

The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra

The document provides an overview of the game of bug bounty hunting, including a brief history of bug bounty programs, the present state of platforms like HackerOne and BugCrowd, tips for getting started, techniques for finding different types of vulnerabilities, examples of famous bounty submissions, and potential drama one may face. It also includes suggestions for resources, tools, blogs, and people to follow to continue learning and developing skills in bug bounty hunting.

Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra

The document discusses an "Android Fight Club" session focused on analyzing and hacking Android applications for security. It provides an overview of static and dynamic analysis techniques, tools like ADB, Drozer, and QARK that can be used, and common Android vulnerabilities like insecure storage, transport issues, and insecure app components that may be found. The document also includes discussion prompts and breaks for questions, as well as tips for setting up an Android lab environment and bypassing protections like SSL pinning.

The art of android hackingAbhinav Mishra

This document discusses Android application security and provides an overview of assessing Android applications for vulnerabilities. It covers Android architecture, application structure, tools for analysis including emulators and Drozer, and demonstrates reversing an APK file. The document also lists examples of vulnerabilities the presenter has found in Android apps with associated bounty amounts, and how to detect each one. It proposes using a virtual machine called Droider for Android application assessments.

Android Security BasicsAbhinav Mishra

How not to make a hacker friendly applicationAbhinav Mishra

Anatomizing online payment systems: hack to shopAbhinav Mishra

The document discusses vulnerabilities in online payment systems that could allow hackers to conduct fraudulent purchases. It describes how hackers could exploit weaknesses like weak encryption, improper input validation, or modified transaction strings to "hack to shop" and buy items without paying. The document advises payment systems to follow security best practices like implementing strong encryption, conducting penetration tests, and remediating any issues found to prevent hackers from stealing goods through these means.

Peerlyst Delhi NCR Chapter MeetAbhinav Mishra

The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra

Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra

The art of android hackingAbhinav Mishra

Android Security BasicsAbhinav Mishra

How not to make a hacker friendly applicationAbhinav Mishra

Anatomizing online payment systems: hack to shopAbhinav Mishra

Recently uploaded (20)

How to Subscribe Newsletter From Odoo 18 WebsiteCeline George

GDGLSPGCOER - Git and GitHub Workshop.pptxazeenhodekar

SPRING FESTIVITIES - UK AND USA -Colégio Santa Teresinha

Anti-Depressants pharmacology 1slide.pptxMayuri Chavan

K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schoolsdogden2

Algebra 1 is often described as a “gateway” class, a pivotal moment that can shape the rest of a student’s K–12 education. Early access is key: successfully completing Algebra 1 in middle school allows students to complete advanced math and science coursework in high school, which research shows lead to higher wages and lower rates of unemployment in adulthood. Learn how The Atlanta Public Schools is using their data to create a more equitable enrollment in middle school Algebra classes.

World war-1(Causes & impacts at a glance) PPT by Simanchala Sarab(BABed,sem-4...larencebapu132

One Hot encoding a revolution in Machine learningmomer9505

Understanding P–N Junction Semiconductors: A Beginner’s GuideGS Virdi

Dive into the fundamentals of P–N junctions, the heart of every diode and semiconductor device. In this concise presentation, Dr. G.S. Virdi (Former Chief Scientist, CSIR-CEERI Pilani) covers: What Is a P–N Junction? Learn how P-type and N-type materials join to create a diode. Depletion Region & Biasing: See how forward and reverse bias shape the voltage–current behavior. V–I Characteristics: Understand the curve that defines diode operation. Real-World Uses: Discover common applications in rectifiers, signal clipping, and more. Ideal for electronics students, hobbyists, and engineers seeking a clear, practical introduction to P–N junction semiconductors.

Social Problem-Unemployment .pptx notes for Physiotherapy StudentsDrNidhiAgarwal

Unemployment is a major social problem, by which not only rural population have suffered but also urban population are suffered while they are literate having good qualification.The evil consequences like poverty, frustration, revolution result in crimes and social disorganization. Therefore, it is necessary that all efforts be made to have maximum. employment facilities. The Government of India has already announced that the question of payment of unemployment allowance cannot be considered in India

pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulsesushreesangita003

Biophysics Chapter 3 Methods of Studying Macromolecules.pdfPKLI-Institute of Nursing and Allied Health Sciences Lahore , Pakistan.

This chapter provides an in-depth overview of the viscosity of macromolecules, an essential concept in biophysics and medical sciences, especially in understanding fluid behavior like blood flow in the human body. Key concepts covered include: ✅ Definition and Types of Viscosity: Dynamic vs. Kinematic viscosity, cohesion, and adhesion. ⚙️ Methods of Measuring Viscosity: Rotary Viscometer Vibrational Viscometer Falling Object Method Capillary Viscometer 🌡️ Factors Affecting Viscosity: Temperature, composition, flow rate. 🩺 Clinical Relevance: Impact of blood viscosity in cardiovascular health. 🌊 Fluid Dynamics: Laminar vs. turbulent flow, Reynolds number. 🔬 Extension Techniques: Chromatography (adsorption, partition, TLC, etc.) Electrophoresis (protein/DNA separation) Sedimentation and Centrifugation methods.

Quality Contril Analysis of Containers.pdfDr. Bindiya Chauhan

YSPH VMOC Special Report - Measles Outbreak Southwest US 5-3-2025.pptxYale School of Public Health - The Virtual Medical Operations Center (VMOC)

A measles outbreak originating in West Texas has been linked to confirmed cases in New Mexico, with additional cases reported in Oklahoma and Kansas. The current case count is 817 from Texas, New Mexico, Oklahoma, and Kansas. 97 individuals have required hospitalization, and 3 deaths, 2 children in Texas and one adult in New Mexico. These fatalities mark the first measles-related deaths in the United States since 2015 and the first pediatric measles death since 2003. The YSPH Virtual Medical Operations Center Briefs (VMOC) were created as a service-learning project by faculty and graduate students at the Yale School of Public Health in response to the 2010 Haiti Earthquake. Each year, the VMOC Briefs are produced by students enrolled in Environmental Health Science Course 581 - Public Health Emergencies: Disaster Planning and Response. These briefs compile diverse information sources – including status reports, maps, news articles, and web content– into a single, easily digestible document that can be widely shared and used interactively. Key features of this report include: - Comprehensive Overview: Provides situation updates, maps, relevant news, and web resources. - Accessibility: Designed for easy reading, wide distribution, and interactive use. - Collaboration: The “unlocked" format enables other responders to share, copy, and adapt seamlessly. The students learn by doing, quickly discovering how and where to find critical information and presenting it in an easily understood manner. CURRENT CASE COUNT: 817 (As of 05/3/2025) • Texas: 688 (+20)(62% of these cases are in Gaines County). • New Mexico: 67 (+1 )(92.4% of the cases are from Eddy County) • Oklahoma: 16 (+1) • Kansas: 46 (32% of the cases are from Gray County) HOSPITALIZATIONS: 97 (+2) • Texas: 89 (+2) - This is 13.02% of all TX cases. • New Mexico: 7 - This is 10.6% of all NM cases. • Kansas: 1 - This is 2.7% of all KS cases. DEATHS: 3 • Texas: 2 – This is 0.31% of all cases • New Mexico: 1 – This is 1.54% of all cases US NATIONAL CASE COUNT: 967 (Confirmed and suspected): INTERNATIONAL SPREAD (As of 4/2/2025) • Mexico – 865 (+58) ‒Chihuahua, Mexico: 844 (+58) cases, 3 hospitalizations, 1 fatality • Canada: 1531 (+270) (This reflects Ontario's Outbreak, which began 11/24) ‒Ontario, Canada – 1243 (+223) cases, 84 hospitalizations. • Europe: 6,814

Multi-currency in odoo accounting and Update exchange rates automatically in ...Celine George

Operations Management (Dr. Abdulfatah Salem).pdfArab Academy for Science, Technology and Maritime Transport

Unit 6_Introduction_Phishing_Password Cracking.pdfKanchanPatil34

P-glycoprotein pamphlet: iteration 4 of 4 finalbs22n2s

Marie Boran Special Collections Librarian Hardiman Library, University of Gal...Library Association of Ireland

Metamorphosis: Life's Transformative JourneyArshad Shaikh

Presentation of the MIPLM subject matter expert Erdem KayaMIPLM

How to Subscribe Newsletter From Odoo 18 WebsiteCeline George

GDGLSPGCOER - Git and GitHub Workshop.pptxazeenhodekar

SPRING FESTIVITIES - UK AND USA -Colégio Santa Teresinha

Anti-Depressants pharmacology 1slide.pptxMayuri Chavan

K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schoolsdogden2

World war-1(Causes & impacts at a glance) PPT by Simanchala Sarab(BABed,sem-4...larencebapu132

One Hot encoding a revolution in Machine learningmomer9505

Understanding P–N Junction Semiconductors: A Beginner’s GuideGS Virdi

Social Problem-Unemployment .pptx notes for Physiotherapy StudentsDrNidhiAgarwal

pulse ppt.pptx Types of pulse , characteristics of pulse , Alteration of pulsesushreesangita003

Biophysics Chapter 3 Methods of Studying Macromolecules.pdfPKLI-Institute of Nursing and Allied Health Sciences Lahore , Pakistan.

Quality Contril Analysis of Containers.pdfDr. Bindiya Chauhan

YSPH VMOC Special Report - Measles Outbreak Southwest US 5-3-2025.pptxYale School of Public Health - The Virtual Medical Operations Center (VMOC)

Multi-currency in odoo accounting and Update exchange rates automatically in ...Celine George

Operations Management (Dr. Abdulfatah Salem).pdfArab Academy for Science, Technology and Maritime Transport

Unit 6_Introduction_Phishing_Password Cracking.pdfKanchanPatil34

P-glycoprotein pamphlet: iteration 4 of 4 finalbs22n2s

Marie Boran Special Collections Librarian Hardiman Library, University of Gal...Library Association of Ireland

Metamorphosis: Life's Transformative JourneyArshad Shaikh

Presentation of the MIPLM subject matter expert Erdem KayaMIPLM

Insecure direct object reference (null delhi meet)

1. Insecure Direct Object Reference What, Why, and How? Presented by, Abhinav Mishra Founder, ENCIPHERS www.enciphers.com

2. First thing’s first. Why IDOR? Why talk about a vulnerability like IDOR when there are more intense attacks like SQL Injection and Remote Code Execution? ● Exploitation is cool ● Very common in Rest API ● Scanners are useless in discovering them ● High impact ● Great bounty

3. Also... Can’t see IDOR in OWASP TOP 10 2017?

4. What is IDOR? Consider a URL for deleting the profile pic of a certain user: https://samplesite.com/deleteProfilePic?id=127 If the application is vulnerable to IDOR: https://samplesite.com/deleteProfilePic?id=128 Will delete the Profile Pic of Another User having the id of “128”

5. So what is an Object? ● Any user data/information like, pictures, profile, account, files etc ● Social Network: ○ Posts, users (blocked?), videos, pics, friends etc ● Ecommerce: ○ Credit card, private info, cart ● Other: ○ Messages, private posts, friends, files, documents etc

6. Another bad example... Let’s suppose this is the URL which you get when you want to see your purchases from your favorite e-commerce site: https://ecommercesite.com/purchase.html?uid=25673 What if the application is vulnerable to IDOR: https://ecommercesite.com/purchase.html?uid=25675 Will show the purchases for some other User whose user id is “25675”

7. So, how to find these? ● Capture all the traffic in a proxy ● Find all the requests (GET or POST) which has any object identifier like id, pid, uid etc ● Create another account and get the identifiers from both accounts. ● Use one of the account’s sessions/auth header and replay each request with the object identifier from another account. ● Can you access/edit any of the object from another account? ● Report bug, get paid (if not duplicate)

8. When it’s not actually critical? When the identifiers are like 2896519846826592fgweut924293 You can’t actually guess the other identifiers, then how would you access them? So? Is it no more a vulnerability?

9. Actually it still can be.. Try to find a way to get other’s identifier values? Example: /api/v2/users/ Or /api/v2/files/ These may not give details of the files, but may give the file identifiers and name etc.

10. Resources? Bugcrowd Blog: Link Owasp Link How to test (Burp Suite): Link Need help? Find me @0ctac0der

Insecure direct object reference (null delhi meet)

Recommended

More Related Content

What's hot (20)

Similar to Insecure direct object reference (null delhi meet) (20)

More from Abhinav Mishra (7)

Recently uploaded (20)

Insecure direct object reference (null delhi meet)