Read Sensitive Information/Iterable Object Identifiers

Overview of the Vulnerability

Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to read sensitive information by iterating through object identifiers.

Business Impact

IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application.

In the context of the vulnerable code provided, the primary category of the IDOR vulnerability would be:

Read Sensitive Information Iterable Object Identifiers

Gruames_Site/
    ├── templates/
    │   └── games/
    │       ├── dashboard.html
    │       ├── gamer_details.html
    │       ├── login.html
    │       └── logout.html
    ├── __init__.py
    ├── apps.py
    ├── forms.py
    ├── models.py
    ├── urls.py
    ├── views.py
    └── website/
        ├── __init__.py
        ├── settings.py
        ├── urls.py
        └── wsgi.py

from __future__ import unicode_literals
from django.db import models
from django.contrib.auth.models import User

# Model for team participating in competition.
class Team(models.Model):
    name = models.CharField(max_length=15)

    def __str__(self):
        return self.name

# Model for gamer profiles.
class GamerProfile(models.Model):
    alias_name = models.CharField(max_length=40)
    game_name = models.CharField(max_length=30)
    score = models.IntegerField()
    team = models.ForeignKey(Team, on_delete=models.CASCADE)
    user = models.ForeignKey(User, on_delete=models.CASCADE)

    def __str__(self):
        return self.alias_name

from django.shortcuts import render
from django.contrib.auth import authenticate, login, logout
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect, HttpResponse
from django.contrib import messages
from django.contrib.auth import decorators
from django.shortcuts import get_object_or_404
from games.models import GamerProfile, Team
from games.forms import LoginForm

# User login process
def user_login(request):
    if request.method == 'POST':
        form = LoginForm(request.POST)
        if form.is_valid():
            user_name = form.cleaned_data['username']
            pass_word = form.cleaned_data['password']
            user = authenticate(username=user_name, password=pass_word)
            if user is not None:
                if user.is_active:
                    login(request, user)
                    return HttpResponseRedirect(reverse('games:dashboard'))
                else:
                    messages.error(request, 'User  is disabled.')
            else:
                form = LoginForm()
                messages.error(request, 'Incorrect Login Details. Please try again')
    else:
        form = LoginForm()

    return render(request, 'games/login.html', {'form': form})

# User gaming dashboard
@decorators.login_required(login_url='/games/login/')
def dashboard(request):
    team = get_object_or_404(Team, user=request.user)
    team_gamers = GamerProfile.objects.filter(team=team)
    return render(request, 'games/dashboard.html', {'team_gamers': team_gamers})

# User Team members
@decorators.login_required(login_url='/games/login/')
def gamer_profile(request, gamer_id):
    gamer_details = get_object_or_404(GamerProfile, pk=gamer_id)
    return render(request, 'games/gamer_details.html', {'gamer': gamer_details})

# User logout
@decorators.login_required(login_url='/games/login/')
def log_out(request):
    logout(request)
    return render(request, 'games/logout.html', {})

from __future__ import unicode_literals
import os
from django.core.exceptions import ImproperlyConfigured

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'games.apps.GamesConfig',
]

ROOT_URLCONF = 'website.urls'
WSGI_APPLICATION = 'website.wsgi.application'
DEBUG = False

ALLOWED_HOSTS = [
    'randomapp.securecodewarrior.com'
]

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

try:
    SECRET_KEY = os.environ['DJANGO__SECRET_KEY']
    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.postgresql',
            'NAME': os.environ['DJANGO__DB_NAME'],
            'USER': os.environ['DJANGO__DB_USER'],
            'PASSWORD': os.environ['DJANGO__DB_PASSWORD'],
            'HOST': os.environ['DJANGO__DB_HOST'],
            'PORT': os.environ['DJANGO__DB_PORT'],
        }
    }
except KeyError as ex:
    key = ex.args[0]
    raise ImproperlyConfigured("The environment variable {0} was not found and is required".format(key))

MIDDLEWARE_CLASSES = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib

from django.conf.urls import url
from . import views

urlpatterns = [
    # User login URL
    url(r'login/$', views.user_login, name='login'),

    # User dashboard URL
    url(r'dashboard/$', views.dashboard, name='dashboard'),

    # User logout URL
    url(r'logout/$', views.log_out, name='logout'),

    # User transactions URL with transaction ID as a parameter
    url(r'user_transactions/(?P<transaction_id>[0-9]+)/$', views.user_transactions, name='user_transactions'),
]

from django.contrib.auth import authenticate, login, logout
from django.http import HttpResponseRedirect
from django.core.urlresolvers import reverse
from django.shortcuts import render, get_object_or_404
from django.contrib import messages
from django.contrib.auth.decorators import login_required

from bank.models import TransactionDetails
from bank.forms import LoginForm

# User login process
def user_login(request):
    # Checking the request method
    if request.method == 'POST':
        # Create a form instance and populate it with data from the request
        form = LoginForm(request.POST)

        if form.is_valid():
            # Fetching the username and password from POST methods
            user_name = form.cleaned_data['username']
            pass_word = form.cleaned_data['password']

            # Authenticating the user
            user = authenticate(username=user_name, password=pass_word)

            # Checking if the user is successfully authenticated
            if user is not None:
                # Login the user and create a user session
                if user.is_active:
                    login(request, user)
                    return HttpResponseRedirect(reverse('bank:dashboard'))
                else:
                    messages.error(request, 'User  is disabled.')
            else:
                form = LoginForm()
                # Flashing a message on incorrect login credentials
                messages.error(request, 'Incorrect Login Details. Please try again.')
    else:
        # Creating a form instance
        form = LoginForm()

    return render(request, 'bank/login.html', {'form': form})

# View for logging out the user
@login_required(login_url='/bank/login/')
def log_out(request):
    logout(request)
    return render(request, 'bank/logout.html', {})

# View to let the user check the list of all transactions
@login_required(login_url='/bank/login/')
def dashboard(request):
    transactions = TransactionDetails.objects.filter(user=request.user)
    return render(request, 'bank/dashboard.html', {'transactions': transactions})

# View for the logged users to check the bank transaction details
@login_required(login_url='/bank/login/')
def user_transactions(request, transaction_id):
    transaction_details = get_object_or_404(TransactionDetails, id=transaction_id)
    return render(request, 'bank/transactions.html', {'transaction_details': transaction_details})

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Transactions Page</title>
</head>
<body>
    <h4><u>Transaction Details</u></h4>
    
    <b>Account No: </b> {{ transaction_details.to_account_no }}<br>
    <b>Type: </b> {{ transaction_details.get_transaction_type_display }}<br>
    <b>Amount: </b> {{ transaction_details.amount }}<br>
    <b>Time of Transaction: </b> {{ transaction_details.date }}<br>

    <br><br>
    <b><a href="{% url 'bank:logout' %}">LogOut</a></b>
</body>
</html>

Key Areas to Examine

Gamer Profile Access: The gamer_profile view function in views.py is a potential area for IDOR vulnerabilities. Here’s the relevant code:

@decorators.login_required(login_url='/games/login/')
def gamer_profile(request, gamer_id):
    gamer_details = get_object_or_404(GamerProfile, pk=gamer_id)
    return render(request, 'games/gamer_details.html', {'gamer': gamer_details, })

Potential IDOR Vulnerability

Gamer Profile Access: The gamer_profile function retrieves a GamerProfile object based on the gamer_id provided in the URL. If the gamer_id is simply an integer that corresponds to the primary key of the GamerProfile model, a user could potentially manipulate the URL to access
Read Sensitive Information: The gamer_profile function allows users to read (view) the details of a GamerProfile based on the gamer_id provided in the URL. If a user can manipulate this ID to access another user's profile, it constitutes a vulnerability.
Iterable Object Identifiers: The gamer_id is a predictable integer (the primary key of the GamerProfile model), which means that users can iterate through possible IDs (e.g., /gamer_profile/1/, /gamer_profile/2/, etc.) to access profiles they should not have permission to view

Lack of Access Control

No User Ownership Check: The code does not check if the logged-in user is the owner of the GamerProfile they are trying to access. This means that any authenticated user could potentially access any GamerProfile by guessing or iterating through IDs.

Example of How This Could Be Exploited

User A has a gamer profile with gamer_id = 1.
User B logs in and knows User A's gamer_id.
User B accesses /gamer_profile/1/ and views User A's profile.
User B changes the URL to /gamer_profile/2/ and accesses another user's profile, assuming they know the ID.

Recommendations to Mitigate IDOR

Ownership Check: Before retrieving the GamerProfile, check if the logged-in user is the owner of that profile:

@decorators.login_required(login_url='/games/login/')
def gamer_profile(request, gamer_id):
    gamer_details = get_object_or_404(GamerProfile, pk=gamer_id, user=request.user)
    return render(request, 'games/gamer_details.html', {'gamer': gamer_details, })

Use UUIDs or Random Tokens: Instead of using sequential integers for IDs, consider using UUIDs or random tokens that are not easily guessable.
Implement Role-Based Access Control (RBAC): Ensure that users can only access resources they are authorized to view based on their roles.

Summary

Thus, the vulnerability in the provided code falls under the category of Read Sensitive Information Iterable Object Identifiers, as it allows unauthorized users to read sensitive information (gamer profiles) by manipulating the object identifiers (gamer IDs) in the URL.

Here are some examples of types of websites and applications that have similar functionality, structure, and business logic to the code you provided, which could be vulnerable to IDOR weaknesses:

1. Online Gaming Platforms

Example: Websites like Twitch or Steam where users have profiles that display their gaming statistics, achievements, and friends lists.
Vulnerability: If user profiles are accessed via predictable IDs (e.g., /user/profile/123), an attacker could manipulate the URL to view other users' profiles, potentially exposing sensitive information like personal details, gaming history, or private messages.

Example: Platforms like Discord or GameBattles where users can create profiles, join teams, and share achievements.
Vulnerability: If users can access other users' profiles or team information by changing IDs in the URL, they could gain unauthorized access to private messages, team strategies, or sensitive user data.

3. Competitive Gaming Websites

Example: Websites like Battlefy or Challonge that host tournaments and allow users to create profiles, join teams, and view match statistics.
Vulnerability: If tournament participants can access each other's profiles or match results by manipulating URLs, it could lead to unauthorized access to sensitive competition data or personal information.

4. E-Sports Team Management Platforms

Example: Websites like GamerLink or TeamSpeak where users can manage teams, view player statistics, and communicate with team members.
Vulnerability: If team management features allow users to access other team members' profiles or statistics through predictable URLs, it could expose sensitive information about team strategies or player performance.

5. Gaming Community Forums

Example: Forums like NeoGAF or ResetEra where users have profiles that display their posts, achievements, and personal information.
Vulnerability: If users can access other members' profiles by changing the user ID in the URL, it could lead to unauthorized viewing of private messages, posts, or personal information.

6. Game Development Platforms

Example: Platforms like itch.io or Game Jolt where developers can create profiles, showcase their games, and interact with users.
Vulnerability: If developers can access each other's profiles or game statistics through predictable identifiers, it could expose sensitive information about game development processes or unpublished projects.

Conclusion

These types of websites and applications share similar functionality and business logic with the code you provided. They could be vulnerable to IDOR attacks if they do not implement proper access controls and validation checks on user permissions when accessing user-specific resources. To mitigate these risks, it is crucial to enforce strict access controls and validate user ownership before allowing access to sensitive information.

Steps to Reproduce

Use a browser to navigate to: {{URL}}
Login to User Account A
In the URL bar, modify the parameter to a different value:

Observe that the application displays information of User Account B, as seen in the screenshot below:

Proof of Concept (PoC)

Below is a screenshot demonstrating the exposed object executing:

A malicious attacker could leverage this IDOR vulnerability to read data by using the following payload:

{{payload}}

The following screenshot(s) demonstrate(s) this additional impact:

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Your submission must include evidence of the vulnerability and not be theoretical in nature.

To demonstrate access to sensitive information, self register two separate accounts and clearly demonstrate how you view the "victim" account information from the "attacker" account.

If identified, do not access or attempt to access sensitive information. Do not access Personally Identifiable Information (PII) as there are legal consequences to doing so.

Recommendation(s)

Preventing IDOR involves ensuring that each user accessible object is sufficiently protected. When an object is requested by an untrusted source, each request should pass through an access control check to ensure that the user has authorization to access that object.

These authorization checks should also occur when a known user requests a resource so that the users can only access data from within their intended permissions group.

Additionally, hash functions and hashed strings should be used to map an object instead of a direct ID, so that it is not a predictable value and easily guessed.

For more information, refer to the following resource:

https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

PreviousInsecure Direct Object References (IDOR)NextMissing Function Level Access Control

Last updated 10 months ago