Insecure DOR (Change Secret)


In this walkthrough, we will be going through the Insecure DOR (Change Secret) vulnerability section from bWAPP Labs. We will be exploring and exploiting IDOR in a Change Secret implementation and learn how applications are affected by it. So, let's get started with the hacking without any delay.


Security: Low

  • Setting the security level to Low.

[Screenshot: Security level Low]

  • The application has a change secret functionality where a user can change their secret. It issues a POST request to the insecure_direct_object_ref_1.php file to save the secret in the DB.

[Screenshot: Burpsuite intercept]

  • As per the source code and the intercepted request, it is sending the username along with the input secret; however, the username has been hardcoded as a hidden field in the page source. Changing the username causes the IDOR. I changed it to another user, A.I.M, in the system and was able to change that user's secret successfully.

[Screenshot: Page source code]

[Screenshot: Burpsuite intercept]

[Screenshot: IDOR confirmed]

  • Checking the changed secret in the DB.

root@568543f550ea:/var/www/html/logs# mysql -u root -p
mysql> show database();
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database()' at line 1
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| bWAPP              |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)

mysql> use bWAPP;   
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users;
+----+--------+------------------------------------------+--------------------------+-------------------------------------+-----------------+-----------+------------+-------+
| id | login  | password                                 | email                    | secret                              | activation_code | activated | reset_code | admin |
+----+--------+------------------------------------------+--------------------------+-------------------------------------+-----------------+-----------+------------+-------+
|  1 | A.I.M. | 6885858486f31043e5839c735d99457f045affd0 | bwapp-aim@mailinator.com | A.I.M. or Authentication Is Missing | NULL            |         1 | NULL       |     1 |
|  2 | bee    | 6885858486f31043e5839c735d99457f045affd0 | bwapp-bee@mailinator.com | Hello Friend                        | NULL            |         1 | NULL       |     1 |
+----+--------+------------------------------------------+--------------------------+-------------------------------------+-----------------+-----------+------------+-------+
2 rows in set (0.00 sec)

mysql> 

[Screenshot: Database dump]

Conclusion:


So, we finally completed all the security levels for the bWAPP Insecure DOR (Change Secret) vulnerability. We looked into the various ways the application has been set up in the different levels and how we can bypass the security controls implemented. IDOR attacks can be mitigated by implementing access control checks for each object that users are trying to access; web frameworks often provide ways to facilitate this. Along with that, avoid exposing identifiers in URLs and POST bodies if possible. Instead, determine the currently authenticated user from session information. On that note, I will take your leave and will meet you in the next one with another bWAPP vulnerability writeup, till then "Keep Hacking".
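To make the root cause and the fix concrete, here is an added example that is not part of bWAPP or of this writeup. It is a Python stand-in for the PHP handler behind insecure_direct_object_ref_1.php: an in-memory SQLite table mimics the users table from the dump above (only the id, login and secret columns), change_secret_insecure trusts the login value sent in the POST body exactly as the hidden form field does, and change_secret_secure takes the identity from the server-side session instead and only reports (rather than honours) a client-supplied login that disagrees with it. The function names, the session dict and the sample rows are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for bWAPP's users table (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, login, secret) VALUES (?, ?, ?)",
        [
            (1, "A.I.M.", "A.I.M. or Authentication Is Missing"),
            (2, "bee", "Hello Friend"),
        ],
    )
    conn.commit()
    return conn


def change_secret_insecure(conn, post, session):
    """Vulnerable pattern: the row to update is chosen by the 'login' field that
    arrived in the POST body (the hidden form field), so any authenticated user
    can overwrite any other user's secret by editing that field in transit.
    The session is ignored entirely. Returns the number of rows updated."""
    cur = conn.execute(
        "UPDATE users SET secret = ? WHERE login = ?",
        (post["secret"], post["login"]),
    )
    conn.commit()
    return cur.rowcount


def change_secret_secure(conn, post, session):
    """Hardened pattern: the identity comes from the server-side session, never
    from the request body. A client-supplied 'login' is not trusted; if it is
    present and differs from the session it is flagged as tampering so the
    event can be logged and alerted on. Returns {'updated': rows, 'tampered': bool}."""
    login = session.get("login")
    if login is None:
        raise PermissionError("not authenticated")
    # Detection hook: a mismatched hidden field is a strong IDOR-attempt indicator.
    tampered = "login" in post and post["login"] != login
    cur = conn.execute(
        "UPDATE users SET secret = ? WHERE login = ?",
        (post["secret"], login),
    )
    conn.commit()
    return {"updated": cur.rowcount, "tampered": tampered}


def get_secret(conn, login):
    """Same check the writeup does with 'select * from users', for one user."""
    row = conn.execute("SELECT secret FROM users WHERE login = ?", (login,)).fetchone()
    return row[0] if row else None


def demo():
    """Replay the writeup's scenario against both handlers: 'bee' is logged in
    but the POST body names 'A.I.M.'."""
    session = {"login": "bee"}
    tampered_post = {"login": "A.I.M.", "secret": "changed by someone else"}

    insecure = make_db()
    change_secret_insecure(insecure, tampered_post, session)

    secure = make_db()
    result = change_secret_secure(secure, tampered_post, session)

    return {
        "insecure_aim_secret": get_secret(insecure, "A.I.M."),
        "secure_aim_secret": get_secret(secure, "A.I.M."),
        "secure_bee_secret": get_secret(secure, "bee"),
        "tamper_flagged": result["tampered"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the insecure handler overwriting A.I.M.'s secret while the secure handler only touches bee's row and raises a tampering flag; the flag is the thing a defender would wire into application logging, since a hidden-field mismatch should never occur in legitimate traffic.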
