ZTH: Continued

Introduction

These vulns won't get you RCE or LFI, but they will let you access sensitive information that a client would want to keep protected.


Insecure Direct Object Reference (IDOR)

IDOR is the act of exploiting a flaw in the way user input is handled (an identifier supplied by the user is used to look up a resource without checking that the user is allowed to see it) to access resources you wouldn't ordinarily be able to access.

For example, let's say we're logging into our bank account, and after correctly authenticating ourselves we get taken to a URL like this: https://example.com/bank?account_number=1234. On that page we can see all our important bank details, and a user would do whatever they needed to do and move along their way thinking nothing is wrong.

There is, however, a potentially huge problem here: a hacker may be able to change the account_number parameter to something else, like 1235, and if the site is incorrectly configured he would then have access to someone else's bank information.


Forced Browsing

Forced browsing is the art of using logic to find resources on the website that you would not normally be able to access. For example, let's say we have a note-taking site that is structured like this: http://example.com/user1/note.txt. It stands to reason that if we requested http://example.com/user2/note.txt we may be able to access user2's note.

Taking this a step further, if we ran wfuzz on that URL we could enumerate users we don't know about, as well as get their notes. This is quite devastating, because we can then run further attacks on the users we find, for example brute-forcing the password of each user to see if it is weak.

Automatic Exploitation

A tool such as wfuzz or dirsearch can find resources that normal users wouldn't be able to find. wfuzz will be the better tool in most cases, as it gives you better control over the path, so we'll go over basic wfuzz usage and use it to exploit our example site. wfuzz can be installed with pip3 install wfuzz.
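The fix for both the account_number example and the /user2/note.txt enumeration above is the same: bind every object lookup to the authenticated user. The following is an added example, not code from the original page; the account data, session table and handler names are constructed for illustration.

```python
# Added example (not from the original page): the ?account_number= lookup as a
# plain function, first with the IDOR, then with an ownership check.
# ACCOUNTS and SESSIONS are constructed sample data standing in for a database.

ACCOUNTS = {
    1234: {"owner": "alice", "balance": 1500},
    1235: {"owner": "bob", "balance": 42},
}

# session cookie value -> authenticated username
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_id, account_number):
    """Authenticates the session but trusts the account_number parameter,
    so any logged-in user can read any account (IDOR). It also returns
    None for unknown numbers, which tells a fuzzer which accounts exist."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS.get(account_number)


def get_account_fixed(session_id, account_number):
    """Same lookup, but the object is only returned if it belongs to the user
    bound to the session. 'Missing' and 'not yours' produce the same error,
    so enumerating account numbers no longer reveals which ones exist."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(account_number)
    if account is None or account["owner"] != user:
        raise Forbidden("no such account")
    return account


def respond(handler, session_id, account_number):
    """HTTP-style wrapper returning (status, body) so both handlers can be
    compared on the same request."""
    try:
        body = handler(session_id, account_number)
    except Forbidden:
        return 403, None
    return (200, body) if body is not None else (404, None)


if __name__ == "__main__":
    # alice tampers with the parameter to read bob's account
    print(respond(get_account_vulnerable, "sess-alice", 1235))  # leaks bob's data
    print(respond(get_account_fixed, "sess-alice", 1235))       # (403, None)
```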


API Bypassing

APIs are by definition incredibly versatile, and finding out how to exploit them requires a lot of research and effort by the hacker. The following situation is only one possible scenario out of a near-infinite number.

  1. We start off with a basic login.

  2. Logging in gives us an admin panel.

  3. It seems we can run system commands here, so let's try running id.

  4. If we had found the api.php page with dirsearch, and the cmd parameter by fuzzing, we would never have needed to use the login panel.
