IDOR / PrivEsc

Basically you need to try and view things which you should not be able to see, such as other people's order invoices, account details or messages.

There are loads of different ways to test for this, but really all you are looking for is static numbers in requests, such as uid, invoiceNumber, OrderNumber etc.

Windows - URL based - Open all URLs in Firefox

Walk the application as a high-privileged user and collect all of the URLs generated while browsing. Marking them with colours can help identify the admin pages.

Create a .bat file and paste all of the URLs into it.

Perform a find and replace on the start of each URL so that every line becomes the Firefox executable followed by the URL:

"C:\Program Files\Mozilla Firefox\firefox.exe" <URL>

Log in as a low-priv user in Firefox, run the bat file while Burp intercept is off, and review the pages you have access to.

Some of the requests may log you out, so delete those from the list until all of them open without breaking your session.

It's not the best way to test for this, but sometimes visually inspecting the pages is easier.
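As an added example (not from these notes), here is a small Python helper that builds that bat file from a collected URL list. The Firefox path is the one given above; the session-breaker fragment list and the sample URLs are constructed assumptions, and the script only writes the file, it does not open anything.

```python
from urllib.parse import urlsplit

# Path exactly as the notes give it
FIREFOX = r'"C:\Program Files\Mozilla Firefox\firefox.exe"'

# Assumption: path fragments that usually end the session, so their URLs are
# dropped before the run instead of after they have broken it (edit per target)
SESSION_BREAKERS = ("logout", "signout", "log-out", "sign-out")


def bat_escape(url: str) -> str:
    """A bat file reads % as variable expansion, so a literal % must be doubled."""
    return url.replace("%", "%%")


def build_bat(urls, skip=SESSION_BREAKERS) -> str:
    """Turn the collected URL list into the .bat file described above.

    Duplicates are dropped (first occurrence kept), non-http(s) entries are
    ignored, and each surviving URL is quoted so that '&' in a query string is
    not treated as a command separator by cmd.exe.
    """
    seen = set()
    lines = ["@echo off"]
    for raw in urls:
        url = raw.strip()
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or url in seen:
            continue
        if any(frag in parts.path.lower() for frag in skip):
            continue
        seen.add(url)
        lines.append(f'{FIREFOX} "{bat_escape(url)}"')
    return "\r\n".join(lines) + "\r\n"  # CRLF line endings for cmd.exe


# Constructed sample of URLs collected during a high-priv browsing session
SAMPLE_URLS = [
    "https://app.example/admin/users?id=7&tab=orders",
    "https://app.example/admin/users?id=7&tab=orders",  # duplicate
    "https://app.example/invoice/1001",
    "https://app.example/logout",                       # would kill the session
    "https://app.example/report?q=100%25",              # literal % must survive
    "javascript:void(0)",                               # not a URL to open
]

if __name__ == "__main__":
    print(build_bat(SAMPLE_URLS), end="")
```

Paste the printed lines into a .bat file; because Firefox is already running with the low-priv session, each line hands its URL to the existing window as a new tab.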

Autorize - Burpsuite Plugin

Follow these steps:

  1. Login to the target application as a low privileged user

  2. Go to the Autorize tab in Burp (Autorize should be off)

  3. Click Configuration

  4. Click Fetch cookies from last request (low priv cookies)

  5. Open an incognito window

  6. Login as a high privileged user

  7. Click "Autorize is off" to turn it on

  8. Go to areas of the site that are admin/high priv only. Look for orange/green in the columns.

There are 3 enforcement statuses:

  • Bypassed! - Red color

  • Enforced! - Green color

  • Is enforced??? (please configure enforcement detector) - Yellow color

The first 2 statuses are clear, so I won’t elaborate on them.

The 3rd status means that Autorize cannot determine if authorization is enforced or not, and so Autorize will ask you to configure a filter in the enforcement detector tabs. There are two different enforcement detector tabs, one for the detection of the enforcement of low-privileged requests and one for the detection of the enforcement of unauthenticated requests.

The enforcement detector filters allow Autorize to detect authentication and authorization enforcement in the server's response, by content length or by a string (literal string or regex) in the message body, the headers or the full request.

For example, if a request's enforcement status is detected as "Authorization enforced??? (please configure enforcement detector)", you can inspect the modified/original/unauthenticated responses and find that the modified response body contains the string "You are not authorized to perform action". Add a filter with that string as the fingerprint value; Autorize will then look for this fingerprint and automatically detect that authorization is enforced. The same can be done by defining a content-length filter or a fingerprint in the headers.
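As an added example, not from these notes or from the Autorize project, the following Python models the enforcement-detector logic described above: each replayed response is compared with the original and checked against fingerprint filters (body string, header regex, content length). The bypass rule used here (same status code and same content length as the original) is a simplification assumed for the example, and all responses are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# Status strings as Autorize labels them
BYPASSED = "Bypassed!"
ENFORCED = "Enforced!"
UNDECIDED = "Is enforced??? (please configure enforcement detector)"


@dataclass
class Response:
    """A captured HTTP response (constructed sample data, not real traffic)."""
    status: int
    headers: dict
    body: str

    @property
    def content_length(self) -> int:
        return len(self.body.encode("utf-8"))

    def header_text(self) -> str:
        return "\n".join(f"{k}: {v}" for k, v in self.headers.items())


@dataclass
class Fingerprint:
    """One enforcement-detector filter: where to look and what to look for."""
    scope: str                          # "body", "headers" or "length"
    value: Union[str, re.Pattern, int]  # literal string, compiled regex, or byte length

    def matches(self, resp: Response) -> bool:
        if self.scope == "length":
            return resp.content_length == self.value
        haystack = resp.body if self.scope == "body" else resp.header_text()
        if isinstance(self.value, re.Pattern):
            return self.value.search(haystack) is not None
        return self.value in haystack


def classify(original: Response, replayed: Response, filters: List[Fingerprint]) -> str:
    """Decide the enforcement status for one replayed request.

    Assumed rule: a replay with the same status code and content length as the
    original is reported as a bypass; otherwise the filters decide whether
    enforcement is confirmed, and with no matching filter the status is undecided.
    """
    if (original.status, original.content_length) == (replayed.status, replayed.content_length):
        return BYPASSED
    if any(f.matches(replayed) for f in filters):
        return ENFORCED
    return UNDECIDED


def triage(original, low_priv, unauth, low_filters, unauth_filters):
    """The two columns Autorize shows: low-priv status and unauthenticated status."""
    return classify(original, low_priv, low_filters), classify(original, unauth, unauth_filters)


# Constructed sample responses for one admin-only request
ORIGINAL = Response(200, {"Content-Type": "application/json"}, '{"invoice": 1001, "total": 42.5}')
DENIED = Response(403, {"Content-Type": "text/html"}, "<p>You are not authorized to perform action</p>")
LEAKED = Response(200, {"Content-Type": "application/json"}, '{"invoice": 1001, "total": 42.5}')
TO_LOGIN = Response(302, {"Location": "/login"}, "")

# Filters as the text describes them: the body fingerprint for low-priv replays,
# and a header fingerprint for unauthenticated replays that get bounced to /login
LOW_PRIV_FILTERS = [Fingerprint("body", "You are not authorized to perform action")]
UNAUTH_FILTERS = [Fingerprint("headers", re.compile(r"^Location: /login", re.M))]

if __name__ == "__main__":
    for name, resp in [("denied", DENIED), ("leaked", LEAKED), ("to_login", TO_LOGIN)]:
        print(f"{name:9} low-priv -> {classify(ORIGINAL, resp, LOW_PRIV_FILTERS)}")
    print("unauth    ->", classify(ORIGINAL, TO_LOGIN, UNAUTH_FILTERS))
    print("triage    ->", triage(ORIGINAL, DENIED, TO_LOGIN, LOW_PRIV_FILTERS, UNAUTH_FILTERS))
```

The redirect case shows why the third status exists: without a filter, a 302 to /login differs from the original but matches no fingerprint, so it stays undecided until a header filter is added.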

For more info, check the Autorize readme.