+1 (512) 588 6950
Step-by-step guide for uncovering Broken Access Control and Indirect Object Reference vulnerabilities for bug bounty hunters and pentesters.
As bug bounty hunters and pentesters, one of the most rewarding vulnerabilities to uncover are Broken Access Control (BAC) and Insecure Direct Object Reference (IDOR). In this article, we’ll discuss what BAC and IDOR vulnerabilities are, basic testing methodology, IDOR with UUID, Blind IDOR, and automating with the Auth Analyzer Burp Extension.
Broken access control (BAC) is a type of vulnerability where users can access or perform actions they should not have permission to access due to lack of proper validation or authentication checks.
/adminis not visible on the front end.
Indirect Object Reference (IDOR) is a type of BAC vulnerability caused by using user-supplied input as a direct reference to an object without proper validation.
/accountpage with parameter
id=102, accessing User B’s account information.
Blind IDORs are harder to notice, but very rewarding. A blind IDOR is a specific flavor of IDOR that isn’t obvious in the HTTP response, but is leaked in notification emails, SMS text messages, or exported files.
Example Blind IDOR:
userIDin any request.
200status code, but no other information.
When looking for IDORs, not only are numeric IDs susceptible, but in some cases Universal Unique Identifiers (UUIDs). A UUID is a cryptographically generated identifier, used in a similar way to IDs, but less vulnerable to enumeration. That said, there is a way to find vulnerabilities.
The Auth Analyzer Burp Extension is my personal favorite way to automate the process of finding BAC and IDOR vulnerabilities.
How to use Auth Analyzer:
1. Copy session cookies and authorization headers from different users and paste them into Auth Analyzer.
2. Click the
Start Analyzer button.
3. Do things in the browser using the session of your highest privilege user.
4. Look at the Auth Analyzer matrix and see if any requests have the
5. Now try it manually in repeater to validate.
6. If User A can do something that only User B should be able to do, 💥 vulnerability.
Analyzing Auth Analyzer Output
There will be a lot of noise, so the hardest part to figure out is which results are real vulnerabilities and which ones to ignore.
Here’s a handy table with the different vulnerability types:
Broken authentication is when a completely unauthenticated user can access something. This is even worse than BAC and IDOR because no user account is needed to exploit it.
Bug bounty hunters and pentesters, there is a whole world of BAC and IDOR out there because they’re so easy to cause accidentally, but most find it difficult to test. With the techniques and tools mentioned here, you can discover vulnerabilities before anyone else.