PimpMyBurp #1 – PwnFox + Autorize: The perfect combo to find IDOR


A guest post by @adrien_jeanneau

Insecure Direct Object Reference (IDOR) vulnerabilities are still in the OWASP Top 10 in 2021, and there’s a good reason for that: they are common in web applications, especially in APIs. How do we find these vulnerabilities? How can you optimize your IDOR discovery time? How can you go further? Let’s see together!

First step, let me introduce you to PwnFox

Have you already heard of PwnFox? This free plugin for Firefox & Burp Suite has been developed by our tech ambassador @Bitk.

PwnFox uses Firefox’s container feature to hold multiple unique sessions in the same browser window.
(TL;DR: no more need to have 3 Firefox instances opened in private browsing mode)

For an optimal use of PwnFox, you’ll need two things:

  • The PwnFox Firefox extension: to proxy your web browser through Burp Suite and give you up to 8 different containers
  • The Burp plugin: to highlight your requests in Burp, and allow you to easily match them with your different container sessions by color (in HTTP history, for example)

On the Firefox side, once the plugin is installed, you can open a new tab and each tab will be colored to easily recognize your different hunting perimeter segments.


On Burp Suite, once the extension is installed (from the GitHub project), you will automatically be able to match your different requests on the “HTTP history” tab. Requests are grouped and highlighted using the same color as the corresponding container tabs in Firefox.

[Figure: PwnFox extension in Burp Suite, used with Firefox containers to highlight the requests of each container]

From that point, you may already see this plugin’s goal and how it can be used to find IDOR and Improper Access Control vulnerabilities.

On your target, open two or more PwnFox tabs with a different user and role in each container. For example, one with the “admin” role and two with a “member” role. Now carefully explore your target web app, try to enumerate the API endpoints you can discover for each role, and every method available: PATCH, GET, POST, PUT, DELETE…
Every request you make will be highlighted and colored in your [HTTP history] Burp tab.

If you want to test for IDOR vulnerabilities, you can select a line (e.g. green for the “admin” role) and send it to Burp’s Repeater. Then select another line (e.g. red for the “member” role) and send it to the Repeater as well.
Now you can try to combine the admin request with the member’s authentication cookies and see what happens! Maybe luck will be with you!

Next step, install and discover Autorize

Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert. Autorize was designed to help security testers to perform automatic authorization testing.

To install Autorize, open Burp Suite and go to the Extender > BApp Store tab, select Autorize in the list of extensions and click on Install.

Once the plugin is installed, you should see a new tab in Burp Suite, called “Autorize”.

The Autorize interface is split into two parts:

  • Left part: All requests which have been tested by Autorize will be displayed in this part;
  • Right part: The global configuration of the plugin (headers for cookie, filters, table, enforcement…) and also the request & response viewer;

How to use it?

First, to avoid being polluted by resources or URLs that are not inside your scope, we recommend starting by adding a new interception filter. Go to Interception Filters, select “Scope items only: (Content is not required)” and click on Add filter (be sure to have a scope set in Target > Scope).

Once this is done, open your web browser and create two accounts on your target scope ([attacker] and [victim]). Log in to your [attacker] account and, in the Intercept or Proxy tab, copy the cookie of your [attacker] session (this may also be a header string such as a JWT token) and paste the value into the configuration inside the Autorize tab.

You’re now ready to test for IDORs from your [victim] account. In Autorize, click on “Autorize is off” to start. Autorize can do many things for you, but you also need to work for it 🙂

From your current [victim] account session, try as many things as you can on your target: add new data, tamper with your data, delete it, test all the features. The goal here is to accumulate the maximum number of queries inside the Autorize tab.

What’s going on? It’s like a Christmas tree

To clearly identify potential IDORs, Autorize uses color highlighting in the Authz Status and Unauth Status columns:

  • Red “bypassed!”: the endpoint could be vulnerable to IDOR;
  • Orange “Is enforced!”: the endpoint seems to be protected, but check it anyway;
  • Green “Enforced!”: the endpoint is clearly protected against IDOR.

Be careful: Autorize displaying many requests highlighted in red does not mean that all of those endpoints are vulnerable. There may be false positives, and it’s up to you to double-check the output.

Now compare the response sizes for each query. If they are the same, go deeper:

  • Orig. Len: the size of the response from our original session (our [victim] account)
  • Modif. Len: the size of the response to the same request, automatically replayed by Autorize using the [attacker] cookies
  • Unauth. Len: the size of the response to the same request as our victim account, but without session cookies (to test if the endpoint is vulnerable to Improper Access Control)

Click on the interesting request and check the Request/Response Viewers tab (right):

Modified Response corresponds to the server response to our [victim] request, but with our [attacker] cookies. As we can see, a lot of information is displayed and an IDOR vulnerability seems to exist.

Original Response corresponds to the server response to our original [victim] request. It’s useful for comparing the responses between our two accounts and for detecting false positives.

Unauthenticated Response is the server response to the request, but without any auth cookie.
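
The double-check described above can be scripted once the three responses for a request are in hand. The following is an added example, not Autorize's code and not part of the original post; the `Resp` type, the `victim_markers` input, the labels and the sample endpoints are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Resp:
    status: int
    body: str

def triage(orig, modif, unauth, victim_markers):
    """Classify one request replayed the way the Autorize columns describe.

    orig: [victim] session; modif: same request with [attacker] cookies;
    unauth: same request with no session cookie.
    victim_markers: strings only the victim should see (assumed input).
    """
    def same(a, b):
        return a.status == b.status and len(a.body) == len(b.body)

    def leaks(r):
        return 200 <= r.status < 300 and any(m in r.body for m in victim_markers)

    if leaks(unauth):
        return "improper-access-control"  # victim data with no session at all
    if leaks(modif):
        return "likely-idor"              # victim data served to the other account
    if same(orig, modif) and same(orig, unauth):
        return "public-or-static"         # identical for everyone: probable false positive
    if same(orig, modif):
        return "review"                   # equal length only: diff the bodies by hand
    return "enforced"

# Constructed sample results (not captured from a real target).
V = '{"id":7,"email":"victim@example.test"}'
DENY = Resp(401, '{"error":"unauthorized"}')
SAMPLES = {
    "GET /api/invoices/7": (Resp(200, V), Resp(200, V), DENY),
    "GET /api/export/7": (Resp(200, V), Resp(200, V), Resp(200, V)),
    "GET /static/app.css": (Resp(200, "body{}"),) * 3,
    "GET /api/me": (Resp(200, V), Resp(200, '{"id":9,"email":"attack@example.test"}'), DENY),
    "GET /api/profile/7": (Resp(200, V), Resp(403, '{"error":"forbidden"}'), DENY),
}

def run_samples():
    return {k: triage(*v, victim_markers=["victim@example.test"]) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for endpoint, label in run_samples().items():
        print(f"{endpoint:24} {label}")
```

The `/api/me` sample shows why equal lengths alone are not proof: both accounts get a 200 of the same size, but each sees only its own data.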

By using these two plugins, you should have a better chance of finding IDOR and Improper Access Control vulnerabilities. Moreover, it allows you to automate some queries and focus on the interesting ones.

We hope you liked this article. Feel free to share your best Burp plugins with us, and see you soon for PimpMyBurp #2.