$$$$ IDOR’s — How to find IDORs in Ecommerce sites?

JunoonBro
4 min readFeb 17, 2023

--

Introduction:

In the world of ecommerce, it is crucial to have strong security measures in place to protect sensitive information and prevent fraudulent activity. However, one type of vulnerability that is often overlooked is Insecure Direct Object Reference (IDOR). IDOR vulnerabilities occur when an attacker is able to access or modify sensitive data by directly referencing an object without any authorization.

As ecommerce sites often handle large amounts of personal and financial information, it is important to recognize the potential for IDOR vulnerabilities and take steps to prevent them.

Areas in Ecommerce Websites Vulnerable to IDOR Attacks:

There are several areas in ecommerce websites that are particularly vulnerable to IDOR attacks. These include:

  • Order status: An attacker may be able to access or modify the status of orders that do not belong to them.
  • Order history: An attacker may be able to view or modify the order history of other users.
  • Account details: An attacker may be able to access or modify personal information such as email addresses or payment methods.
  • PDF download: An attacker may be able to download PDF files or order status of other users.

If you are aware of other areas, don’t forget to mention in the comment section :)

Description of areas in ecommerce websites that are prone to IDOR attacks:

In ecommerce websites, there are several areas that are particularly prone to IDOR attacks. These areas include:

  • URLs that include a reference to a user’s private data, such as order numbers or account IDs.
  • Pages that allow users to view or modify their own data, such as order status or account details.
  • Pages that generate dynamic content, such as PDF downloads.

If these areas are not properly secured, an attacker can use IDOR attacks to gain unauthorized access to sensitive data, modify order statuses, and more.

Explanation of how IDOR attacks can occur in these areas:

IDOR attacks occur when an attacker can directly reference a sensitive object without any authorization. In ecommerce websites, this can occur when a page or URL includes a reference to private data, but does not properly check the user’s authorization to access that data.

For example, a page that allows users to view their own order history may include a URL that looks like this:

https://example.com/account/orders/12345

If an attacker simply changes the order number in the URL to another user’s order number, they may be able to view that user’s order history without proper authorization.

My Recent Experience Testing Ecommerce Sites:

During my recent experience testing ecommerce sites, I discovered two IDOR vulnerabilities in an ecommerce website. These vulnerabilities allowed me to access other users’ order history and download PDF files and order status for other users.

These vulnerabilities were both related to improper authorization checks on URLs that included references to private data. By modifying these URLs, I was able to gain access to sensitive data that should have been protected.

Overview of recent experience testing ecommerce sites:

During my recent experience testing ecommerce sites, I had the opportunity to analyze the security of various ecommerce websites. While some websites had robust security measures in place, others had vulnerabilities that could be exploited by attackers.

Discovery of two IDOR vulnerabilities in an ecommerce site:

During my testing, I discovered two IDOR vulnerabilities in an ecommerce website. These vulnerabilities allowed me to access other users’ order history and download PDF files and order status for other users.

The vulnerabilities were related to improper authorization checks on URLs that included references to private data. By modifying these URLs, I was able to gain access to sensitive data that should have been protected.

IDOR Vulnerability in Account History Page:

One of the IDOR vulnerabilities I discovered was related to the account history page on the ecommerce website. This page allowed users to view their own order history by providing the order number in the HTTP request.

However, by changing the value of the “orderno” parameter in the HTTP request, an attacker could access the order history of other users. For example, an attacker could use the following HTTP request to access the order history of another user:

GET /account.php?history=y&orderno=10425128 HTTP/2

By exploiting this vulnerability, an attacker could potentially access sensitive information about other users, such as their order details and shipping address.

IDOR Vulnerability in PDF Download Feature:

The second IDOR vulnerability I discovered in the ecommerce website was related to the PDF download feature. The website allowed users to download a PDF file of their order details by accessing the URL https://example.com/pdf/<orderno>.pdf.

However, by changing the order number in the URL to another user’s order number, an attacker could download the PDF file for that user’s order. For example, an attacker could use the following URL to download the PDF file for another user’s order:

https://example.com/pdf/10425128.pdf

Conclusion:

In this article, we discussed IDOR (Insecure Direct Object Reference) vulnerabilities in ecommerce websites. These vulnerabilities can occur when an attacker can access and manipulate data without proper authorization checks. We identified two areas in ecommerce websites that are particularly vulnerable to IDOR attacks: account history pages and PDF download features.

Encouragement for ecommerce websites to take steps to prevent IDOR attacks:

Ecommerce websites should take steps to prevent IDOR attacks by implementing proper authorization checks and secure coding practices. This can include measures such as access controls, input validation, and output encoding. Regular security testing can also help identify vulnerabilities and ensure that websites remain secure over time. By taking these steps, ecommerce websites can reduce the risk of IDOR attacks and better protect their users’ sensitive information.

--

--

JunoonBro
JunoonBro

Written by JunoonBro

A Cyber Security Entrepreneur & Researcher with a knack to stumble upon blunders with a proven history of working in the software industry