Prerequisite Knowledge:
Access control is the restriction of who or what is authorized to perform an action or access a specific resource.
An access control vulnerability is a security flaw that allows unauthorized users to access, modify, or delete data they are not permitted to interact with.
Common types of access control:
- Discretionary Access Control (DAC): Access is controlled based on an Access Control List (ACL). The owner of the resource has full discretion to determine who can access it and what actions (Read, Write, Execute) they can perform.
- Mandatory Access Control (MAC): Each user is assigned a clearance level, and each resource is assigned a corresponding security label. Users can only access the resource if their clearance level is equal to or higher than the resource’s label. Unlike DAC, users cannot decide how to share resources; a central system enforces access rules based on “Security Labels”.
- Role-Based Access Control (RBAC): Access rights are assigned to Roles rather than to individual users; this is the standard model in modern enterprises. If an employee changes departments, the system simply revokes their old role and assigns a new one, and all access rights change accordingly.
- Attribute-Based Access Control (ABAC): The system evaluates the attributes of the User (e.g., department, job title), the Resource (e.g., data type, sensitivity level), and the Environment (e.g., time of access, geographical location, IP address).
In a Database Management System (DBMS), Access Control models propagate from the highest structural level (Instance/Database) down to the smallest elements (Table, Column, Row).
DAC: Implemented via Data Control Language (DCL) commands. The creator of a table is the default owner and has the right to grant permissions to others.
- Propagation method: Uses `GRANT` or `REVOKE` commands.
- Impact on data:
  - High flexibility but with fragmentation risks: Data can be easily shared among workgroups. However, if a user accidentally issues a `GRANT ALL` to a public account, the entire data table could be exposed.
  - Vulnerability impact: If a web application suffers from SQL Injection and connects to the database using an account with excessive DAC privileges (e.g., a root account), an attacker can easily dump the entire system’s data rather than being restricted to a single user’s table.
MAC: Often implemented in databases as Row-Level Security (RLS) or through integrated security labels (like Oracle Label Security).
- Propagation method: Each row in the database is appended with a hidden column containing a “Security Label”. The management system automatically checks this label against the user’s Clearance level.
- Impact on data:
  - Absolute integrity: Even if a Database Administrator (DBA) runs a `SELECT * FROM Projects` query, the DBMS will automatically filter and only return data with security labels lower than or equal to the DBA’s label.
  - Data leakage prevention: Completely prevents sensitive data from leaking outside the secure zone, although this comes with a significant CPU overhead when querying tables with millions of rows.
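An added example (not from the page's source) that emulates the MAC row-level-security behaviour described above in SQLite: reads go through a view that compares each row's hidden label with the clearance bound to the session, so a plain `SELECT *` returns only rows at or below the caller's clearance. The label lattice, table and sample rows are constructed.

```python
import sqlite3

# Constructed clearance/label lattice (assumption: a simple total order).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# Constructed sample rows; the second element becomes the hidden security label.
SAMPLE_PROJECTS = [
    ("Website redesign", "PUBLIC"),
    ("Q3 budget", "INTERNAL"),
    ("Merger due diligence", "CONFIDENTIAL"),
    ("Red-team findings", "SECRET"),
]


def make_db():
    """Build an in-memory DB in which the base table is never read directly:
    every read goes through a view that joins the session's clearance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, "
                 "security_label INTEGER NOT NULL)")
    conn.execute("CREATE TABLE session_ctx (clearance INTEGER NOT NULL)")
    conn.execute("INSERT INTO session_ctx VALUES (?)", (LEVELS["PUBLIC"],))  # default: lowest
    conn.executemany(
        "INSERT INTO projects (name, security_label) VALUES (?, ?)",
        [(name, LEVELS[label]) for name, label in SAMPLE_PROJECTS],
    )
    # The view is the enforcement point: the label predicate is applied to every query,
    # the way an RLS policy in a real DBMS is appended regardless of the caller's SQL.
    conn.execute(
        "CREATE VIEW projects_rls AS SELECT p.id, p.name FROM projects p, session_ctx s "
        "WHERE p.security_label <= s.clearance"
    )
    return conn


def set_clearance(conn, level):
    """Bind the caller's clearance to the session (a real DBMS takes it from the principal)."""
    conn.execute("UPDATE session_ctx SET clearance = ?", (LEVELS[level],))


def select_all(conn):
    """A plain SELECT * against the protected view; filtering is done by the DBMS layer."""
    return [row[1] for row in conn.execute("SELECT * FROM projects_rls ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    for level in ("PUBLIC", "CONFIDENTIAL", "SECRET"):
        set_clearance(db, level)
        print(level, "->", select_all(db))
```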
RBAC: The standard model in modern DBMS environments.
- Propagation method: Administrators create Roles such as `db_datareader`, `db_owner`, or `db_datawriter` to assign Users to.
- Impact on data:
  - Data lifecycle management: Helps organizations easily grant permissions in bulk. When an engineer switches projects, the system only needs to change their Role, immediately cutting off Read/Write access to the associated databases and protecting data from former users.
  - Exploitation perspective: If the system does not strictly enforce Role separation, an attacker who compromises a low-level Role account (like ReadOnly) could attempt to exploit Stored Procedures running with higher Role privileges to gain control of the entire Database.
ABAC: Controls access rights based on metadata and current state, and reaches its full potential when the Database is hosted on Cloud infrastructure.
- Propagation method: Access policies written in JSON or XML evaluate access requests in real time before the data stream reaches the Database.
- Impact on data:
  - Contextual data protection: Secures data against attacks originating outside the internal network, prevents data dumping outside of working hours, or automatically blocks access to Clusters if the accessing device fails a security health check.
Questions & Answers
- What is an Insecure Direct Object Reference (IDOR), and how does it present a security risk in web applications?
  - Insecure Direct Object Reference (IDOR) is a vulnerability that allows users to directly access an object by supplying a value to a parameter.
  - IDOR allows a standard user to access sensitive data.
- How can attackers exploit IDOR vulnerabilities in a website, and what are some common techniques used in such attacks?
  - Attackers can exploit the vulnerability by directly supplying values into query parameters.
  - Common techniques used in these attacks include:
    - URL Tampering: The attacker modifies query parameters in the URL to access another user’s sensitive data.
    - Form Manipulation: The attacker alters hidden parameters within a form to gain unauthorized access to data.
    - Body Data Manipulation: The attacker intercepts packets to tamper with the transmitted data and change the object ID.
    - Brute-force ID: The attacker utilizes automated tools to scan IDs.
    - Header/Cookie Manipulation: The attacker modifies reference values passed via HTTP Headers (e.g., `X-User-ID`) or inside Cookies to hijack a session or extract data from another object.
    - HTTP Method Tampering: The attacker attempts to change the request method. The system might block IDOR for `GET` requests but forget to block it for `POST` requests.
    - Parameter/Array Injection: Bypassing authentication filters by passing multiple parameters with the same name or changing the data type to an array to deceive the application’s verification logic.
- What types of functionality or data in a website can be affected as a result of an IDOR vulnerability being exploited?
  - Affected functionalities:
    - Account management.
    - Data modification.
    - Data/account deletion.
    - Authorization management.
  - Affected data:
    - Personally Identifiable Information (PII).
    - Financial and transactional data.
    - Private and confidential data.
Insecure Direct Object References
- Access the lab’s homepage: `https://[LAB-ID].web-security-academy.net/`. To solve the lab, we need to find the password for the `carlos` account and then log in to the account.
- Try using the `Live chat` feature and observe the request packets in Burp Suite.
- Try clicking on the `View transcript` feature and observe the website’s behavior in Burp Suite.
- By observing the packets, we can notice that after clicking the `View transcript` button, the website triggers a `302` redirect to `/download-transcript/2.txt`.
- A `GET` request to `/download-transcript/2.txt` will return a response containing the current chat content. We can observe that each time `View transcript` is clicked, the website returns a txt file with a sequentially increasing name (2, 3, 4, …). Therefore, what we need to retrieve is the `1.txt` file, as it is highly likely that Carlos’s password is in there.
- Try accessing the `/download-transcript/1.txt` path to see what happens.
- By reading the chat content, we can easily retrieve the password `468mvitb1ekls7prnu0c`. That could be Carlos’s password. We will use the credentials `carlos:468mvitb1ekls7prnu0c` to log in.
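An added example (not the lab's or PortSwigger's code) modelling the transcript download route from the walkthrough and the Q&A above in Python: the vulnerable handler trusts the sequential ID from the path, the hardened handler resolves the object and then checks ownership against the server-side session identity, and a small access-log scan flags a session walking the ID space (the "Brute-force ID" technique). The transcript store, usernames, transcript text and log format are constructed.

```python
import re
from collections import defaultdict

# Constructed transcript store, keyed by the sequential ID the lab exposes in
# /download-transcript/<n>.txt. The text is a placeholder, not the lab's content.
TRANSCRIPTS = {
    1: {"owner": "carlos", "text": "(constructed) carlos: my password is EXAMPLE-PLACEHOLDER"},
    2: {"owner": "wiener", "text": "(constructed) wiener: hi, is the shop open today?"},
}


class Forbidden(Exception):
    """Raised when the requester may not read the requested transcript."""


def download_transcript_vulnerable(session_user, transcript_id):
    """The lab's IDOR: the path ID is trusted, so any logged-in user reads any transcript."""
    return TRANSCRIPTS[transcript_id]["text"]


def download_transcript_secure(session_user, transcript_id):
    """Fix: resolve the object, then authorise against the authenticated session user.
    'Missing' and 'not yours' share one response so the ID space cannot be enumerated."""
    record = TRANSCRIPTS.get(transcript_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("transcript not available")
    return record["text"]


# Constructed log format: "user=<name> \"GET /download-transcript/<n>.txt ...\" <status>".
LOG_RE = re.compile(r'user=(?P<user>\S+) .*?"GET /download-transcript/(?P<id>\d+)\.txt')


def flag_enumeration(log_lines, max_distinct_ids=3):
    """Detection: a user fetching more distinct transcript IDs than they could own is probing."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m["user"]].add(int(m["id"]))
    return sorted(user for user, ids in seen.items() if len(ids) > max_distinct_ids)


# Constructed access-log sample: wiener walks the ID space, carlos fetches only his own file.
SAMPLE_LOG = [
    'user=wiener "GET /download-transcript/2.txt HTTP/1.1" 200',
    'user=wiener "GET /download-transcript/1.txt HTTP/1.1" 200',
    'user=wiener "GET /download-transcript/3.txt HTTP/1.1" 404',
    'user=wiener "GET /download-transcript/4.txt HTTP/1.1" 404',
    'user=carlos "GET /download-transcript/1.txt HTTP/1.1" 200',
]
```

The detection threshold is a constructed example value; in practice it should be tuned to how many transcripts one session legitimately creates.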