Scribd Logo
Upload

Welcome to Scribd!

  • Vimeo IDOR

    Uploaded by

    Arrch Silverberg
    30 views4 pages
    This document describes an insecure direct object reference (IDOR) vulnerability discovered by Toufik Airane on the video sharing website Vimeo.com. It provides details on the timeline of discovery and disclosure to Vimeo, as well as an overview of how IDOR vulnerabilities work. It then demonstrates a proof of concept by retrieving a user ID from Vimeo's public API and showing how an attacker could potentially reset any user's password by manipulating the direct object reference in the password reset URL.

    Original Description:

    akoskdlaksldkasldkalsdklaksdlaksdl JUST UPLOADING FOR FREE ACCSESS

    Original Title

    Vimeo.IDOR

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document describes an insecure direct object reference (IDOR) vulnerability discovered by Toufik Airane on the video sharing website Vimeo.com. It provides details on the timeline of discovery and disclosure to Vimeo, as well as an overview of how IDOR vulnerabilities work. It then demonstrates a proof of concept by retrieving a user ID from Vimeo's public API and showing how an attacker could potentially reset any user's password by manipulating the direct object reference in the password reset URL.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    30 views4 pages

    Vimeo IDOR

    Uploaded by

    Arrch Silverberg
    This document describes an insecure direct object reference (IDOR) vulnerability discovered by Toufik Airane on the video sharing website Vimeo.com. It provides details on the timeline of discovery and disclosure to Vimeo, as well as an overview of how IDOR vulnerabilities work. It then demonstrates a proof of concept by retrieving a user ID from Vimeo's public API and showing how an attacker could potentially reset any user's password by manipulating the direct object reference in the password reset URL.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    Vimeo.

    com
    Insecure Direct Object References
    Reset Password
    Toufik Airane
    @tfairane
    toufik.airane@gmail.com
    www.tfairane.com
    LATEX
    January 5, 2015

    Contents
    1 Introduction
    1.1 Metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    1.2 Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    1.3 Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    2
    2
    2
    2

    2 Proof Of Concept : IDOR

    3 IDOR Defense Cheat Sheet

    4 Prepare the feat


    4.1 retrieve UserID . . . . . . . . . . . . . . . . . . . . . . . . . . . .

    3
    3

    5 Scenario / Exploit

    Introduction

    Hi, my name is Toufik Airane, student in IT security from University of Paris


    Descartes.

    1.1

    Metadata

    vulnerability : Insecure Direct Object References (IDOR)


    affect : reset password of any account with userid
    media : http://tfairane.com/archives/Vimeo.IDOR.mp4
    tools : Burp Suite

    1.2

    Timeline

    30/12/2014 : discovered date (Happy new year !)


    05/01/2015 : responsible disclosure on hackerone.com

    1.3

    Contact

    Gmail : toufik.airane@gmail.com
    Twitter : @tfairane
    website : www.tfairane.com
    Thanks to Vimeo.com staff.

    Proof Of Concept : IDOR

    Foremost, what is IDOR attack ?


    A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory,
    database record, or key, as a URL or form parameter. An attacker
    can manipulate direct object references to access other objects without authorization, unless an access control check is in place.
    https://www.owasp.org/index.php/Top 10 2007Insecure Direct Object Reference

    IDOR Defense Cheat Sheet


    Avoid exposing your private object references to users whenever possible,
    such as primary keys or filenames.
    Validate any private object references extensively with an accept known
    good approach
    Verify authorization to all referenced objects

    https://www.owasp.org/index.php/Top 10 2007Insecure Direct Object Reference

    4
    4.1

    Prepare the feat


    retrieve UserID

    Sometimes, users can customize their url path as : http://vimeo.com/kerrytrainor


    So, retrieve UserID is easy, just call Vimeo.com API.
    http://vimeo.com/api/v2/kerrytrainor/info.xml
    <u s e r s >
    <u s e r >
    <id >10272636</ id>
    <d i s p l a y n a m e >Kerry Trainor </d i s p l a y n a m e >
    <c r e a t e d o n >20120202 14:12:45 </ c r e a t e d o n >
    < i s s t a f f >1</ i s s t a f f >
    ...
    </u s e r >
    </u s e r s >
    Finally. vimeo.com/user10272636

    Scenario / Exploit

    First, an attacker signup for an account and request forgot password.

    You will receive a link :


    https://vimeo.com/forgot\ password/[user id]/[token]

    You might also like