Welcome
- LetsDefend is a Blue Team Training platform.
- This writeup documents a SOC alert investigation involving an insecure direct object reference (IDOR).
Alert Details

| Key | Value |
|---|---|
| EventID | 119 |
| Event Time | Feb 28, 2022, 10:48 PM |
| Rule | SOC169 - Possible IDOR Attack Detected |
| Level | Security Analyst |
| Hostname | WebServer1005 |
| Destination IP Address | 172.16.17.15 |
| Source IP Address | 134.209.118.137 |
| HTTP Request Method | POST |
| Requested URL | https://172.16.17.15/get_user_info/ |
| User-Agent | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) |
| Alert Trigger Reason | consecutive requests to the same page |
| Device Action | Allowed |
Initial Triage
Actions
- Copied alert details to notes
- Created case
- Began analysis
Thoughts
“Hmm, gotta check the SIEM logs first. I want to see the details of the HTTP requests.”
Analysis
Log Analysis
(Simplifying for writeup brevity)
Firewall record for the connection:

| Key | Value |
|---|---|
| type | Firewall |
| source_address | 134.209.118.137 |
| destination_address | 172.16.17.15 |
| destination_port | 443 |
| Request URL | https://172.16.17.15/get_user_info/ |
| Request Method | POST |
| Device Action | Permitted |

Five consecutive POST requests to the same URL, each with a different user_id value:

| POST Parameters | HTTP Response Status | HTTP Response Size |
|---|---|---|
| ?user_id=1 | 200 | 188 |
| ?user_id=2 | 200 | 253 |
| ?user_id=3 | 200 | 351 |
| ?user_id=4 | 200 | 158 |
| ?user_id=5 | 200 | 267 |
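The pattern in those five records (same source, same URL, user_id stepping by one, every response 200 with a different size) can be turned into detection logic. The script below is an added example written for this writeup, not LetsDefend's rule or any real SIEM query; the key=value log format, the field names and the log lines are all constructed from the values shown above, plus a benign set where one client reloads its own record three times.

```python
"""Flag an IDOR enumeration sweep in web-proxy/firewall log records.

Added example for this writeup, not LetsDefend code. The log lines are
constructed from the SOC169 alert values; the key=value field names are an
assumed format, not a real SIEM schema.
"""
import re
from collections import defaultdict

# Constructed records: the five POST requests from the log analysis.
SWEEP_LOGS = [
    "src=134.209.118.137 dst=172.16.17.15 url=https://172.16.17.15/get_user_info/ "
    "method=POST params=?user_id=1 status=200 size=188 action=Permitted",
    "src=134.209.118.137 dst=172.16.17.15 url=https://172.16.17.15/get_user_info/ "
    "method=POST params=?user_id=2 status=200 size=253 action=Permitted",
    "src=134.209.118.137 dst=172.16.17.15 url=https://172.16.17.15/get_user_info/ "
    "method=POST params=?user_id=3 status=200 size=351 action=Permitted",
    "src=134.209.118.137 dst=172.16.17.15 url=https://172.16.17.15/get_user_info/ "
    "method=POST params=?user_id=4 status=200 size=158 action=Permitted",
    "src=134.209.118.137 dst=172.16.17.15 url=https://172.16.17.15/get_user_info/ "
    "method=POST params=?user_id=5 status=200 size=267 action=Permitted",
]

# Constructed benign records: one internal client reloading its own profile.
BENIGN_LOGS = [
    "src=10.0.0.5 dst=172.16.17.15 url=https://172.16.17.15/get_user_info/ "
    "method=POST params=?user_id=7 status=200 size=221 action=Permitted",
] * 3

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+) method=(?P<method>\S+) "
    r"params=(?P<params>\S+) status=(?P<status>\d+) size=(?P<size>\d+)"
)


def parse_params(raw):
    """Turn '?user_id=1&x=y' into a dict; a leading '?' is tolerated."""
    pairs = raw.lstrip("?").split("&")
    return dict(p.split("=", 1) for p in pairs if "=" in p)


def find_idor_sweeps(lines, id_param="user_id", min_requests=3):
    """Return one finding per (source, URL) whose requests walk id_param in
    steps of +1, all received HTTP 200, and came back with more than one
    distinct response size. A uniform size across ids would look like the
    same error page every time, so it counts against a successful sweep.
    """
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than abort the job
        value = parse_params(m["params"]).get(id_param, "")
        if not value.isdigit():
            continue
        groups[(m["src"], m["url"])].append(
            (int(value), int(m["status"]), int(m["size"]))
        )

    findings = []
    for (src, url), reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        ids = [r[0] for r in reqs]
        sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
        all_ok = all(status == 200 for _, status, _ in reqs)
        sizes = {size for _, _, size in reqs}
        if sequential and all_ok and len(sizes) > 1:
            findings.append({
                "src": src,
                "url": url,
                "id_range": (ids[0], ids[-1]),
                "distinct_sizes": len(sizes),
            })
    return findings


if __name__ == "__main__":
    for f in find_idor_sweeps(SWEEP_LOGS + BENIGN_LOGS):
        print(f"IDOR sweep: {f['src']} -> {f['url']} user_id {f['id_range']}")
```

The alert rule fired on "consecutive requests to the same page"; this logic is narrower, which is why the repeated self-reload in the benign set is not flagged while the five-id walk is.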
Thoughts
“Yeah, that’s 100% IDOR. The responses aren’t being blocked. The response sizes vary on different inputs, which gives reason to believe it is successful.”
Email
Thoughts
“No emails indicating this is a penetration test.”
Determination
Verdict
- True Positive
- Escalate Case
Reasoning
- The attacker increments the user_id value by 1 on each request, sweeping the parameter for responses.
- Every request returned HTTP 200 with a different response size (188, 253, 351, 158, 267 bytes). A rejected or non-existent id would normally produce the same-sized error page each time, so the varying sizes indicate distinct user records are coming back and the endpoint is vulnerable.
- The flaw in the endpoint (the requested user_id is served without checking it against the authenticated user) will need to be fixed.
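To show what "fixing the endpoint" means in code, here is a vulnerable handler for a get_user_info-style endpoint beside a hardened one. This is an added example for the writeup, not the lab application's code: the in-memory user store, the Session class, the Forbidden exception and the form dict are all assumptions made for illustration.

```python
"""Vulnerable vs. hardened handler for a get_user_info endpoint.

Added example for this writeup, not the lab application's code. The user
store, Session class and Forbidden exception are assumptions; the point is
where the authorization decision is made.
"""
from dataclasses import dataclass

# Constructed user records standing in for the application's database.
USERS = {
    1: {"name": "alice", "email": "alice@example.com"},
    2: {"name": "bob", "email": "bob@example.com"},
    3: {"name": "carol", "email": "carol@example.com"},
}


@dataclass
class Session:
    """Identity the server established at login (assumed)."""
    user_id: int
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the caller may not see the requested record (assumed)."""


def get_user_info_vulnerable(session, form):
    """The flaw behind the alert: the record is selected purely by the
    client-supplied user_id and the session is never consulted, so any
    logged-in user can walk user_id=1,2,3,... and read every account."""
    return USERS.get(int(form["user_id"]))


def get_user_info_fixed(session, form):
    """Authorize against the session principal before touching the store.
    A plain user may only read their own record; the id in the request is
    compared to the session, not trusted. The check runs before the lookup,
    so a rejected caller cannot use 'not found' vs 'forbidden' as an oracle
    for which ids exist."""
    try:
        requested = int(form.get("user_id", session.user_id))
    except (TypeError, ValueError):
        raise Forbidden("malformed user_id")
    if requested != session.user_id and not session.is_admin:
        raise Forbidden(f"user {session.user_id} may not read user {requested}")
    return USERS.get(requested)


if __name__ == "__main__":
    attacker = Session(user_id=3)
    print("vulnerable:", get_user_info_vulnerable(attacker, {"user_id": "1"}))
    try:
        get_user_info_fixed(attacker, {"user_id": "1"})
    except Forbidden as exc:
        print("fixed:", exc)
```

With the fixed handler the sweep observed in the logs would return a Forbidden error of constant size for every id except the attacker's own, which is also what makes the "varying response size" heuristic above stop firing.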
Playbook
Questions

| Question | Answer |
|---|---|
| Is Traffic Malicious? | Malicious |
| What Is The Attack Type? | IDOR |
| Check If It Is a Planned Test | Not Planned |
| What Is the Direction of Traffic? | Internet → Company Network |
| Was the Attack Successful? | Yes |
| Do You Need Tier 2 Escalation? | Yes |
Artifacts

| Value | Comment | Type |
|---|---|---|
| 134.209.118.137 | Attacker IP | IP Address |
| https://172.16.17.15/get_user_info/ | Vulnerable URL | URL |
Notes
Verdict: True Positive. Escalating.
Summary: Attacker abusing IDOR on 172.16.17.15 /get_user_info/ POST parameter user_id.
Validated via: SIEM Logs
Actions taken: None.
Finishing Thoughts
“Wish there was more I could do. IDOR doesn’t cause code execution, so that isn’t a worry at least. I don’t have permission to do more at the moment.”