Most security researchers focus on flaws such as SQL injection, cross-site scripting, cross-site request forgery, weak encryption and so on. These flaws are comparatively easy to exploit. However, there is one particular flaw that can help a security researcher chain one flaw into another.
This article shows security researchers how to use Google dorks to find IDOR endpoints on mobile and web applications.
A Google dork is a query or search string that uses advanced search operators to find information that is not readily visible on a mobile or web application. The mechanism of a Google dork is loosely similar to how a regular expression works: both rely on custom search operators to get the job done. (Note that Google dorks are not regular expressions.)
Mind you, Google dorks are not for pentesters or security researchers only. Terrorists could use the same search operators to find hard-to-find information on the internet. Thus, Google dorks have pros and cons.
Below is an example of a Google dork query that searches for banking sites located in Ghana. It simply looks for pages on domains ending in ".com.gh" whose URL contains "bank".
site:.com.gh inurl:"bank"
Now let's see how Google dorks can help security researchers search for IDOR endpoints on web or mobile applications.
IDOR means Insecure Direct Object Reference. A web or mobile application vulnerable to IDOR could allow an attacker to access other users' accounts through his own account, reset other users' passwords, delete other users' accounts and so on, simply by manipulating or supplying a userid or gid.
If you have considerable knowledge of object-oriented programming, you should already have a clear idea of IDOR attacks. A typical endpoint that takes a direct object reference looks like this:
www.test.com/getuser?id=123456
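To make the defect concrete, here is an added example (not code from the original article) modelling the getuser?id= endpoint above in plain Python: first the handler as it looks when it is vulnerable to IDOR, then the same handler with the server-side authorization check that fixes it, and finally the simplest fix of all, deriving the id from the session so the client supplies nothing to tamper with. The user store, the ids and the helper names are constructed for the illustration.

```python
# Added example (not from the original article): an in-memory model of the
# "/getuser?id=..." endpoint, written once with the IDOR defect and once with
# the authorization check that fixes it. Names and data are constructed.

# Constructed user store keyed by the direct object reference (the numeric id).
USERS = {
    123456: {"id": 123456, "email": "alice@example.invalid", "balance": 1500},
    123457: {"id": 123457, "email": "bob@example.invalid", "balance": 20},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def get_user_vulnerable(session_user_id: int, requested_id: int) -> dict:
    """Vulnerable handler: trusts the client-supplied id and never checks that
    it belongs to the logged-in user, so any valid id returns any user's record."""
    user = USERS.get(requested_id)
    if user is None:
        raise KeyError(requested_id)
    return user  # session_user_id is never consulted


def can_read(session_user_id: int, requested_id: int, is_admin: bool = False) -> bool:
    """Authorization decision, made on the server from session state only."""
    return is_admin or requested_id == session_user_id


def get_user_fixed(session_user_id: int, requested_id: int, is_admin: bool = False) -> dict:
    """Fixed handler: the object is looked up, then the caller's right to read
    it is checked before anything is returned."""
    user = USERS.get(requested_id)
    if user is None:
        raise KeyError(requested_id)
    if not can_read(session_user_id, requested_id, is_admin):
        # Return the same error as "not found" if you also want to hide which
        # ids exist; here Forbidden is raised to make the check visible.
        raise Forbidden(f"user {session_user_id} may not read user {requested_id}")
    return user


def get_own_profile(session_user_id: int) -> dict:
    """Simplest fix: take the id from the session and accept none from the
    client, so there is no object reference to manipulate."""
    return USERS[session_user_id]


if __name__ == "__main__":
    # Alice (123456) is logged in and changes the id parameter to Bob's.
    print(get_user_vulnerable(123456, 123457))  # leaks Bob's record
    try:
        get_user_fixed(123456, 123457)
    except Forbidden as exc:
        print("blocked:", exc)
    print(get_own_profile(123456))
```

The point to take from the fixed version is that the check compares the requested id against state the client does not control (the session), not against anything in the request itself; an id that is merely hard to guess, without such a check, is still an IDOR.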
Endpoints such as password_settings, reset_password, account_settings and login could be vulnerable to IDOR. Now let's briefly look at how we can use Google dorks to find one or two IDOR endpoints.
site:.com.gh inurl:"login"
The above search query displays login endpoints of several web and mobile portals. If you want to narrow it down, you can include another search operator such as "intext". The following Google dork tells Google to search for banks in Ghana with login endpoints.
site:.com.gh inurl:"login" intext:"Bank"
This search query shows web and mobile portals with a password settings endpoint.
site:.com.gh inurl:"password"
Google immediately displays login endpoints of several banks in Ghana. The next step is to pick a proxy of your choice. I recommend Burp Suite for web and mobile, or Charles Proxy for mobile. Finally, intercept outgoing requests and manipulate the userids.
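From the server side, tampered userids on an endpoint like getuser?id= show up as one session reading many different objects in a short span. The following added example (not part of the original article) is a small detector that parses constructed access log lines and flags a session that touched several distinct ids on an id-bearing path, noting whether the ids were consecutive and how many requests the server actually served; the log format, the parameter names and the threshold are assumptions for the illustration.

```python
# Added example (not from the original article): flag sessions that request
# many distinct object ids on the same id-bearing endpoint, which is what
# manipulated "getuser?id=" requests look like in the access log.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed log lines in a simplified format (an assumption, not a real server's):
# <client> <session-cookie-hash> "<METHOD> <target>" <status>
SAMPLE_LOG = """\
10.0.0.5 sess-a1 "GET /getuser?id=123456" 200
10.0.0.5 sess-a1 "GET /getuser?id=123457" 200
10.0.0.5 sess-a1 "GET /getuser?id=123458" 200
10.0.0.5 sess-a1 "GET /getuser?id=123459" 200
10.0.0.5 sess-a1 "GET /getuser?id=123460" 200
10.0.0.9 sess-b7 "GET /getuser?id=778899" 200
10.0.0.9 sess-b7 "GET /account_settings" 200
10.0.0.9 sess-b7 "GET /getuser?id=778899" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3})$')
# Query parameters treated as object references (assumed names, including the
# userid/gid the article mentions).
ID_PARAMS = ("id", "userid", "user_id", "gid")


def parse_line(line: str):
    """Parse one log line into a record; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, session, method, target, status = m.groups()
    url = urlsplit(target)
    query = parse_qs(url.query)
    ids = [value for param in ID_PARAMS for value in query.get(param, [])]
    return {"client": client, "session": session, "method": method,
            "path": url.path, "ids": ids, "status": int(status)}


def find_enumeration(log_text: str, threshold: int = 3):
    """Group requests by (session, path) and report groups that touched at least
    `threshold` distinct ids. A burst of 403s shows probing; 200s show the server
    handed the objects out, so the count of served requests is reported too."""
    seen = defaultdict(set)      # (session, path) -> distinct ids requested
    served = defaultdict(int)    # (session, path) -> requests answered with 200
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ids"]:
            continue
        key = (rec["session"], rec["path"])
        for obj_id in rec["ids"]:
            seen[key].add(obj_id)
            if rec["status"] == 200:
                served[key] += 1
    alerts = []
    for key, ids in seen.items():
        if len(ids) < threshold:
            continue
        numeric = sorted(int(i) for i in ids if i.isdigit())
        # Consecutive integers are the signature of someone walking the id space.
        sequential = (len(numeric) == len(ids) and len(numeric) >= 2
                      and numeric[-1] - numeric[0] == len(numeric) - 1)
        alerts.append({"session": key[0], "path": key[1], "distinct_ids": len(ids),
                       "served": served[key], "sequential": sequential})
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

In the sample, sess-a1 walks five consecutive ids on /getuser and is flagged with served=5, meaning the endpoint returned data for each one; sess-b7 only ever asks for its own id and is not reported. In practice the threshold and time window need tuning per endpoint, and a flagged session with served=0 and a wall of 403s is evidence that the authorization check is doing its job rather than that data was exposed.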
The above examples show why Google dorking is not just another information-gathering tool: it can also be used to find the specific endpoints on which to test for IDOR.