Vulnerability Assessment Report
Title: Insecure Direct Object Reference (IDOR) in Contributor Data API
Date: April 3, 2025
Assessed By: [Redacted Analyst Name]
1. Overview
An insecure direct object reference (IDOR) vulnerability has been identified in the Contributor API endpoint of the [Anonymized Government System]. The endpoint allows authenticated users to change the PSSID
parameter and retrieve data belonging to other users without any server-side authorization checks. This exposes sensitive personal information and violates basic data protection principles.
2. Technical Details
- Vulnerable Endpoint:
POST https://[redacted-domain].gov.np/Handlers/Registration/Handler.ashx
- Parameters Sent:
POST body (application/x-www-form-urlencoded):
method=GetCleanContributor
PSSID=20800573152
- Authentication Used:
- Cookie-based session, sent as request cookies (e.g., ASP.NET_SessionId for the application session; BIGipServer... and TSPD_101 are F5 load-balancer persistence and bot-defense cookies, not user identity)
- Bearer-style Token header (JWT encoded)
- Issue Identified:
- The PSSID is supplied by the client and consumed directly by the backend as the lookup key.
- No server-side check confirms that the current session or token owner is authorized to access that PSSID.
- By changing PSSID to another value, an authenticated user retrieves data belonging to other contributors.
3. Proof of Concept (PoC)
A request was made as a signed-in user using the following payload:
```python
# Form fields submitted by the signed-in test account; only PSSID was changed.
data = {
    'method': 'GetCleanContributor',
    'PSSID': '20800573152'  # ID of another user, not the authenticated one
}
```
Expected Behavior:
Return error or “unauthorized” if the PSSID
does not belong to the current user.
Observed Behavior:
Returned contributor details successfully — including personal data not associated with the authenticated session.
4. Impact
- Confidentiality Breach: Any authenticated user can view sensitive personal data of other contributors.
- Privacy Violation: Breach of user confidentiality obligations (e.g., local privacy laws, and GDPR where EU residents' data is processed).
- Data Enumeration Risk: Automated scripts can iterate over PSSID values to extract contributor records in bulk; the identifiers are numeric and appear sequential, which makes enumeration cheap.
- Reputational Risk: Undermines public trust in the platform's handling of personal data.
- Regulatory Risk: Possible penalties for failing to ensure secure access control to personal data.
5. Risk Rating (CVSS v3.1)
Metric | Value
---|---
Attack Vector | Network
Attack Complexity | Low
Privileges Required | Low (any authenticated user)
User Interaction | None
Scope | Unchanged
Confidentiality Impact | High
Integrity Impact | None
Availability Impact | None
Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Base Score | 6.5 (Medium)

Note: a score of 7.5 (High) would apply only if the endpoint were reachable without authentication (PR:N); the assessment required a valid session, so PR:L is used. Privileges Required: Low still means every registered user can exploit this.
6. Recommendations
a. Authorization Controls
- Implement strict backend authorization to ensure the requested PSSID belongs to the currently authenticated user.
- Validate access permissions server-side instead of relying on client-passed identifiers.
b. Session-Based Identification
- Avoid passing object IDs like PSSID from the client.
- Derive the user ID (or allowed object access scope) from the server session/token context.
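The following is an added illustration of recommendations 6a and 6b, not code from the assessed system. It models the GetCleanContributor handler in Python with a constructed in-memory session store and contributor table; the function and variable names are assumptions. The vulnerable version reproduces the reported behaviour (session checked for existence only, PSSID trusted from the request body), the hardened version compares the requested PSSID against the one bound to the session, and the session-scoped version drops the client-supplied identifier entirely.

```python
"""Added example: vulnerable vs. hardened GetCleanContributor handler.
Not the system's code; names, data and the session store are constructed."""

# Constructed contributor records keyed by PSSID.
CONTRIBUTORS = {
    "20800573152": {"name": "Contributor A", "dob": "1990-01-01"},
    "20800573153": {"name": "Contributor B", "dob": "1985-05-05"},
}

# Constructed server-side session store: session id -> PSSID of the logged-in
# user. In the real system this mapping would come from the validated session
# or from claims in the verified JWT, never from the request body.
SESSIONS = {
    "sess-alice": "20800573152",
    "sess-bob": "20800573153",
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the requested object."""


def vulnerable_get_clean_contributor(session_id: str, params: dict) -> dict:
    """Mirrors the reported behaviour: authentication is checked, but the
    PSSID from the POST body is used as the lookup key with no ownership
    check. This is the IDOR (CWE-639)."""
    if session_id not in SESSIONS:
        raise Forbidden("not authenticated")
    pssid = params["PSSID"]          # attacker-controlled
    return CONTRIBUTORS[pssid]       # any PSSID is returned


def hardened_get_clean_contributor(session_id: str, params: dict) -> dict:
    """Recommendation 6a: keep the parameter for compatibility, but only
    honour it if it matches the PSSID bound to the session. Fail closed with
    a generic 403 so an attacker cannot tell valid from invalid PSSIDs."""
    if session_id not in SESSIONS:
        raise Forbidden("not authenticated")
    owner_pssid = SESSIONS[session_id]
    requested = params.get("PSSID", owner_pssid)
    if requested != owner_pssid:
        raise Forbidden("403 Forbidden")
    return CONTRIBUTORS[owner_pssid]


def session_scoped_get_clean_contributor(session_id: str) -> dict:
    """Recommendation 6b: do not accept a PSSID from the client at all;
    derive the identifier from server-side session state."""
    if session_id not in SESSIONS:
        raise Forbidden("not authenticated")
    return CONTRIBUTORS[SESSIONS[session_id]]


def is_forbidden(fn, *args) -> bool:
    """Helper for checks: True if calling fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Alice's session asking for Bob's PSSID, as in the PoC.
    poc = {"method": "GetCleanContributor", "PSSID": "20800573153"}
    print("vulnerable:", vulnerable_get_clean_contributor("sess-alice", poc))
    print("hardened blocks it:", is_forbidden(hardened_get_clean_contributor, "sess-alice", poc))
    print("session-scoped:", session_scoped_get_clean_contributor("sess-alice"))
```

If the endpoint must support privileged roles (e.g., staff who may view any contributor), the ownership comparison becomes a role check against the session's claims; the point that does not change is that the decision is made from server-held identity, not from the PSSID the client sent.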
c. Access Logging
- Log all access to sensitive contributor data.
- Trigger alerts or throttle requests if unusual access patterns (e.g., rapid PSSID changes from one session) are detected.
d. Rate Limiting & CAPTCHA
- Implement rate limiting on the endpoint to prevent abuse via automated scripts.
- Optionally, implement CAPTCHA if needed for public endpoints.
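As an added example for recommendations 6c and 6d (not part of the original report or the assessed system), the detection below runs over constructed access-log lines in an assumed format of "timestamp session PSSID status". It keeps a sliding window per session and raises an alert when one session requests more distinct PSSIDs than a threshold within the window, which is the enumeration pattern described in section 4. A legitimate user repeatedly fetching their own record does not trigger it.

```python
"""Added example: flag PSSID enumeration in access logs.
The log format and thresholds are assumptions; the log lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, session id, requested PSSID, HTTP status.
# sess-mallory walks six consecutive PSSIDs in two seconds; the others only
# fetch their own record.
SAMPLE_LOG = """\
2025-04-03T10:00:00 sess-alice 20800573152 200
2025-04-03T10:00:01 sess-bob 20800573153 200
2025-04-03T10:00:02 sess-mallory 20800573150 200
2025-04-03T10:00:02 sess-mallory 20800573151 200
2025-04-03T10:00:03 sess-mallory 20800573152 200
2025-04-03T10:00:03 sess-mallory 20800573153 200
2025-04-03T10:00:04 sess-mallory 20800573154 200
2025-04-03T10:00:04 sess-mallory 20800573155 200
2025-04-03T10:05:00 sess-alice 20800573152 200
"""


def parse_log(text: str) -> list:
    """Parse the assumed log format into (timestamp, session, pssid, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, pssid, status = line.split()
        events.append((datetime.fromisoformat(ts), session, pssid, int(status)))
    return events


def detect_enumeration(events: list, window: timedelta = timedelta(seconds=60),
                       threshold: int = 5) -> dict:
    """Return {session: distinct_pssid_count} for sessions that requested more
    than `threshold` distinct PSSIDs within any `window`. The count recorded
    is the one at the moment the session first crossed the threshold."""
    recent = defaultdict(deque)   # session -> deque of (ts, pssid) inside window
    alerts = {}
    for ts, session, pssid, _status in sorted(events):
        q = recent[session]
        q.append((ts, pssid))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > threshold and session not in alerts:
            alerts[session] = len(distinct)
    return alerts


if __name__ == "__main__":
    for session, count in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {session}: {count} distinct PSSIDs within 60s")
```

In production the same logic can feed the throttling decision in 6d: once a session is flagged, return 429 or invalidate the session rather than only raising an alert. Counting distinct PSSIDs rather than raw requests is deliberate; a user refreshing their own profile is noisy but harmless, while touching many different identifiers is the signal.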
e. API Hardening
- Return a generic error (e.g., 403 Forbidden) if a user attempts to access an unauthorized PSSID, and use the same response whether or not the PSSID exists so the endpoint cannot be used to confirm valid identifiers.
7. Conclusion
The presence of an IDOR vulnerability in the contributor data retrieval API presents a serious security and privacy concern. Immediate remediation is strongly recommended to safeguard user data and ensure compliance with national and international data protection regulations.
Appendix: References
- OWASP Top 10 (2021), A01: Broken Access Control
- CWE-639: Authorization Bypass Through User-Controlled Key
- FIRST CVSS v3.1 Calculator