feat: Add IDOR Vulnerability (#504)

* feat: Add IDOR Vulnerability

* WIP: preparing refactor

* refactor: IDOR RBAC implementation

Author: antriksh-9

src/main/java/org/sasanlabs/configuration/VulnerableAppConfiguration.java

@@ -131,6 +131,8 @@ public DataSourceInitializer adminDataSourceInitializer(
         populator.addScript(new ClassPathResource("scripts/xss/PersistentXSS/db/schema.sql"));
         populator.addScript(new ClassPathResource("scripts/XXEVulnerability/schema.sql"));
         populator.addScript(new ClassPathResource("scripts/SQLInjection/db/data.sql"));
+        populator.addScript(new ClassPathResource("scripts/IDOR/db/schema.sql"));
+        populator.addScript(new ClassPathResource("scripts/IDOR/db/data.sql"));
         populator.setSeparator(";");
 
         DataSourceInitializer initializer = new DataSourceInitializer();

src/main/java/org/sasanlabs/service/vulnerability/idor/IDORVulnerability.java

@@ -44,7 +44,10 @@ public enum VulnerabilityType {
     // Cryptographic Failures
     WEAK_CRYPTOGRAPHIC_HASH(327, null),
     INSECURE_CRYPTOGRAPHIC_STORAGE(326, null),
-    USE_OF_BROKEN_CRYPTOGRAPHIC_ALGORITHM(330, null);
+    USE_OF_BROKEN_CRYPTOGRAPHIC_ALGORITHM(330, null),
+
+    // IDOR - Broken Access Control
+    INSECURE_DIRECT_OBJECT_REFERENCE(639, 13);
 
     private Integer cweID;
     private Integer wascID;

src/main/java/org/sasanlabs/vulnerability/types/VulnerabilityType.java

@@ -0,0 +1,5 @@
+IDOR_PAYLOAD_LEVEL_1=Login as one user and modify the 'id' request parameter to access another user's data.
+IDOR_PAYLOAD_LEVEL_2=Inspect and modify the value of 'userId' cookie in the browser developer tools and then click on 'Fetch Profile' button to access another user's profile information. For example, if you are logged in as Alice and value of 'userId' cookie is 1, change it to 2 to access Bob's profile information.
+IDOR_PAYLOAD_LEVEL_3=Decode the Base64 token, modify userId or role, re-encode it.
+IDOR_PAYLOAD_LEVEL_4=Decode the token, change role to ADMIN, re-encode and access other user's profile
+IDOR_PAYLOAD_LEVEL_5=Even if you decode the token and change role to ADMIN, you should not be able to access other user's profile due to proper RBAC implementation.

src/main/resources/attackvectors/IDORVulnerabilityPayload.properties

@@ -314,4 +314,12 @@ CRYPTOGRAPHIC_FAILURES_SHA1_HASHING=Password is hashed using SHA1 algorithm whic
 CRYPTOGRAPHIC_FAILURES_PLAINTEXT_STORAGE=Password is stored and returned in plaintext without any encryption or hashing, making it immediately visible in the API response.
 CRYPTOGRAPHIC_FAILURES_BASE64_ENCODING=Password is "encrypted" using Base64 encoding which is not encryption at all. The user must decode the Base64 string to find the original password.
 CRYPTOGRAPHIC_FAILURES_SECURE_SHA256=Password is hashed using SHA-256 with salt, making rainbow table attacks ineffective. In production, use bcrypt, Argon2, or PBKDF2 for password hashing.
-CRYPTOGRAPHIC_FAILURES_SECURE_AES=Data is encrypted using AES-256 with a secret key that is never exposed. Without the key, the data cannot be decrypted.
+CRYPTOGRAPHIC_FAILURES_SECURE_AES=Data is encrypted using AES-256 with a secret key that is never exposed. Without the key, the data cannot be decrypted.
+
+### IDOR Vulnerability
+IDOR_VULNERABILITY=Insecure Direct Object Reference (IDOR)
+IDOR_LEVEL_1_NO_AUTHORIZATION=Login and try accessing another user's id
+IDOR_LEVEL_2_COOKIE_TAMPERING=The application stores authentication state in a client-side cookie. Since cookies can be modified by users, this allows impersonation of other users.
+IDOR_LEVEL_3_JWT_TAMPERING=The application uses a JWT-like token stored on the client side. The token is not signed or validated. Try modifying the token payload.
+IDOR_LEVEL_4_BROKEN_RBAC=The application uses role-based access control (RBAC) but has a broken implementation. Try changing the role in the token or cookie to ADMIN and access other user's profile.
+IDOR_LEVEL_5_SECURE_RBAC=The application uses role-based access control (RBAC) and properly enforces it. Even if you try to change the role in the token or cookie, you should not be able to access other user's profile. This is the secure implementation.

src/main/resources/i18n/messages.properties

@@ -0,0 +1,3 @@
+INSERT INTO idor_users VALUES (1, 'Alice', 'password', 50000, 'USER');
+INSERT INTO idor_users VALUES (2, 'Bob', 'password', 60000, 'USER');
+INSERT INTO idor_users VALUES (3, 'Charlie', 'password', 70000, 'ADMIN');

src/main/resources/scripts/IDOR/db/data.sql

@@ -0,0 +1,11 @@
+DROP TABLE IF EXISTS idor_users;
+
+CREATE TABLE idor_users (
+    id INT PRIMARY KEY,
+    username VARCHAR(50),
+    password VARCHAR(50),
+    salary INT, 
+    role VARCHAR(20)
+);
+
+GRANT SELECT ON idor_users TO application;

src/main/resources/scripts/IDOR/db/schema.sql

@@ -0,0 +1,33 @@
+#idor_level_1 {
+    text-align: center;
+}
+
+#loginSection,
+#profileSection {
+    font-size: 15px;
+    margin-top: 2px;
+}
+
+#loggedInDisplay {
+    margin-top: 10px;
+    font-size: 14px;
+    font-weight: bold;
+}
+
+#loginBtn,
+#fetchBtn {
+    background: blueviolet;
+    display: inline-block;
+    padding: 8px 8px;
+    margin: 10px;
+    border: 2px solid transparent;
+    border-radius: 3px;
+    transition: 0.2s opacity;
+    color: #FFF;
+    font-size: 12px;
+}
+
+#response {
+    margin-top: 10px;
+    font-size: 16px;
+}

src/main/resources/static/templates/IDORVulnerability/LEVEL_1/IDOR.css

@@ -0,0 +1,32 @@
+<div id="idor_level_1">
+
+    <h3>IDOR Vulnerability - Level 1</h3>
+
+    <h5>Login</h5>
+    <div id="loginSection">
+        <select id="username">
+            <option value="Alice">Alice</option>
+            <option value="Bob">Bob</option>
+            <option value="Charlie">Charlie</option>
+        </select>
+        <input type="password" id="password" value="password" />
+        <button id="loginBtn">Login</button>
+    </div>
+
+    <div id="loggedInDisplay"></div>
+
+    <h5>Fetch Profile</h5>
+    <div id="profileSection">
+        <select id="profileId">
+            <option value="1">1 - Alice</option>
+            <option value="2">2 - Bob</option>
+            <option value="3">3 - Charlie</option>
+        </select>
+        <button id="fetchBtn">Fetch Profile</button>
+    </div>
+
+    <div id="response"></div>
+
+</div>
+
+<script src="IDOR.js"></script>

src/main/resources/static/templates/IDORVulnerability/LEVEL_1/IDOR.html

@@ -0,0 +1,33 @@
+function showResponse(data) {
+  document.getElementById("response").innerHTML = data.content;
+}
+
+// LOGIN
+document.getElementById("loginBtn").addEventListener("click", function () {
+  let username = document.getElementById("username").value;
+  let password = document.getElementById("password").value;
+
+  let url = getUrlForVulnerabilityLevel();
+  let queryParams = "?username=" + username + "&password=" + password;
+
+  doGetAjaxCall(
+    function (data) {
+      if (data.isValid) {
+        document.getElementById("loggedInDisplay").innerHTML = data.content;
+      } else {
+        document.getElementById("loggedInDisplay").innerHTML = data.content;
+      }
+    },
+    url + queryParams,
+    true
+  );
+});
+
+// FETCH PROFILE
+document.getElementById("fetchBtn").addEventListener("click", function () {
+  let id = document.getElementById("profileId").value;
+
+  let url = getUrlForVulnerabilityLevel() + "?id=" + id;
+
+  doGetAjaxCall(showResponse, url, true);
+});