feat: Add IDOR Vilnerability

Author: antriksh-9

src/main/java/org/sasanlabs/service/vulnerability/idor/IDORVulnerability.java

@@ -0,0 +1,84 @@
+package org.sasanlabs.service.vulnerability.idor;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.sasanlabs.internal.utility.LevelConstants;
+import org.sasanlabs.internal.utility.Variant;
+import org.sasanlabs.internal.utility.annotations.AttackVector;
+import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping;
+import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController;
+import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean;
+import org.sasanlabs.vulnerability.types.VulnerabilityType;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.RequestParam;
+
+@VulnerableAppRestController(descriptionLabel = "IDOR_VULNERABILITY", value = "IDORVulnerability")
+public class IDORVulnerability {
+
+    private static final String USER_ID = "userId";
+
+    private static final Map<String, String> userData = new HashMap<>();
+
+    static {
+        userData.put("101", "User 101 - Account Balance: ₹5000");
+        userData.put("102", "User 102 - Account Balance: ₹15000");
+        userData.put("103", "User 103 - Account Balance: ₹25000");
+    }
+
+    private ResponseEntity<GenericVulnerabilityResponseBean<String>> getResponse(String userId) {
+        String data = userData.getOrDefault(userId, "User not found");
+        return new ResponseEntity<>(
+                new GenericVulnerabilityResponseBean<>(data, true), HttpStatus.OK);
+    }
+
+    // LEVEL 1 - Direct access without any check
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.INSECURE_DIRECT_OBJECT_REFERENCE,
+            description = "IDOR_LEVEL_1_NO_AUTH_CHECK",
+            payload = "Try changing userId parameter to access other users")
+    @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_1, htmlTemplate = "LEVEL_1/IDOR")
+    public ResponseEntity<GenericVulnerabilityResponseBean<String>> idorLevel1(
+            @RequestParam(USER_ID) String userId) {
+
+        // No authentication or authorization
+        return getResponse(userId);
+    }
+
+    // LEVEL 2 - Fake logged in user but no ownership validation
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.INSECURE_DIRECT_OBJECT_REFERENCE,
+            description = "IDOR_LEVEL_2_FAKE_LOGIN_NO_AUTHZ",
+            payload = "Logged in user is 101 but try accessing 102")
+    @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_2, htmlTemplate = "LEVEL_2/IDOR")
+    public ResponseEntity<GenericVulnerabilityResponseBean<String>> idorLevel2(
+            @RequestParam(USER_ID) String userId,
+            @RequestParam("loggedInUser") String loggedInUser) {
+
+        // Still no ownership check
+        return getResponse(userId);
+    }
+
+    // LEVEL 3 - Secure version (Proper Fix)
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.INSECURE_DIRECT_OBJECT_REFERENCE,
+            description = "IDOR_LEVEL_3_SECURE",
+            payload = "Access only allowed to your own account")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_3,
+            htmlTemplate = "LEVEL_3/IDOR",
+            variant = Variant.SECURE)
+    public ResponseEntity<GenericVulnerabilityResponseBean<String>> idorLevel3(
+            @RequestParam(USER_ID) String userId,
+            @RequestParam("loggedInUser") String loggedInUser) {
+
+        if (!userId.equals(loggedInUser)) {
+            return new ResponseEntity<>(
+                    new GenericVulnerabilityResponseBean<>(
+                            "Access Denied - Unauthorized Access", false),
+                    HttpStatus.OK);
+        }
+
+        return getResponse(userId);
+    }
+}

src/main/java/org/sasanlabs/vulnerability/types/VulnerabilityType.java

@@ -44,7 +44,10 @@ public enum VulnerabilityType {
     // Cryptographic Failures
     WEAK_CRYPTOGRAPHIC_HASH(327, null),
     INSECURE_CRYPTOGRAPHIC_STORAGE(326, null),
-    USE_OF_BROKEN_CRYPTOGRAPHIC_ALGORITHM(330, null);
+    USE_OF_BROKEN_CRYPTOGRAPHIC_ALGORITHM(330, null),
+
+    // IDOR - Broken Access Control
+    INSECURE_DIRECT_OBJECT_REFERENCE(639, 13);
 
     private Integer cweID;
     private Integer wascID;

src/main/resources/i18n/messages.properties

@@ -314,4 +314,11 @@ CRYPTOGRAPHIC_FAILURES_SHA1_HASHING=Password is hashed using SHA1 algorithm whic
 CRYPTOGRAPHIC_FAILURES_PLAINTEXT_STORAGE=Password is stored and returned in plaintext without any encryption or hashing, making it immediately visible in the API response.
 CRYPTOGRAPHIC_FAILURES_BASE64_ENCODING=Password is "encrypted" using Base64 encoding which is not encryption at all. The user must decode the Base64 string to find the original password.
 CRYPTOGRAPHIC_FAILURES_SECURE_SHA256=Password is hashed using SHA-256 with salt, making rainbow table attacks ineffective. In production, use bcrypt, Argon2, or PBKDF2 for password hashing.
-CRYPTOGRAPHIC_FAILURES_SECURE_AES=Data is encrypted using AES-256 with a secret key that is never exposed. Without the key, the data cannot be decrypted.
+CRYPTOGRAPHIC_FAILURES_SECURE_AES=Data is encrypted using AES-256 with a secret key that is never exposed. Without the key, the data cannot be decrypted.
+
+### IDOR Vulnerability
+IDOR_VULNERABILITY=Insecure Direct Object Reference (IDOR)
+
+IDOR_LEVEL_1_NO_AUTH_CHECK=User can access any user's data by modifying userId parameter.
+IDOR_LEVEL_2_FAKE_LOGIN_NO_AUTHZ=Authentication present but no ownership validation is performed.
+IDOR_LEVEL_3_SECURE=Secure implementation with proper ownership validation.

src/main/resources/static/templates/IDORVulnerability/LEVEL_1/IDOR.css

@@ -0,0 +1,42 @@
+#IDORVulnerability {
+    text-align: center;
+    margin-top: 20px;
+}
+
+.info-box {
+    background-color: #f4f4f4;
+    padding: 15px;
+    margin: 20px auto;
+    width: 60%;
+    border-radius: 6px;
+    text-align: left;
+}
+
+.input-section {
+    margin: 20px;
+}
+
+.input-section input,
+.input-section select {
+    padding: 6px;
+    margin: 5px;
+}
+
+#fetchDetails {
+    background-color: darkred;
+    color: white;
+    padding: 8px 12px;
+    border: none;
+    border-radius: 4px;
+    cursor: pointer;
+}
+
+#fetchDetails:hover {
+    background-color: crimson;
+}
+
+.response-box {
+    margin-top: 20px;
+    font-size: 18px;
+    font-weight: bold;
+}

src/main/resources/static/templates/IDORVulnerability/LEVEL_1/IDOR.html

@@ -0,0 +1,27 @@
+<div id="IDORVulnerability">
+    <h2>IDOR Vulnerability Demo</h2>
+
+    <div class="info-box">
+        <p id="scenarioText">
+            You are logged in as a user. Try accessing another user's account.
+        </p>
+
+        <p><strong>Available Users:</strong></p>
+        <ul>
+            <li>101 - Alice</li>
+            <li>102 - Bob</li>
+            <li>103 - Charlie</li>
+        </ul>
+    </div>
+
+    <div class="input-section">
+        <label>User ID (Target Account):</label>
+        <input type="text" id="userId" placeholder="Enter userId (e.g., 101)" />
+
+        <button id="fetchDetails">Fetch Details</button>
+    </div>
+
+    <div id="response" class="response-box"></div>
+</div>
+
+<script src="IDOR.js"></script>

src/main/resources/static/templates/IDORVulnerability/LEVEL_1/IDOR.js

@@ -0,0 +1,24 @@
+function addingEventListenerToFetchData() {
+  document
+    .getElementById("fetchDetails")
+    .addEventListener("click", function () {
+
+      let userId = document.getElementById("userId").value;
+      let url = getUrlForVulnerabilityLevel();
+      let queryParams = "?userId=" + userId;
+
+      let loggedInUserField = document.getElementById("loggedInUser");
+
+      if (loggedInUserField) {
+          queryParams += "&loggedInUser=" + loggedInUserField.value;
+      }
+
+      doGetAjaxCall(fetchDataCallback, url + queryParams, true);
+    });
+}
+
+addingEventListenerToFetchData();
+
+function fetchDataCallback(data) {
+  document.getElementById("response").innerHTML = data.content;
+}

src/main/resources/static/templates/IDORVulnerability/LEVEL_2/IDOR.css

@@ -0,0 +1,42 @@
+#IDORVulnerability {
+    text-align: center;
+    margin-top: 20px;
+}
+
+.info-box {
+    background-color: #f4f4f4;
+    padding: 15px;
+    margin: 20px auto;
+    width: 60%;
+    border-radius: 6px;
+    text-align: left;
+}
+
+.input-section {
+    margin: 20px;
+}
+
+.input-section input,
+.input-section select {
+    padding: 6px;
+    margin: 5px;
+}
+
+#fetchDetails {
+    background-color: darkred;
+    color: white;
+    padding: 8px 12px;
+    border: none;
+    border-radius: 4px;
+    cursor: pointer;
+}
+
+#fetchDetails:hover {
+    background-color: crimson;
+}
+
+.response-box {
+    margin-top: 20px;
+    font-size: 18px;
+    font-weight: bold;
+}

src/main/resources/static/templates/IDORVulnerability/LEVEL_2/IDOR.html

@@ -0,0 +1,34 @@
+<div id="IDORVulnerability">
+    <h2>IDOR Vulnerability Demo</h2>
+
+    <div class="info-box">
+        <p id="scenarioText">
+            You are logged in as a user. Try accessing another user's account by modifying the <code>userId</code> parameter.
+        </p>
+
+        <p><strong>Available Users:</strong></p>
+        <ul>
+            <li>101 - Alice</li>
+            <li>102 - Bob</li>
+            <li>103 - Charlie</li>
+        </ul>
+    </div>
+
+    <div class="input-section">
+        <label>User ID (Target Account):</label>
+        <input type="text" id="userId" placeholder="Enter userId (e.g., 101)" />
+
+        <label>Logged In User:</label>
+        <select id="loggedInUser">
+            <option value="101">101 - Alice</option>
+            <option value="102">102 - Bob</option>
+            <option value="103">103 - Charlie</option>
+        </select>
+
+        <button id="fetchDetails">Fetch Details</button>
+    </div>
+
+    <div id="response" class="response-box"></div>
+</div>
+
+<script src="IDOR.js"></script>

src/main/resources/static/templates/IDORVulnerability/LEVEL_2/IDOR.js

@@ -0,0 +1,24 @@
+function addingEventListenerToFetchData() {
+  document
+    .getElementById("fetchDetails")
+    .addEventListener("click", function () {
+
+      let userId = document.getElementById("userId").value;
+      let url = getUrlForVulnerabilityLevel();
+      let queryParams = "?userId=" + userId;
+
+      let loggedInUserField = document.getElementById("loggedInUser");
+
+      if (loggedInUserField) {
+          queryParams += "&loggedInUser=" + loggedInUserField.value;
+      }
+
+      doGetAjaxCall(fetchDataCallback, url + queryParams, true);
+    });
+}
+
+addingEventListenerToFetchData();
+
+function fetchDataCallback(data) {
+  document.getElementById("response").innerHTML = data.content;
+}

src/main/resources/static/templates/IDORVulnerability/LEVEL_3/IDOR.css

@@ -0,0 +1,42 @@
+#IDORVulnerability {
+    text-align: center;
+    margin-top: 20px;
+}
+
+.info-box {
+    background-color: #f4f4f4;
+    padding: 15px;
+    margin: 20px auto;
+    width: 60%;
+    border-radius: 6px;
+    text-align: left;
+}
+
+.input-section {
+    margin: 20px;
+}
+
+.input-section input,
+.input-section select {
+    padding: 6px;
+    margin: 5px;
+}
+
+#fetchDetails {
+    background-color: darkred;
+    color: white;
+    padding: 8px 12px;
+    border: none;
+    border-radius: 4px;
+    cursor: pointer;
+}
+
+#fetchDetails:hover {
+    background-color: crimson;
+}
+
+.response-box {
+    margin-top: 20px;
+    font-size: 18px;
+    font-weight: bold;
+}