Bug #73 (closed)
Parent: Feature #65: Security Audit
[Security Audit] 8- Insecure Direct Object Reference (IDOR)
Done: 0%
Description
8- Insecure Direct Object Reference (IDOR)
CWE: CWE-639
Description:
An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key, without any validation mechanism. This allows attackers to manipulate these references to access unauthorized data.
Affected Path(s):
https://his-healthid-service.satragroup.in/abdm/search/searchByHealthId (applicable to the entire application)
Impact:
Such flaws can compromise all the data that can be referenced by the parameter. Unless object references are unpredictable, it is easy for an attacker to access all available data of that type.
Recommendation:
Use per-user or per-session indirect object references. This prevents attackers from directly targeting unauthorized resources.
Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
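As an added illustration of the two recommendations above (example code written for this ticket, not code from the audited service, whose implementation language is not known here), the Python below shows a "search by health ID" handler in the pattern the finding describes beside a hardened version that pairs the direct reference with an ownership check, plus a per-session map that hands the client unguessable handles instead of the real key. The record store, user names and health IDs are constructed placeholders.

```python
import secrets
from typing import Optional

# Constructed sample data: two records keyed by health ID. The IDs and owners
# are placeholders invented for this example, not real ABHA/health IDs.
RECORDS = {
    "patient-one@abdm": {"owner": "user_one", "name": "Record One"},
    "patient-two@abdm": {"owner": "user_two", "name": "Record Two"},
}


def search_insecure(session_user: str, health_id: str) -> tuple:
    """Pattern the finding describes: the client-supplied key is used as-is,
    so any authenticated user can read any record by changing the parameter.
    The session user is accepted but never consulted."""
    record = RECORDS.get(health_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def search_checked(session_user: str, health_id: str) -> tuple:
    """Second recommendation: every use of a direct reference from an
    untrusted source is paired with an authorisation check against the
    authenticated session user."""
    record = RECORDS.get(health_id)
    # One response for "missing" and "not yours", so the endpoint does not
    # confirm which health IDs exist.
    if record is None or record["owner"] != session_user:
        return 404, {"error": "not found"}
    return 200, record


class SessionRefMap:
    """First recommendation: per-session indirect references. The client only
    ever sees random handles minted for records it owns; the real key never
    appears in a request, so there is no parameter to tamper with."""

    def __init__(self, session_user: str):
        self.session_user = session_user
        self._handles = {}  # handle -> health_id, scoped to this session

    def issue(self, health_id: str) -> Optional[str]:
        # Only mint a handle for a record the session user is allowed to see.
        record = RECORDS.get(health_id)
        if record is None or record["owner"] != self.session_user:
            return None
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = health_id
        return handle

    def search(self, handle: str) -> tuple:
        health_id = self._handles.get(handle)
        if health_id is None:
            return 404, {"error": "not found"}
        # Defence in depth: the resolved key still goes through the access check.
        return search_checked(self.session_user, health_id)


if __name__ == "__main__":
    # The scenario from the evidence section: one user requests another's record.
    print("insecure :", search_insecure("user_one", "patient-two@abdm"))
    print("checked  :", search_checked("user_one", "patient-two@abdm"))
    refs = SessionRefMap("user_one")
    own_handle = refs.issue("patient-one@abdm")
    print("indirect :", refs.search(own_handle))
    print("foreign  :", refs.issue("patient-two@abdm"))
```

Returning the same 404 for "does not exist" and "not owned by this user" is a deliberate choice: a 403 would tell a caller that the guessed health ID is valid. The handle map is kept per session so that a leaked handle is useless outside the session that minted it, and the ownership check is kept even on the indirect path so the two controls do not depend on each other.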
Evidence/Proof of Concept:
Step 1: Log in to the application with the srinuks.1 (ABHA login) credentials, navigate to the https://his-healthid-service.satragroup.in/abdm/search/searchByHealthId URL and capture the request with a certain "Health ID", as shown in the screenshot below.
Step 2: Now modify the Health ID srinuks.1 to thisiskarthik and forward the request; in the response it can be observed that the data of a different user can be accessed.
Files