IDOR vs Privilege escalation


Mukesh Sharma

Jun 17, 2016, 7:26:37 AM
to null-...@googlegroups.com

Hi Guys,

Could you please help me to understand the difference between Insecure Direct Object Reference and Privilege Escalation.

Thanks

TAS

Jun 17, 2016, 10:25:58 AM
to null-...@googlegroups.com
"Privilege escalation" is an attack technique and "Insecure Direct Object Reference" is a vulnerability. You can do privilege escalation attacks when you have IDOR issues.

Cheers!
TAS  

--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
______________________________________________________________________________
se7enth edition of nullcon Goa (Mar 9-12, 2016)
http://nullcon.net
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
Visit this group at https://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.

Mukesh Sharma

Jun 17, 2016, 1:09:39 PM
to null-...@googlegroups.com

Thanks for the reply. In the OWASP Testing Guide both are shown as different attack techniques under Authorization testing.

Ajay Pratap Singh

Jun 20, 2016, 12:54:01 AM
to null
One example:

Let's take a scenario: there is one document on the server which can only be accessed by an authorized user (once you provide your credentials, the server will look up what documents you have access to), with document ID = 123, which is being requested through the URL (for example: www.abc.com/php.aspx?documentID=123). So if you can request this URL successfully then it will become IDOR. Now this document belongs to a different user, so it may become privilege escalation as the document belongs to the different user; based on the privilege level, the privilege escalation could be horizontal or vertical. Generally IDOR leads to privilege escalation.
As far as I have seen, OWASP also considers IDOR a part of privilege escalation. Hope this will help you.
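To make the distinction in this scenario concrete, here is an added Python sketch (not from the thread) of the document handler above: a vulnerable version that trusts the documentID parameter after login, the same lookup with a per-object authorization check, and a helper that labels what an unauthorized read would be (horizontal or vertical). The users, roles and document ids are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data modelling the scenario in the thread: documents are
# keyed by the documentID taken from the URL, each has an owner, and every
# logged-in user has a role. Names, ids and roles are made up.
@dataclass(frozen=True)
class Document:
    owner: str
    body: str

DOCUMENTS = {
    123: Document(owner="alice", body="alice's report"),
    124: Document(owner="bob", body="bob's report"),
    900: Document(owner="carol", body="payroll export"),
}
USERS = {"alice": "user", "bob": "user", "carol": "admin"}

def is_authorized(user: str, doc: Document) -> bool:
    # Object-level rule: owners read their own documents; admins read all.
    return doc.owner == user or USERS[user] == "admin"

def get_document_idor(user: str, document_id: int) -> tuple:
    """Vulnerable: authentication happened at login, but the handler trusts
    documentID and never asks whether *this* user may read that object."""
    return 200, DOCUMENTS[document_id].body

def get_document_checked(user: str, document_id: int) -> tuple:
    """Hardened: the same lookup, with a per-object authorization decision."""
    doc = DOCUMENTS[document_id]
    if not is_authorized(user, doc):
        return 403, ""
    return 200, doc.body

def classify_escalation(user: str, document_id: int) -> str:
    """What a successful unchecked read would amount to for this user."""
    doc = DOCUMENTS[document_id]
    if is_authorized(user, doc):
        return "authorized"
    if USERS[user] == USERS[doc.owner]:
        return "horizontal"  # same privilege level, another user's object
    return "vertical"  # the object belongs to a more privileged role

if __name__ == "__main__":
    for user, doc_id in [("bob", 124), ("bob", 123), ("bob", 900)]:
        print(user, doc_id, "idor:", get_document_idor(user, doc_id)[0],
              "checked:", get_document_checked(user, doc_id)[0],
              classify_escalation(user, doc_id))
```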