μ¬μ©μ IDλ‘ μ§μ κ°μ²΄ μ°Έμ‘° μ κΆν κ²μ¦ μμ΄ νμΈ μ 보 μ‘°ν/μμ κ°λ₯
π₯ μ¬μ©μ λͺ©λ‘ (μ ννμ¬ μ‘°ν)
π‘ IDOR 곡격:
β’ URL μ§μ μμ : ?user_id=3 β λ€λ₯Έ μ¬μ©μ μ 보 μ‘°ν
β’ μμ°¨μ μΌλ‘ ID μ¦κ°: 1, 2, 3, ... β λͺ¨λ μ¬μ©μ μ 보 μμ§ (μ 보 μμ§)
β’ API νΈμΆ μλν: for i in range(1,100): fetch('/api/user/'+i)
β
λ°©μ΄ λ°©λ²
1. κΆν κ²μ¦ μΆκ°:
$requested_id = $_POST['user_id'];
$current_user_id = $_SESSION['user_id'];
// μμ μ μ λ³΄λ§ μ‘°ν κ°λ₯
if ($requested_id !== $current_user_id) {
die('Unauthorized');
}
// λλ κ΄λ¦¬μ κΆν νμΈ
if ($current_user['role'] !== 'admin') {
die('Admin only');
}
2. κ°μ μ°Έμ‘° (Indirect Reference) μ¬μ©:
// μ§μ ID λμ UUID λλ ν΄μ μ¬μ©
$user_hash = md5($user_id . $secret);
$stmt = $db->prepare("SELECT * FROM users WHERE hash = ? AND id = ?");
$stmt->execute([$user_hash, $requested_id]);
3. μ κ·Ό μ μ΄ λͺ©λ‘ (ACL):
// κΆν ν
μ΄λΈλ‘ νμΈ
$stmt = $db->prepare("SELECT 1 FROM acl WHERE user_id = ? AND can_access_user = ?");
$stmt->execute([$current_user_id, $requested_id]);
4. λ‘κΉ
λ° λͺ¨λν°λ§:
// κΆν μλ μ κ·Ό μλ κΈ°λ‘
log_security_event([
'type' => 'UNAUTHORIZED_ACCESS',
'user_id' => $current_user_id,
'target_id' => $requested_id,
'timestamp' => time()
]);