SOC169 - Possible IDOR Attack Detected
The rule name of this LetsDefend alert suggests that an IDOR attack was attempted against a web application on our network. IDOR (Insecure Direct Object Reference) is an access-control flaw: the application exposes an internal object identifier, such as a numeric user_id in a URL parameter, and does not verify that the requesting user is actually authorised to access the object it refers to. An attacker, often already logged in as an ordinary low-privilege user, changes that identifier (frequently by enumerating values with an automated tool) to read or modify other users' data.
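To make the flaw concrete, here is an added Python example (written for this page, not code from LetsDefend or from the web application in the alert) of a profile handler with and without the authorisation check. The in-memory USERS table, the Session/role model and the function names are illustrative assumptions. In the vulnerable version the only thing standing between a user and another user's record is the user_id value they send.

```python
from dataclasses import dataclass

# Constructed in-memory "database" standing in for the application's user table.
# The records and the Session/role model are illustrative assumptions, not from the alert.
USERS = {
    1: {"name": "alice", "email": "alice@example.com"},
    2: {"name": "bob", "email": "bob@example.com"},
    3: {"name": "carol", "email": "carol@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is not authorised to access the requested object."""


class NotFound(Exception):
    """Raised when the requested object does not exist."""


@dataclass
class Session:
    """Identity the server established at login; authorisation must use this,
    never an identifier supplied by the client."""
    user_id: int
    role: str = "user"


def get_profile_vulnerable(session: Session, requested_user_id: str) -> dict:
    """IDOR: the handler trusts the client-supplied user_id and never asks whether
    the logged-in user may see that record, so any user can read any profile."""
    try:
        return USERS[int(requested_user_id)]
    except (KeyError, ValueError):
        raise NotFound(requested_user_id)


def get_profile_fixed(session: Session, requested_user_id: str) -> dict:
    """Same lookup, but the object reference is checked against the server-side
    session before any data is returned. Only the owner or an admin may read it."""
    try:
        requested = int(requested_user_id)
    except ValueError:
        raise NotFound(requested_user_id)
    if requested != session.user_id and session.role != "admin":
        # Deny before the lookup so the response does not leak whether the id exists.
        raise Forbidden(f"user {session.user_id} may not read profile {requested}")
    try:
        return USERS[requested]
    except KeyError:
        raise NotFound(requested_user_id)


def can_read(handler, session: Session, requested_user_id: str) -> bool:
    """Demonstration helper: True if the handler returned data, False if it refused."""
    try:
        handler(session, requested_user_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = Session(user_id=2)
    # Bob tampers with the user_id parameter to read Alice's profile.
    print("vulnerable:", can_read(get_profile_vulnerable, bob, "1"))  # True
    print("fixed:     ", can_read(get_profile_fixed, bob, "1"))       # False
    print("own record:", can_read(get_profile_fixed, bob, "2"))       # True
```

The fix is deliberately placed before the database lookup: checking ownership after fetching the record is still correct, but answering 404 for non-existent ids and 403 for existing ones tells an enumerating attacker which identifiers are valid.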
Similar to the previous case, I began by determining the origin of the source IP. Again, it did not belong to a device on our network, so I turned to my favourite public tools, VirusTotal and AbuseIPDB, for more information. Both tools identified the IP as only vaguely malicious, but enough to warrant suspicion. The destination IP belonged to our WebServer1005, which established the direction of traffic in this incident.
Investigating the web traffic logs revealed five consecutive requests to the same URL, each with a modified "user_id" parameter, with values ranging from 1 to 5. All requests occurred within a three-minute span, returned a 200 response code and had distinct response sizes. This gave me substantial evidence that an IDOR attack had occurred and had been successful.
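The pattern in those logs, one source walking consecutive user_id values against a single URL within a few minutes and receiving 200 responses of differing sizes, can be turned into a detection. The differing sizes are what turn "attempted" into "successful": an authorisation failure or a generic error page normally has the same body every time, so different sizes suggest a different record came back for each id. The following Python is an added example written for this page; it is not LetsDefend's detection rule or the tooling used in the original investigation, and the log lines, addresses, timestamps and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format. IPs, timestamps, paths and
# sizes are invented for the example; they are not the alert's actual logs.
# 203.0.113.45 walks user_id 1..5 in under three minutes and gets five different
# 200 responses; 192.0.2.9 tries the same but is refused with identical 403 pages;
# 198.51.100.7 is an ordinary user reading one profile.
SAMPLE_LOGS = """\
203.0.113.45 - - [01/Mar/2022:10:05:01 +0000] "GET /profile.php?user_id=1 HTTP/1.1" 200 1532
203.0.113.45 - - [01/Mar/2022:10:05:33 +0000] "GET /profile.php?user_id=2 HTTP/1.1" 200 1488
203.0.113.45 - - [01/Mar/2022:10:06:10 +0000] "GET /profile.php?user_id=3 HTTP/1.1" 200 1601
203.0.113.45 - - [01/Mar/2022:10:06:54 +0000] "GET /profile.php?user_id=4 HTTP/1.1" 200 1497
203.0.113.45 - - [01/Mar/2022:10:07:40 +0000] "GET /profile.php?user_id=5 HTTP/1.1" 200 1555
192.0.2.9 - - [01/Mar/2022:10:06:00 +0000] "GET /profile.php?user_id=10 HTTP/1.1" 403 312
192.0.2.9 - - [01/Mar/2022:10:06:02 +0000] "GET /profile.php?user_id=11 HTTP/1.1" 403 312
192.0.2.9 - - [01/Mar/2022:10:06:04 +0000] "GET /profile.php?user_id=12 HTTP/1.1" 403 312
192.0.2.9 - - [01/Mar/2022:10:06:06 +0000] "GET /profile.php?user_id=13 HTTP/1.1" 403 312
192.0.2.9 - - [01/Mar/2022:10:06:08 +0000] "GET /profile.php?user_id=14 HTTP/1.1" 403 312
198.51.100.7 - - [01/Mar/2022:10:06:30 +0000] "GET /profile.php?user_id=42 HTTP/1.1" 200 1520
198.51.100.7 - - [01/Mar/2022:10:06:35 +0000] "GET /index.php HTTP/1.1" 200 4201
"""

# Source IP, timestamp, request line, status and size; trailing referer/user-agent
# fields (combined format) are tolerated because the pattern is not end-anchored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_events(log_text):
    """Group numeric query-parameter values by (source IP, path, parameter name)."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(m["target"])
        size = int(m["size"]) if m["size"] != "-" else 0
        for param, values in parse_qs(url.query).items():
            for value in values:
                if value.isdigit():
                    buckets[(m["ip"], url.path, param)].append(
                        (ts, int(value), int(m["status"]), size)
                    )
    return buckets


def detect_idor(log_text, min_values=5, window=timedelta(minutes=3)):
    """Flag a source that requests one path with at least `min_values` distinct
    numeric values of the same parameter inside `window`. A finding is marked
    successful when every request was answered 200 with a different body size,
    i.e. the server most likely returned a different record each time."""
    findings = []
    for (ip, path, param), events in parse_events(log_text).items():
        events.sort()  # chronological
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - first[0] <= window]
            values = sorted({e[1] for e in in_window})
            if len(values) < min_values:
                continue
            statuses = {e[2] for e in in_window}
            sizes = [e[3] for e in in_window]
            findings.append({
                "src_ip": ip,
                "path": path,
                "param": param,
                "values": values,
                "sequential": values == list(range(values[0], values[0] + len(values))),
                "span_seconds": (in_window[-1][0] - first[0]).total_seconds(),
                "successful": statuses == {200} and len(set(sizes)) == len(sizes),
            })
            break  # one finding per (ip, path, param) is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_idor(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample this produces two findings: the first source is flagged as a successful enumeration (five sequential ids, five distinct 200 bodies in 159 seconds), the second as an attempt that the application refused, and the single-request user is not flagged at all. The thresholds mirror what the alert showed (five values in three minutes); in production they would be tuned against the application's normal traffic.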
Email records showed no communication regarding a planned test involving the attacker IP, and there was no unusual browser, command, network or process history on the victim machine, which I did not find abnormal given the nature of the attack. I nonetheless quarantined the device from the network, submitted my findings, closed the alert and escalated it to Tier 2.