What is Insecure Direct Object Reference (IDOR)?
Insecure direct object references (IDOR) are access control vulnerabilities that arise when an application uses user-supplied input to access objects directly. IDOR was popularized by its appearance in the OWASP 2007 Top Ten. However, it is just one example of the many access control implementation mistakes that can lead to access controls being circumvented. IDOR vulnerabilities are most commonly associated with horizontal privilege escalation, but they can also arise in relation to vertical privilege escalation. (PortSwigger)
Insecure Direct Object References on Grafana v8.3.3
In Grafana 8.3.3, a user with the Viewer role can see another team's details via an Insecure Direct Object Reference, as demonstrated by the /API/teams/1 URI.
Proof of Concept:
1. Log in to the Grafana UI as Admin.
2. Create multiple teams.
3. Create a user with a "viewer" role.
4. Log in as the new user with the "viewer" role created in the previous step.
5. Refresh the Grafana UI and capture the request via Burp Suite.
6. Send a request to Repeater.
7. Change the request path to "/API/teams/<team id>".
8. Check the response for team details.
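The root cause in the procedure above is that the team ID taken from the URL selects the object while the caller's role only decides whether the endpoint may be called at all. The added example below (illustrative code, not Grafana's own; the roles, store and function names are assumptions) shows that IDOR pattern beside a handler that adds the object-level check a team endpoint needs:

```go
package main

import (
	"errors"
	"fmt"
)

// Coarse roles as named in the write-up; values are illustrative.
type Role int

const (
	Viewer Role = iota
	Editor
	Admin
)

type User struct {
	Name  string
	Role  Role
	Teams map[int]bool // IDs of teams this user belongs to
}

type Team struct {
	ID   int
	Name string
}

var ErrNotFound = errors.New("team not found")

// Constructed sample data standing in for the team table.
var teams = map[int]Team{1: {1, "platform"}, 2: {2, "finance"}}

// getTeamInsecure is the IDOR pattern: the user-supplied id picks the row and
// nothing relates that row to the caller, so any authenticated user can walk
// every team ID and read its details.
func getTeamInsecure(u User, id int) (Team, error) {
	if t, ok := teams[id]; ok {
		return t, nil
	}
	return Team{}, ErrNotFound
}

// getTeamSecure adds object-level authorization: admins may read any team,
// everyone else only teams they are a member of. A team the caller may not
// see is reported exactly like a missing one, so the endpoint does not
// confirm which IDs exist.
func getTeamSecure(u User, id int) (Team, error) {
	t, ok := teams[id]
	if !ok || (u.Role != Admin && !u.Teams[id]) {
		return Team{}, ErrNotFound
	}
	return t, nil
}

func main() {
	viewer := User{Name: "alice", Role: Viewer, Teams: map[int]bool{1: true}}
	_, err := getTeamInsecure(viewer, 2)
	fmt.Println("insecure, foreign team:", err) // <nil>: details leaked
	_, err = getTeamSecure(viewer, 2)
	fmt.Println("secure, foreign team:", err) // team not found
}
```

Logging the denied lookups from the hardened path gives a simple detection signal: a Viewer account requesting many distinct team IDs in a short window is the enumeration this write-up describes.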
This vulnerability cannot be exercised through UI requests, because the UI does not let users with the "editor" role make such requests.
If you curl the URL as an API request instead, you will get the result shown below: