Product
Features API Security Testing GraphQL Security Testing DevSecOps Compliance Cosmog: Private Tunnel WordPress Security Testing OWASP Security Testing Free Security Testing
Solutions
Pricing
Free tools
Website Security Assessment SSL Certificate Checker Domain Expiry Checker
Resources
Blog Developer Docs Help Center Guides Whitepapers Vulnerability Index Partners
Product tour
Blog Home
owasp
24 Jun 2018

Insecure Direct Object References

24 Jun 2018

A direct object reference happens when a developer exposes a reference to an implementation internally such as a directory or file without any access control check or some other kind of protection. An attackers can manipulate those references to access unauthorized data and file.

Example

I can access to my account page simply by providing my Account number in the URL:

        http://www.example.com/details?acc_no=ZX2711111222333444555666777

An attacker could have access to any other account by simply providing a valid Account number!

Impact

Insecure Direct Object References can compromise all the data that can be referenced by the specific parameter. Unless object references are unpredictable so it is easy for an attacker to access all the available data of that type.

Mitigation / Precaution

  • Use session indirect object references or per user this can prevent attackers from directly targeting the unauthorized resources.

  • Check access so that each use of a direct object reference from an untrusted source must be included with an access control check to ensure the user is authorized for that specifc requested object.

PRODUCT TOUR






Latest Articles

IMAP/SMTP injection
September 12 2023
7 limitations of vulnerability scanners
September 10 2023
Clickjacking attack
September 10 2023
Session Fixation Attack
July 30 2023
Vulnerability management using AI
June 29 2023

Explore morearrow



Popular in Injection

WordPress Authenticated SQL Injection
June 29 2022
SQL injection(SQLi)
May 4 2022
Union Query SQL Injection (SQLi)
July 4 2018
Stacked Queries SQL Injection (SQLi)
July 4 2018
Inline Queries SQL Injection (SQLi)
July 4 2018

Explore morearrow

Categories

Client Side URL Redirect Cookies Attributes IBM SQL Injection Injection Time Based Blind SQL Injection SSL CRLF Content Security Policy CSRF HSTS CORS Information Leakage status code SRI metadata X-XSS-Protection owasp XSS Clickjacking Cookies Directory traversal DOM XSS Blind SQL Injection XML Injection blog TLS WordPress web security SMB Cyber attacks AI Web server Data Security DOMECTF2020 Container security CMS Security Code Execution Htaccess Bypass DOMECTF2021 Press Webinar RFI DevSecOps DOMECTF2022 openssl HTTP headers Compliance AppSec
Related Articles
OWASP top ten 2017
owasp
OWASP top ten 2017
04 Jul 2022
Missing Function Level Access Control OWASP 2013
owasp
Missing Function Level Access Control OWASP 2013
24 Jun 2022
Sensitive Data Exposure OWASP 2013
owasp
Sensitive Data Exposure OWASP 2013
24 Mar 2022
OWASP Top 10 2021
owasp
OWASP Top 10 2021
29 Dec 2021
OWASP top ten 2013
owasp
OWASP top ten 2013
04 Jul 2018
Using Components with Known Vulnerabilities
owasp
Using Components with Known Vulnerabilities
24 Jun 2018
Unvalidated Redirects and Forwards
owasp
Unvalidated Redirects and Forwards
24 Jun 2018
Sensitive Data Exposure
owasp
Sensitive Data Exposure
24 Jun 2018
Insufficient Logging And Monitoring
owasp
Insufficient Logging And Monitoring
24 Jun 2018
Insecure Deserialization
owasp
Insecure Deserialization
24 Jun 2018
Broken Authentication
owasp
Broken Authentication
24 Jun 2018
Broken Access Control
owasp
Broken Access Control
24 Jun 2018