Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a directory, file or database key, without any access control check or other protection. An attacker can manipulate those references to access unauthorized data and files.

Example

I can access my account page simply by providing my account number in the URL:

        http://www.example.com/details?acc_no=ZX2711111222333444555666777

An attacker could access any other account simply by providing a valid account number!

Impact

Insecure Direct Object References can compromise all the data that can be referenced by the specific parameter. Unless object references are unpredictable, it is easy for an attacker to access all the available data of that type.

Mitigation / Precaution

  • Use per-user or per-session indirect object references; this prevents attackers from directly targeting unauthorized resources.

  • Check access: each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the specific requested object.
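Both mitigations side by side with the vulnerable pattern, as an added example in Python (not code from the original article). The request handlers are plain functions, the account table and account numbers are constructed sample data, and `session_user` stands for the identity the server has already authenticated from the session, never for a value read from the URL.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: account numbers modelled on the page's example URL.
ACCOUNTS = {
    "ZX2711111222333444555666777": {"owner": "alice", "balance": 1250},
    "ZX2799999888777666555444333": {"owner": "bob", "balance": 80},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def vulnerable_details(session_user: str, acc_no: str) -> dict:
    """The pattern described on the page: acc_no comes straight from the URL
    and is used as the lookup key. session_user is deliberately ignored, so
    any valid account number returns someone else's record."""
    return ACCOUNTS[acc_no]


def hardened_details(session_user: str, acc_no: str) -> dict:
    """Mitigation 2: every use of a direct reference from an untrusted source
    is paired with an access control check against the session identity."""
    record = ACCOUNTS.get(acc_no)
    # One outcome for both 'does not exist' and 'not yours', so the check
    # does not reveal which account numbers are valid.
    if record is None or record["owner"] != session_user:
        raise Forbidden("not authorized for that object")
    return record


@dataclass
class IndirectReferenceMap:
    """Mitigation 1: per-session indirect references. The client only ever
    sees random tokens; the token-to-account map lives server-side."""
    session_user: str
    tokens: dict = field(default_factory=dict)

    def reference_for(self, acc_no: str) -> str:
        # Only objects the user owns are ever mapped, so no token handed to
        # this session can resolve to another user's account.
        if ACCOUNTS[acc_no]["owner"] != self.session_user:
            raise Forbidden("cannot reference another user's object")
        token = secrets.token_urlsafe(16)  # unpredictable, per-session handle
        self.tokens[token] = acc_no
        return token

    def resolve(self, token: str) -> dict:
        acc_no = self.tokens.get(token)
        if acc_no is None:
            raise Forbidden("unknown reference")
        # Defence in depth: still run the ownership check on the real key.
        return hardened_details(self.session_user, acc_no)


def outcome(handler, session_user: str, acc_no: str) -> str:
    """Summarise a handler call as 'ok:<owner>' or 'forbidden'."""
    try:
        return "ok:" + handler(session_user, acc_no)["owner"]
    except Forbidden:
        return "forbidden"


def demo() -> dict:
    """alice (from the session) requests bob's account number via the URL."""
    bobs_acc = "ZX2799999888777666555444333"
    return {
        "vulnerable": outcome(vulnerable_details, "alice", bobs_acc),
        "hardened": outcome(hardened_details, "alice", bobs_acc),
    }


if __name__ == "__main__":
    print(demo())
    m = IndirectReferenceMap("alice")
    tok = m.reference_for("ZX2711111222333444555666777")
    print("indirect ref", tok, "->", m.resolve(tok))
```

The two mitigations are complementary: the indirect map keeps real keys out of the client entirely, and the ownership check in `hardened_details` still runs when a token is resolved, so a defect in one layer does not by itself expose another user's data.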
