Insecure Direct Object References have occupied the fourth spot of the Open Web Application Security Project (OWASP) Top 10 list of the most critical web application security risks since 2007; however, these flaws didn’t even make the list when it was first created in 2004.
The threat of insecure direct object reference flaws has become commonplace as web applications have grown more complex, granting users differing levels of access so that they can reach some components but not others.
According to OWASP, a direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
These vulnerabilities result from the name or key of an object being used directly in a web page. The threat can come from an authorized user of the system who alters a parameter value that points directly to an object the user isn’t authorized to access. The user may be authorized to use the system, but not a specific object, such as a database record, a particular file or even a URL. If the application doesn’t verify the user’s authorization for that specific object, the result is an insecure direct object reference flaw.
Detecting these flaws is not difficult. Every location where a user can supply input that directly references an object needs to be tested. By manipulating parameter values, testers can identify the flaw and then analyze the code to determine whether a user is able to bypass authorization and retrieve objects that are not intended for them.
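As an added example (not code from the original article), the following Python shows a lookup that trusts the key from the request beside the same lookup with an ownership check, and the kind of parameter-tampering test described above, run as one authenticated user over a range of candidate keys. The invoice records, user ids and function names are constructed for the demonstration.

```python
"""Added example (not from the original article): a vulnerable direct object
reference beside its access-checked form, plus the parameter-tampering test a
reviewer runs to detect the flaw. All records and names are constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


class Forbidden(Exception):
    """Raised when the requesting user may not read the referenced object."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed in-memory "database"; the primary key is the direct reference
# that ends up in URLs such as /invoice?id=1001.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.0),
    1002: Invoice(1002, owner_id=7, amount=35.5),
    1003: Invoice(1003, owner_id=9, amount=999.0),
}


def get_invoice_vulnerable(user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Looks the object up by the key supplied in the request and never asks
    whether the authenticated user is allowed to see it: an IDOR."""
    return INVOICES.get(invoice_id)


def get_invoice_checked(user_id: int, invoice_id: int) -> Invoice:
    """Same lookup, but the object is released only if the caller owns it.
    Missing and forbidden objects both surface as Forbidden so the response
    does not reveal which keys exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != user_id:
        raise Forbidden(f"user {user_id} may not read invoice {invoice_id}")
    return invoice


def find_idor(handler: Callable[[int, int], Optional[Invoice]],
              user_id: int, candidate_ids: Iterable[int]) -> List[int]:
    """Detection check: as a single authenticated user, request every
    candidate key and report those that return an object owned by someone
    else. An empty list means the handler enforces ownership for this user."""
    leaked = []
    for invoice_id in candidate_ids:
        try:
            invoice = handler(user_id, invoice_id)
        except Forbidden:
            continue
        if invoice is not None and invoice.owner_id != user_id:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("vulnerable handler leaks:", find_idor(get_invoice_vulnerable, 7, ids))
    print("checked handler leaks:   ", find_idor(get_invoice_checked, 7, ids))
```

Run as a unit test in the application's own suite, `find_idor` gives a repeatable check that every object-returning handler enforces ownership; the same pattern applies to file names, directory paths or any other key the client can supply.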
Although easy for developers to detect, insecure direct object references are still worthy of their place on the OWASP Top 10 list. These flaws enable attackers to compromise all the data linked to the modified parameter. Once an attacker finds a way into the application, they will most likely figure out a way to dig deeper and compromise whatever data they can. The impact on an organization can be significant, depending on the type of data that is exposed during the attack.
To prevent these vulnerabilities, it is important that access control policies are in place and thoroughly enforced. Developers need to ensure that users have proper authorization for the direct references and restricted resources they request, and that any mapping from indirect references to internal objects is structured so that it cannot be used to reach objects the user is not authorized for.
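As an added example (not code from the original article), the following Python shows one way to build such a mapping: a per-session indirect reference map that hands the client an opaque token for each object the server has already decided the user may see, and translates the token back on the way in. The `Session` class, record keys and user ids are constructed for the demonstration.

```python
"""Added example (not the article's code): a per-session indirect reference
map, one way to stop exposing database keys in URLs and form fields.
Session objects and record keys are constructed for the demonstration."""
import secrets
from typing import Dict, Iterable, Optional


class Session:
    """Server-side state for one authenticated user. The map from opaque
    token to internal key lives here, never in the client's hands."""

    def __init__(self, user_id: int) -> None:
        self.user_id = user_id
        self._refs: Dict[str, int] = {}

    def issue_reference(self, object_key: int) -> str:
        """Return an opaque token for an object this session is about to show
        the user. The caller has already checked that the user may see it, so
        the map only ever contains authorized objects."""
        token = secrets.token_urlsafe(16)
        self._refs[token] = object_key
        return token

    def resolve_reference(self, token: str) -> int:
        """Translate a token coming back from the client into the internal key.
        Tokens never issued to this session (guessed, edited, or copied from
        another user's session) cannot resolve, so a tampered value reaches
        nothing."""
        try:
            return self._refs[token]
        except KeyError:
            raise LookupError("unknown object reference") from None


def render_listing(session: Session, owned_keys: Iterable[int]) -> Dict[str, int]:
    """Build the tokens a page would embed for the records the user owns.
    Returns token -> internal key so the caller can inspect the mapping;
    only the tokens would be sent to the client."""
    return {session.issue_reference(key): key for key in owned_keys}


def resolve_or_none(session: Session, token: str) -> Optional[int]:
    """Request-handler view of resolution: None means 'not found', and the
    handler should answer exactly as it would for a missing object."""
    try:
        return session.resolve_reference(token)
    except LookupError:
        return None


if __name__ == "__main__":
    alice = Session(user_id=7)
    listing = render_listing(alice, [1001, 1002])
    token = next(iter(listing))
    print("alice resolves her own token:", resolve_or_none(alice, token))
    bob = Session(user_id=9)
    print("bob resolves alice's token:  ", resolve_or_none(bob, token))
    print("alice resolves a tampered token:", resolve_or_none(alice, "edited"))
```

The map is populated only from objects the server has already authorized for that user, so the indirect reference cannot name anything the direct check would have refused. It complements, rather than replaces, the ownership check on the handler itself; the key still has to be verified where the object is actually read.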