Get Quote

Serving Industries Worldwide

Innovative Ways - Satisfied Clientele

Secure web application from ‘Insecure direct object references’

iFour Team - 5 Sep 2017

‘Insecure direct object references’ is ranked 4th on the list OWASP top 10 vulnerabilities 2013. Now days, it has become a serious concern for software development companies to maintain the privacy of all the users. This vulnerability breaches the authorization gates and allow an attacker to thieve unauthorized data from web application. Let’s have

detailed understanding of this vulnerability

.

What is insecure direct object references?

According to OWASP definition insecure direct object references occur when web application gives direct access to those objects which are based on user-supplied input. As a result, an attacker can bypass the authorization gates and gain the access of resources of the system directly, like database files and records.

This vulnerability allows the attacker to bypass authorization steps of an application and have the access of all the resources directly by modifying the values of parameter which is used to point an object. These kinds of resources can be files of system, entries belonging to other users, etc. This happens because the application takes user supplied input and retrieve an object without checking sufficient authorization.

How can you know you are vulnerable?

Here are some easy ways to find out if your web application is vulnerable or not.

  • Does the application verify the exact user and the resources he is given access to? (For all direct references to restricted resources)
  • Suppose the reference is an indirect reference, you need to verify if the mapping to the direct references fail to restrict the values for authorized current user.

Code review of any application by custom web application companies can identify whether we can apply either approach safely or not. In most of the cases manual testing is proved to be effective to identify direct object references and check whether they are safe or not. Automated tools generally cannot look for such flaws as they cannot distinguish protection what is safe and what is not.

Let’s have a demo website where an object id is 3 which can be seen like this.

Here is the object (A user profile)
Vulnerable CMS Example

Insecure Direct Object Reference Example

Now if we just change id from id=3 to id=1 in URL, we can see that we are directly given access to that object on id=1.
Vulnerable CMS Demo

Insecure Direct Object References  

Severity: Medium

Prevention

To prevent this vulnerability from your web application,

web application software companies

suggests to create a map with in your code that maps objects. These objects could be referenced internally to aliased terms which are exposed to the user. For example, an array of primary keys to a particular table might be mapped with random sequence of integers. When the value is submitted by user, the number is matched to a real value. This prevents disclosure of the actual value and also limits what a user can alter.

For example,

default             --> index.html

account_summary     --> account_summary.html

user_profile         --> user_profile.html

Values supplied by the user should be vetted through an access control function to verify that he is authorized for that data.

Bibliography

OWASP. (2014, August 8). Testing for Insecure Direct Object References. Retrieved from OWASP: https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)

Tags

.net .Net 5 .Net Applications .NET Core .Net Core 3.0 .Net Core Developer .Net Core Libraries .NET Core vs .NET framework .Net Development .Net Development Tools .Net Localization .Net Trends 3D Mobile Application Development Advanced SEO Techniques AGILE Amazon API Android Angular Angular 7 Angular 7 features Angular 7 improvements Angular 7 updates Angular 9 Angular 9 Cons Angular 9 Features Angular 9 Pros Angular CLI Angular Development Angular Framework Angular Js Angular vs AngularJS AngularJS App Store Optimization Application Development ASO asp.net ASP.Net App Development ASP.Net CMS ASP.Net CMS for Web Development ASP.Net Core ASP.Net Core 3.0 ASP.Net Core Development ASP.Net Core Software Companies ASP.Net Development ASP.Net vs ASP.Net Core Augmented Reality aureliaJS Authentication in Ionic 4 AWS Azure AD backboneJS Best CRM Tools Best Platform for eCommerce Development big data Big Data Analytics bitcoin Blazor Blockchain Blockchain Adoption Blockchain Archietecture Blockchain Component Blockchain Component and Consensus Mechanism Blockchain Component and Markel Tree Blockchain Consensus Algorithm Blockchain Consulting Blockchain Consulting Companies India Blockchain Development Blockchain Development Company Blockchain Development Cycle and Development Cycle Blockchain Distributed System and Distributed System Blockchain Healthcare Industry Blockchain Platforms blockchain software companies Blockchain Technology Blockchain technology and Blockchain software companies Blockchain Uses Boilerplate Boilerplate Entity Framework Build Angular Applications c# C# Development categories Challenges in Magento Migration Challenges with Cloud Migration Chart FX Charting tools Cheque payments Cloud Migration CMS Common Cloud Migration Challenges Content Management System Contract in Solidity Copyright Registrat Copyright Registration Copyright Registration for Games Copyright Registration for IT Products Copyright Registration for Software COVID-19 Pandemic crm Cross Platform Web Apps Cross-Site Scripting Cryptocurrency custom software companies custom software development Custom software development in India Data Security DBA Debugging Tools of C# Design Patterns in C# DevExpress DevOps Tools digital currency Digital India Digital locker Digital Payment Docker DotNetNuke E-Governance eCommerce eCommerce Development eCommerce Platform ecommerce solution ecommerce solution providers eCommerce Solutions eCommerce Trends EFTPOS payments eGovernance Email Marketing Email Marketing Tips Ember Js emberJS Emerging eCommerce Trends Enterprise resource planning erp Ethereum Etherium Evolution of NodeJS Factors to Choose eCommerce Platform Features of ASP.Net core Features of Node 12 Frontend Development Frontend Language Fusion Chart Future of Mobile App Development Companies Google Assistant hadoop HDFS Healthcare Technology Trends Healthcare Trends Helathcare Industry Highcharts Hire ASP.Net Developer Hire Software Developer Hybrid Mobile App Hybrid Mobile App Development Hyperledger and Quorum IaaS Improvement of Node 12 Infragistics Insecure direct object references insufficient attack detection Insurance Insurance Industry and Blockchain Technology in Insuranc Introduction of .Net 5 Ionic 3 Ionic 3 vs Ionic 4 Ionic 4 Javascript JavaScript Add-in JavaScript frameworks JSON-RPC Kentico knockoutJS Lead Generation Learning Management Systems Ledger Technology Linkedin Marketing Litecoin and Ri LMS Magento Migration Make Database Faster Make Database Secure Marketing Marketing Platforms 2020 Marketing Strategies Marketing Strategies during Pandemic Marketing Strategies for Software Companies Meteor Js MeteorJS Microsoft Chart Middleware in ASP.Net Core Minimize Downtime while WFH Minimize Productivity Loss Mobile App Development Mobile app development company Mobile App Development Ideas mongodb MongoDB and Blockchain software companies Multi Cloud Aoption Multichain Blockchain MVC MWS Need of Angular CLI Net Core Nevron nHibernate Node 12 Node JS Node JS App Development Node JS Development Node JS Framework nodejs NodeJS 14 NodeJS Development NodeJS History NodeJS Technology NodeJS Web Development NopCommerce NoSQL Online payments ORM Outsource Web Development Outsourcing Development Services PaaS Parity Payment gateways Permissioned Blockchain PHP Frameworks POC Podcast SEO polymerJS PowerShell private blockchain Product Development Programming Languages Project Brief Project management Project Management Software Project Management Software Recommendations Project Management Tools public blockchain QA Quality Assurance Quality Assurance Strategies Questions for Software Developers React React Framework React Js React vs Angular ReactJS SaaS SaaS vs IaaS vs PaaS SciChart SCRUM scrum workflow Secure web application Security Tips for .Net App Development Security Tips for .Net Development Security Tips for eCommece SEO Techniques SEO Tips for Podcast Shopify SignalR Siri of apple Smart Contracts Software software development Software Development Agency Software Development Trends Software Monitoring Tools software outsourcing Software Outsourcing Agency Software Outsourcing Challenges Software outsourcing companies india Solidity Supply Chain Management Technology News Telerik AppBuilder Telerik RadChart Top 10 PHP Frameworks Training Systems Tutoring Software Development Typescript uCommerce Umbraco Unvalidated Redirects and Forwards Usability Use of Blockchain in Businesses User-Friendliness vb.net VB.Net Development Video Conferencing Software Development Virto commerce Visual Studio Visual Studio 2019 Visual Studio Code Visual Studio Extensions VMO VSTO VSTO Add-in Vue Framework Vue Js Vue.js vueJS web api web application security Web Designing Web development Web Development Trends Web Security Tips Web software development companies what is Angular 9 Why Hire Software Development Agency Work from Home Xamarin YouTube Marketing YouTube Marketing Tips Znode


category

recent post

  • 22 Sep 2020 Visual Studio 2019 was published on April 2nd, 2019. It is an integrated,... [ more ]
  • 22 Sep 2020 In previous years, 67 % of small businesses practiced a cyber-attack,... [ more ]
  • 22 Sep 2020 Whether you operate as a startup business or an international company... [ more ]

archive

Copyright 2020 iFour Technolab Pvt. Ltd. all the rights reserved.