Insecure Direct Object Reference
Insecure Direct Object Reference
Description
A direct object reference occurs when an Application exposes a direct reference to an internal object without proper authorization.
This class of vulnerability results in an insecure direct, which may result in access to sensitive data and authorization bypass.
Recommendation
There are multiple ways to prevent Indirect Object Reference vulnerabilities:
- Perform proper access control checks.
- Use indirect reference using the user\'s session or account.
Links
Standards
- CWE_TOP_25:
- CWE_862
- PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- REQ_6_3
- REQ_6_4
- REQ_7_3
- REQ_11_3