Insecure Direct Object Reference

Insecure Direct Object Reference

Risk: high

Description

A direct object reference occurs when an Application exposes a direct reference to an internal object without proper authorization.

This class of vulnerability results in an insecure direct, which may result in access to sensitive data and authorization bypass.

Recommendation

There are multiple ways to prevent Indirect Object Reference vulnerabilities:

1. Use Indirect Object References: Instead of exposing direct references to internal objects (such as database IDs), use indirect references or tokens that are mapped to the objects on the server-side. This prevents users from tampering with identifiers directly.

2. Implement Access Controls: Apply access controls at both the frontend and backend to enforce restrictions on what data users can access. This includes role-based access control (RBAC), attribute-based access control (ABAC), or any other relevant access control mechanism.

3. Use Cryptographically-Secure Object References: If possible, use cryptographic techniques such as HMAC or UUID to generate unpredictable secure object references or tokens.

Links

• Insecure Direct Object Reference Prevention Cheat Sheet (OWASP)

Standards

• CWE_TOP_25:
  • CWE_862
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2
  • REQ_6_3
  • REQ_6_4
  • REQ_7_3
  • REQ_11_3
• SOC2_CONTROLS:
  • CC_2_1
  • CC_4_1
  • CC_6_1
  • CC_7_1
  • CC_7_2
  • CC_7_4
  • CC_7_5