Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Insecure Direct Object Reference
Introduction
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
[Figure: OWASP Risk Profile (source: OWASP)]
Types
Files: confidential documents
Demo 1
Video: streams from networked personal webcams
Demo 2
Applications: web pages or services that allow requests to be made to specific objects without proper verification of the requestor's right to the content.
Applications frequently use the actual name or key of an object when generating web pages.
Applications don't always verify that the user is authorized for the target object.
Developers often have a false expectation that the application will only ever be accessed in the intended context.
Example:
A web application allows users to log in to access their past order information.
Once the user is authenticated to the system, he/she can view not only his/her own orders but also those of other customers by manipulating the insecure direct object reference, for example: orderdetails.aspx?orderID=12422 (another customer's order).
Defense measures
Implementing a cookie routine to disallow other customers' orders from being viewed (still not safe, because the client controls the cookie value).
Demo 3
Implementing a session routine to disallow other customers' orders from being viewed (the requester's identity is held server-side).
Demo 4
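The three variants above, written as an added Python example rather than the course's ASP.NET demos: the unchecked lookup behind orderdetails.aspx?orderID=..., the cookie routine that is still not safe, and the session routine that resolves the requester's identity on the server. The ORDERS and SESSIONS tables, the cookie name "customer", and handle_order_request are constructed for this illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: orderID -> (owning customer, order details).
ORDERS = {
    12421: ("alice", "2x widgets"),
    12422: ("bob", "1x gadget"),
}

# Server-side session store: opaque session token -> authenticated customer.
SESSIONS = {"sess-a1": "alice", "sess-b2": "bob"}


def lookup_vulnerable(order_id):
    """Plain direct object reference: any valid orderID is returned, whoever asks."""
    return ORDERS.get(order_id, (None, None))[1]


def lookup_cookie_check(order_id, cookies):
    """'Cookie routine': compares the order's owner with a customer id read from a
    client-supplied cookie. Still not safe: the client controls the cookie value,
    so the comparison uses data the requester chose rather than a verified identity."""
    owner, details = ORDERS.get(order_id, (None, None))
    if owner is None or cookies.get("customer") != owner:
        return None
    return details


def lookup_session_check(order_id, session_token):
    """'Session routine': the requester's identity comes from the server-side session
    store, not from the request, and must match the order's owner."""
    user = SESSIONS.get(session_token)
    owner, details = ORDERS.get(order_id, (None, None))
    if user is None or owner is None or owner != user:
        return None
    return details


def handle_order_request(url, session_token):
    """Parse orderdetails.aspx?orderID=... and answer with the session-checked lookup.
    Returns (status, body); a denied or missing order both yield 404 so the response
    does not reveal whether the requested orderID exists."""
    query = parse_qs(urlparse(url).query)
    try:
        order_id = int(query.get("orderID", [""])[0])
    except ValueError:
        return 400, "bad orderID"
    details = lookup_session_check(order_id, session_token)
    if details is None:
        return 404, "not found"
    return 200, details
```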