iFour Logo iFour Logo

×

HIRE US
iFour Logo

Call us now

usa +1 410 892 1119

australia +61 4 8993 1698

Get in touch

  • info@ifourtechnolab.com

  • 601 & 612, The Times square Arcade, Near Baghban party plot, Thaltej - Shilaj Road, Thaltej, Ahmedabad, Gujarat - 380059

Secure web application from Insecure direct object references

iFour Team - September 05, 2017

Listening is fun too.

Straighten your back and cherish with coffee - PLAY !

  • play
  • pause
  • pause
Secure web application from Insecure direct object references

Table of Content

‘Insecure direct object references’ is ranked 4th on the list OWASP top 10 vulnerabilities 2013. Now days, it has become a serious concern for software development companies to maintain the privacy of all the users. This vulnerability breaches the authorization gates and allow an attacker to thieve unauthorized data from web application. Let’s have detailed understanding of this vulnerability .

What is insecure direct object references?

According to OWASP definition insecure direct object references occur when web application gives direct access to those objects which are based on user-supplied input. As a result, an attacker can bypass the authorization gates and gain the access of resources of the system directly, like database files and records.

This vulnerability allows the attacker to bypass authorization steps of an application and have the access of all the resources directly by modifying the values of parameter which is used to point an object. These kinds of resources can be files of system, entries belonging to other users, etc. This happens because the application takes user supplied input and retrieve an object without checking sufficient authorization.

Read More: Web Application Development Using Asp.net Blazor Framework

How can you know you are vulnerable?

Here are some easy ways to find out if your web application is vulnerable or not.

  • Does the application verify the exact user and the resources he is given access to? (For all direct references to restricted resources)

  • Suppose the reference is an indirect reference, you need to verify if the mapping to the direct references fail to restrict the values for authorized current user.

Code review of any application by custom web application companies can identify whether we can apply either approach safely or not. In most of the cases manual testing is proved to be effective to identify direct object references and check whether they are safe or not. Automated tools generally cannot look for such flaws as they cannot distinguish protection what is safe and what is not.

Let’s have a demo website where an object id is 3 which can be seen like this.

Here is the object (A user profile)

Demo Image


 
Demo Image

Now if we just change id from id=3 to id=1 in URL, we can see that we are directly given access to that object on id=1.

 
Demo Image
 
Demo Image
 

Severity:Medium

Prevention

To prevent this vulnerability from your web application, web application software companies suggests to create a map with in your code that maps objects. These objects could be referenced internally to aliased terms which are exposed to the user. For example, an array of primary keys to a particular table might be mapped with random sequence of integers. When the value is submitted by user, the number is matched to a real value. This prevents disclosure of the actual value and also limits what a user can alter.

Looking to Hire the Best Web Development Company? Contact Now

See here

For example,

default --> index.html

account_summary --> account_summary.html

user_profile --> user_profile.html

Values supplied by the user should be vetted through an access control function to verify that he is authorized for that data.

 

Secure web application from Insecure direct object references ‘Insecure direct object references’ is ranked 4th on the list OWASP top 10 vulnerabilities 2013. Now days, it has become a serious concern for software development companies to maintain the privacy of all the users. This vulnerability breaches the authorization gates and allow an attacker to thieve unauthorized data from web application. Let’s have detailed understanding of this vulnerability . What is insecure direct object references? According to OWASP definition insecure direct object references occur when web application gives direct access to those objects which are based on user-supplied input. As a result, an attacker can bypass the authorization gates and gain the access of resources of the system directly, like database files and records. This vulnerability allows the attacker to bypass authorization steps of an application and have the access of all the resources directly by modifying the values of parameter which is used to point an object. These kinds of resources can be files of system, entries belonging to other users, etc. This happens because the application takes user supplied input and retrieve an object without checking sufficient authorization. Read More: Web Application Development Using Asp.net Blazor Framework How can you know you are vulnerable? Here are some easy ways to find out if your web application is vulnerable or not. Does the application verify the exact user and the resources he is given access to? (For all direct references to restricted resources) Suppose the reference is an indirect reference, you need to verify if the mapping to the direct references fail to restrict the values for authorized current user. Code review of any application by custom web application companies can identify whether we can apply either approach safely or not. In most of the cases manual testing is proved to be effective to identify direct object references and check whether they are safe or not. Automated tools generally cannot look for such flaws as they cannot distinguish protection what is safe and what is not. Let’s have a demo website where an object id is 3 which can be seen like this. Here is the object (A user profile)   Now if we just change id from id=3 to id=1 in URL, we can see that we are directly given access to that object on id=1.       Severity:Medium Prevention To prevent this vulnerability from your web application, web application software companies suggests to create a map with in your code that maps objects. These objects could be referenced internally to aliased terms which are exposed to the user. For example, an array of primary keys to a particular table might be mapped with random sequence of integers. When the value is submitted by user, the number is matched to a real value. This prevents disclosure of the actual value and also limits what a user can alter. Looking to Hire the Best Web Development Company? Contact Now See here For example, default --> index.html account_summary --> account_summary.html user_profile --> user_profile.html Values supplied by the user should be vetted through an access control function to verify that he is authorized for that data.  

Build Your Agile Team

Recent Posts

Categories

Ensure your sustainable growth with our team

Talk to our experts
Sustainable
Sustainable
 
Blog Our insights
19 CEO Dashboard Examples for Business Leaders

20 February 2025

Kapil Panchal

19 CEO Dashboard Examples for Business Leaders

Let's rewind to the 1990s. Data used to be stored on servers and CEOs relied on basic tools to make optimal decisions. No dashboards, nothing. When you use Power BI with a solid...

How to Export Power BI Data to Excel

31 January 2025

Kapil Panchal

How to Export Power BI Data to Excel

Imagine walking into a meeting where critical decisions need to be made—fast. You need clear, flexible data that you can analyze on the spot. But what if your insights are locked inside...

8 Powerful Data Storytelling Examples for CTOs

30 January 2025

Kapil Panchal

8 Powerful Data Storytelling Examples for CTOs

Clear insights mean smarter decisions, and this is what data storytelling does. It helps you speak a language that you quickly understand. Like for example, you are a CTO dealing with...