I went reading OWASP's 2013 Top-10, and found out that Insecure Direct Object Reference ranks 4th. However, when I tried to study further on some existing public RESTful APIs, it turns out Facebook and the World Bank don't even bother about it. Both are simply using direct object references, as you can see with the examples below:
Facebook API call
http://graph.facebook.com/5
World Bank API call
http://api.worldbank.org/countries/us?format=json
Does that mean we shouldn't take Insecure Direct Object Reference seriously when developing public RESTful APIs?
Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a “direct object reference,” such as a database key, query parameter, or filename.
Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.
The Insecure Direct Object References vulnerability arises as a consequence of three security gaps: A client can alter user-supplied input such as form or URL parameter values to modify an object reference. The web server exposes a direct reference to an internal operation or object.
Directly from the OWASP guide:
How Do I Prevent This?
Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):
1. Use per user or session indirect object references. [...]
2. Check access. [...]
Facebook and the World Bank chose option 2 instead of option 1.
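To make the two OWASP options concrete, here is an added example (not code from the question, the answer, Facebook or the World Bank) that puts a direct-reference lookup with no access check next to both fixes: option 2 keeps the real id in the URL and authorizes every object, and option 1 hands each session opaque per-session tokens instead of real ids. The in-memory record store, the users, and the "public or owner-only" rule are constructed assumptions for the demo.

```python
import secrets

# Constructed sample store (not real data): record id -> owner, visibility, body.
RECORDS = {
    1: {"owner": "alice", "public": False, "body": "alice's private notes"},
    2: {"owner": "bob", "public": False, "body": "bob's private notes"},
    3: {"owner": "bob", "public": True, "body": "bob's public profile"},
}


def may_read(caller: str, rec: dict) -> bool:
    """Assumed authorization rule: public records are world-readable (the
    Facebook / World Bank case), private ones are readable only by their owner."""
    return rec["public"] or rec["owner"] == caller


def get_record_unchecked(record_id: int):
    """The IDOR defect: a direct reference resolved with no access check,
    so whoever changes the id in the URL reads someone else's record.
    Returns an (http_status, body) pair like a minimal REST handler."""
    rec = RECORDS.get(record_id)
    return (404, None) if rec is None else (200, rec["body"])


def get_record_checked(caller: str, record_id: int):
    """OWASP option 2: keep the direct id but authorize per object.
    A forbidden id gets the same 404 as a missing one, so the endpoint
    does not act as an oracle for which private ids exist."""
    rec = RECORDS.get(record_id)
    if rec is None or not may_read(caller, rec):
        return (404, None)
    return (200, rec["body"])


class Session:
    """OWASP option 1: per-session indirect references. The server mints
    opaque tokens for the objects a user may see and keeps the token -> id
    map itself, so a guessed or altered token resolves to nothing."""

    def __init__(self, user: str):
        self.user = user
        self._ref_to_id: dict[str, int] = {}

    def list_visible(self) -> list[str]:
        """Mint one fresh random token per readable record; only these are valid."""
        tokens = []
        for record_id, rec in RECORDS.items():
            if may_read(self.user, rec):
                token = secrets.token_urlsafe(16)
                self._ref_to_id[token] = record_id
                tokens.append(token)
        return tokens

    def get_record(self, token: str):
        """Resolve the token through this session's own map; never accept a raw id.
        The access check is repeated at resolution time in case visibility
        changed after the token was minted."""
        record_id = self._ref_to_id.get(token)
        if record_id is None or not may_read(self.user, RECORDS[record_id]):
            return (404, None)
        return (200, RECORDS[record_id]["body"])


def fetch_all_via_tokens(user: str) -> list[str]:
    """Walk one session's indirect references end to end and return the bodies."""
    session = Session(user)
    return sorted(session.get_record(t)[1] for t in session.list_visible())


if __name__ == "__main__":
    print("unchecked, alice asks for bob's record 2:", get_record_unchecked(2))
    print("checked,   alice asks for bob's record 2:", get_record_checked("alice", 2))
    print("checked,   alice asks for public record 3:", get_record_checked("alice", 3))
    print("indirect,  alice's readable bodies:", fetch_all_via_tokens("alice"))
```

The public Facebook and World Bank endpoints in the question are the `rec["public"]` branch of `may_read`: a direct id is harmless there because the authorization decision is "everyone may read". The defect only appears when a handler like `get_record_unchecked` serves private data, which is why option 2 is a per-object check rather than a property of the URL scheme.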