 

Should Insecure Direct Object Reference be taken seriously when developing public RESTful APIs?

Tags: rest, owasp, api

I went reading OWASP's 2013 Top-10, and found out that Insecure Direct Object Reference ranks 4th. However, when I tried to study further on some existing public RESTful APIs, it turns out Facebook and the World Bank don't even bother about it. Both are simply using direct object references, as you can see with the examples below:

Facebook API call

http://graph.facebook.com/5

World Bank API call

http://api.worldbank.org/countries/us?format=json

Does that mean we shouldn't take seriously Insecure Direct Object Reference when developing public RESTful APIs?

Abel Callejo asked Aug 08 '14 13:08




1 Answer

Directly from the OWASP guide:

How Do I Prevent This?
Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):
1. Use per user or session indirect object references. [...]
2. Check access. [...]

Facebook and the World Bank chose option 2 instead of option 1.

Eric Stein answered Oct 23 '22 05:10
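The two OWASP options quoted in the answer, side by side with the bare IDOR handler they fix, as an added Python example that is not code from the question, the answer or OWASP. The record store, the user names and the handler names are constructed for illustration; a real API would fetch the object from a database and take the caller from the authenticated session. Records marked `public` stand in for data like `graph.facebook.com/5`, where a direct id is harmless because the access check passes for everyone.

```python
"""Direct object references with and without an authorization check.

Added example, not code from the question, the answer or the OWASP guide.
The records, users and handler names below are all constructed here.
"""
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


@dataclass(frozen=True)
class Record:
    id: int
    owner: str      # user who owns the record
    public: bool    # True if anyone may read it (a public profile, a country)
    body: str


# Constructed sample data: records 1 and 2 are private, record 3 is public.
RECORDS = {
    1: Record(1, "alice", False, "alice's private notes"),
    2: Record(2, "bob", False, "bob's private notes"),
    3: Record(3, "carol", True, "carol's public profile"),
}


def get_record_insecure(record_id: int, caller: str) -> Record:
    """IDOR: the key comes straight from the URL and nobody asks who is calling."""
    return RECORDS[record_id]


def get_record_checked(record_id: int, caller: str) -> Record:
    """OWASP option 2: keep the direct reference, check access on every request.

    The check runs against the object actually fetched, so guessing another
    user's id buys the attacker nothing; public objects stay readable by all.
    """
    rec = RECORDS.get(record_id)
    if rec is None:
        raise KeyError(record_id)
    if not (rec.public or rec.owner == caller):
        # A real API may want to return the same status for "not yours" and
        # "does not exist" so that valid ids cannot be enumerated.
        raise Forbidden(f"{caller} may not read record {record_id}")
    return rec


class IndirectRefSession:
    """OWASP option 1: per-session indirect references.

    The client never sees the database key. It gets an opaque random token
    that is valid only in this session and only for objects this session
    was allowed to list, so there is no id space to walk.
    """

    def __init__(self, user: str):
        self.user = user
        self._token_to_id: dict[str, int] = {}

    def list_records(self) -> dict[str, Record]:
        """Build the token map from the records this user may see."""
        visible = {}
        for rec in RECORDS.values():
            if rec.public or rec.owner == self.user:
                token = secrets.token_urlsafe(16)
                self._token_to_id[token] = rec.id
                visible[token] = rec
        return visible

    def get_record(self, token: str) -> Record:
        """Resolve an indirect reference; unknown tokens are simply rejected."""
        if token not in self._token_to_id:
            raise Forbidden(f"unknown reference {token!r}")
        return RECORDS[self._token_to_id[token]]


def demo():
    # The insecure handler hands bob alice's notes for GET /records/1.
    leaked = get_record_insecure(1, caller="bob").body
    # The checked handler serves the same URL but refuses bob.
    try:
        get_record_checked(1, caller="bob")
        refused = False
    except Forbidden:
        refused = True
    # Public data is fine to expose by direct id.
    public_ok = get_record_checked(3, caller="bob").public
    # Indirect references: bob's tokens can only ever resolve to his view.
    session = IndirectRefSession("bob")
    ids_reachable = sorted(r.id for r in session.list_records().values())
    return leaked, refused, public_ok, ids_reachable


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` returns `("alice's private notes", True, True, [2, 3])`: the unchecked handler leaks, the checked handler refuses the private record and still serves the public one, and the indirect-reference session exposes only records 2 and 3 to bob. Option 2 is the one the public APIs in the question use; it is also the one that scales, since option 1 needs per-session state and makes URLs unshareable and uncacheable.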