In the articles which we have already published on the topic of application security, there has been a recurring topic of proper authentication within the application. Applications are built in layers, with different degrees of access being granted to different users; depending upon whether their credentials have been correctly authenticated. Obviously the primary access to the application should be as secure as possible, with timeouts, secure password policies etc. This article will look at the need for secure references within the application.
A direct object reference is when the developer exposes a reference to an internal ‘object’ within the application. Essentially, when the code points to one of the ‘parts’ which makes up the app. These include the numerous ‘building blocks’ of applications such as specific files, database keys and internal directories. All of these are necessary aspects to make the app work properly for the end-user. The danger which you face by having Insecure Direct Object References is that an attacker can easily modify the parameter’s which have been generated in their browser to access confidential data.
For example; say you have a secure database which stores payment information for your users, this is done for their convenience and to increase their overall ease-of-use if the application is often used as a step in making financial purchases. This could also apply where customers have submitted other personal information, for you to use in providing them with a better experience. If the application uses a SQL call but the initial data is unverified (i.e. user credentials) which is then used to access this account information, attackers can exploit the insecurity in the parameter to access details from any account.
The effect which this can […]