Top 10 2010-A4-Insecure Direct Object References

The application uses unverified data in a SQL call that is accessing account information:
 * String query = "SELECT * FROM accts WHERE account = ?";
 * PreparedStatement pstmt = connection.prepareStatement(query, ... );
 * pstmt.setString( 1, request.getparameter("acct"));
 * ResultSet results = pstmt.executeQuery;

The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account.
 * http://example.com/app/accountInfo?acct= notmyacct


 * OWASP Top 10-2007 on Insecure Dir Object References
 * ESAPI Access Reference Map
 * ESAPI Access Control API (See isAuthorizedForData, isAuthorizedForFile, isAuthorizedForFunction )

For additional access control requirements, see the ASVS requirements area for Access Control (V4)


 * CWE Entry 639 on Insecure Direct Object References
 * CWE Entry 22 on Path Traversal (which is an example of a Direct Object Reference attack)