Difference between revisions of "Top 10 2010-A4-Insecure Direct Object References"

From OWASP
(Replaced content with 'ASVS')
Line 1: Line 1:
[[http://www.owasp.org/index.php/ASVS#tab=Download|ASVS]]
+
{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
 +
 
 +
<center>
 +
{| style="align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;"
 +
|- style="background-color: #4F81Bd; color: #000000;"
 +
! Threat Agents !! Attack Vectors
 +
! colspan="2" | Security Weakness
 +
! Technical Impact
 +
! Business Impacts
 +
|-
 +
| style="background-color: #D9D9D9; color: #000000;" | ______
 +
| style="background-color: #FF0000; color: #000000;" | Exploitability<br>EASY
 +
| style="background-color: #FFB200; color: #000000;" | Prevalence<br>COMMON
 +
| style="background-color: #FF0000; color: #000000;" | Detectability<br>EASY
 +
| style="background-color: #FFB200; color: #000000;" | Impact<br>MODERATE
 +
| style="background-color: #D9D9D9; color: #000000;" | ______
 +
|-
 +
| style="text-align: left; border: 2px solid #FFFFFF;" | Consider the types of users of your system. Do any users have only partial access to certain types of system data?
 +
| style="text-align: left; border: 2px solid #FFFFFF;" | Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted?
 +
| colspan="2" style="text-align: left;border: 2px solid #FFFFFF;" | Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws and code analysis quickly shows whether authorization is properly verified.
 +
| style="text-align: left; border: 2px solid #FFFFFF;" | Such flaws can compromise all the data that can be referenced by the parameter. Unless the name space is sparse, it’s easy for an attacker to access all available data of that type.
 +
| style="text-align: left; border: 2px solid #FFFFFF;" | Consider the business value of the exposed data.
 +
 
 +
Also consider the business impact of public exposure of the vulnerability.
 +
|}
 +
</center>
 +
 
 +
{{Top_10_2010:SubsectionVulnerableTemplate|Insecure Direct Object References|
 +
The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:
 +
#For '''direct''' references to '''restricted''' resources, the application needs to verify the user is authorized to access the exact resource they have requested.
 +
#If the reference is an indirect reference, the mapping to the direct reference must be limited to values authorized for the current user.
 +
Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.
 +
}}
 +
 
 +
{{Top_10_2010:SubsectionPreventionTemplate|Insecure Direct Object References|
 +
 
 +
}}
 +
 
 +
{{Top_10_2010:SubsectionExampleTemplate|Insecure Direct Object References|}}
 +
 
 +
}}
 +
 
 +
{{Top_10_2010:SubsectionReferencesTemplate|Insecure Direct Object References|
 +
 
 +
|
 +
 
 +
}}
 +
<br> {{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
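Review bot: the lone `}}` four lines after `{{Top_10_2010:SubsectionExampleTemplate|Insecure Direct Object References|}}` is unbalanced: that template call already closes itself, so the extra `}}` is emitted as literal text (the rendered revision below shows a bare "}}" under "Example Attack Scenarios"). The Prevention template body and the Example template's content argument are also empty, and the References template carries only an empty `|` argument, so all three sections render without content. Suggest dropping the stray `}}` and filling the Prevention, Example and References bodies before this revision is published.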

Revision as of 19:50, 18 April 2010

Threat Agents: Consider the types of users of your system. Do any users have only partial access to certain types of system data?

Attack Vectors (Exploitability: EASY): An attacker who is an authorized system user simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted?

Security Weakness (Prevalence: COMMON; Detectability: EASY): Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws, and code analysis quickly shows whether authorization is properly verified.

Technical Impact (Impact: MODERATE): Such flaws can compromise all the data that can be referenced by the parameter. Unless the name space is sparse, it’s easy for an attacker to access all available data of that type.

Business Impacts: Consider the business value of the exposed data. Also consider the business impact of public exposure of the vulnerability.

Am I Vulnerable to Insecure Direct Object References?

The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:

  1. For direct references to restricted resources, the application needs to verify the user is authorized to access the exact resource they have requested.
  2. If the reference is an indirect reference, the mapping to the direct reference must be limited to values authorized for the current user.

Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.
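The two defenses listed above, as an added example that is not part of the OWASP page: a small document store with an unchecked direct reference, the same direct reference verified against the current user (defense 1), and a per-user indirect reference map whose entries are limited to the user's own objects (defense 2). Users, documents and the session map are constructed sample data.

```python
"""Added example (not OWASP's own code): insecure direct object reference beside
the two defenses from the text. All data here is constructed for illustration."""
import secrets

# Constructed sample data: document id -> (owner, content)
DOCUMENTS = {
    1001: ("alice", "alice's tax return"),
    1002: ("bob", "bob's medical record"),
    1003: ("alice", "alice's payslip"),
}


class Forbidden(Exception):
    """Raised when the current user is not authorized for the requested object."""


def get_document_insecure(current_user, doc_id):
    """Insecure direct object reference: the id from the request is used as-is,
    so the owner is never compared with the current user."""
    return DOCUMENTS[doc_id][1]


def get_document_direct_checked(current_user, doc_id):
    """Defense 1: direct reference, but the exact requested object is checked
    against the current user before anything is returned."""
    owner, content = DOCUMENTS.get(doc_id, (None, None))
    if owner != current_user:
        # One response for 'not yours' and 'does not exist' avoids confirming
        # which ids are valid in a dense id space.
        raise Forbidden(f"user {current_user!r} may not access document {doc_id}")
    return content


def build_indirect_map(current_user):
    """Defense 2: per-session indirect references. Only objects the user is
    authorized for get an entry, so the map itself bounds what can be resolved."""
    return {
        secrets.token_urlsafe(8): doc_id
        for doc_id, (owner, _) in DOCUMENTS.items()
        if owner == current_user
    }


def get_document_indirect(current_user, session_map, ref):
    """Resolve an opaque reference through the current user's own map; a
    reference that is not in the map (forged, guessed, another user's) is rejected."""
    if ref not in session_map:
        raise Forbidden(f"unknown reference {ref!r} for user {current_user!r}")
    return DOCUMENTS[session_map[ref]][1]
```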


How Do I Prevent Insecure Direct Object References?

Example Attack Scenarios


References



© 2002-2010 OWASP Foundation. This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved.