Insecure Direct Object Access occurs when an application takes an object identifier supplied by the user (a parameter or path from the web page) and acts on it without checking that the user is authorised to access that object. The application executes the request and returns the result to the user. This can be very serious, because an attacker can reach objects they should not see, such as files, directories or database records. The impact on an organisation can be significant, as attackers can use this foothold to dig deeper for further weaknesses.
It is a very basic attack, and many people perform it unknowingly in their daily routine simply by changing a parameter or the path in the browser's address bar. Currently it occupies the fourth spot in the top 10 list of security risks.
www.example.com/profile.php?p=2
An attacker can simply change the value above from ‘2’ to ‘3’ and access another user's profile details, and can keep trying other values to find further details.
To prevent this attack, the application needs to verify that the user is authorised to access the requested resource.
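The check described above, as an added example that is not part of the original post: a profile lookup modelled on profile.php?p=2, first with the flaw (the handler trusts p and ignores who is asking) and then with the ownership check, plus a denial log a defender can alert on. The profile store, user ids and e-mail values are constructed for the example.

```python
# Added example (not from the original post). All data below is constructed.
from typing import Dict, List, Optional

# Constructed sample store: profile id -> owning user id and private details.
PROFILES: Dict[int, dict] = {
    1: {"owner": 1, "email": "alice@example.invalid"},
    2: {"owner": 2, "email": "bob@example.invalid"},
    3: {"owner": 3, "email": "carol@example.invalid"},
}

# Denied lookups are recorded here; repeated denials from one session are a
# useful signal that someone is tampering with the p parameter.
AUDIT_LOG: List[dict] = []


def vulnerable_profile(session_user: int, p: str) -> Optional[dict]:
    """Flawed handler: trusts the 'p' parameter and never looks at session_user."""
    return PROFILES.get(int(p))


def hardened_profile(session_user: int, p: str) -> Optional[dict]:
    """Fixed handler: the object referenced by 'p' must belong to session_user."""
    try:
        pid = int(p)
    except ValueError:
        AUDIT_LOG.append({"user": session_user, "p": p, "reason": "malformed"})
        return None
    profile = PROFILES.get(pid)
    # Treat "does not exist" and "not yours" identically so the response does
    # not reveal which ids are valid.
    if profile is None or profile["owner"] != session_user:
        AUDIT_LOG.append({"user": session_user, "p": p, "reason": "not owner"})
        return None
    return profile


def denials_by_user(log: List[dict]) -> Dict[int, int]:
    """Count denied lookups per session user, for alerting on tampering."""
    counts: Dict[int, int] = {}
    for entry in log:
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts
```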
Security Testing - Insecure Direct Object Access