The fourth most common type of attack against web sites and applications is allowing objects (such as database records, files or links) to be access directly without determining the requester’s right to retrieve the content. These are known as Insecure Direct Object References. One form of exploit under this category, known as open redirect and is caused when a web page allows redirection to an external site by calling a specific URL in an unfiltered and uncontrolled manner. Practices such as this can be used to send users to a malicious site. Another form of an insecure reference, directory traversal, occurs when an application does not verify which files are allowed to be accessed; this vulnerability allows an intruder to retrieve files that should not be displayed.
Developers can combat these types of exploits by:
- removing references to direct objects.
- implementing a system of indirect reference maps that require a valid key in order to access an object.
- verifying if the current user is authorized to access a requested object.
- rejecting input that uses “../” (directory traversal attacks).
- and using integrity checks to insure object parameters have not been changed.
For more information see:
Top 10 2010-A4-Insecure Direct Object References
OWASP Top 10 for .NET developers part 4: Insecure direct object reference