
On July 27, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) released a joint advisory with the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and U.S. National Security Agency (NSA). “Preventing Web Application Control Abuse” (the Advisory) provides recommendations for designers and developers to help protect against insecure direct object reference (IDOR) vulnerabilities. 

If you’re a developer, here’s the tl;dr (too long; didn’t read) for CISA’s Guidance on “Preventing Web Application Control Abuse.” 

CISA’s High-Level Recommendations for Vendors, Designers, and Developers

The Advisory breaks recommendations down into three audience categories. For vendors, designers, and developers, the document’s first directive is to implement secure-by-design-and-default principles.  

The three primary CISA directives boil down to the following:

  • Use automated code review tools
  • Map all indirect references to prevent exposing information
  • Do research before selecting third-party libraries or frameworks, and update dependencies regularly

IDOR Vulnerabilities and Application Threats

At a technical level, IDOR vulnerabilities occur when an application or API leaves an object identifier exposed, passed externally, or easily guessed while failing to properly check the user’s authentication or authorization before acting on it. IDOR vulnerabilities give users access to data that they should not be able to reach: essentially unauthorized access with valid credentials.

The four types of IDOR vulnerability are:

  • Horizontal: unauthorized access to data at the same privilege level
  • Vertical: unauthorized access to data that requires a higher privilege level
  • Object-level: unauthorized ability to modify or delete an object
  • Function-level: unauthorized access to a function or action
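As an added illustration (not code from the Advisory or from Qwiet AI) of the horizontal, vertical and object-level cases above, the snippet below contrasts an IDOR-prone lookup with one that decides authorization from the server-side session user, and shows the indirect-reference mapping the Advisory recommends. The record store, user roles and token scheme are constructed for the example.

```python
import secrets
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised for both unknown ids and ids the caller may not touch."""

@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin"

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int

# Constructed sample data standing in for a database table.
INVOICES = {
    101: Invoice(101, "alice", 40),
    102: Invoice(102, "bob", 75),
}

def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """IDOR-prone: the id comes from the client and nothing ties it to the
    authenticated user, so any logged-in user can read any invoice."""
    return INVOICES[invoice_id]

def get_invoice_checked(user: User, invoice_id: int) -> Invoice:
    """Authorization is decided from the server-side session user only:
    owners see their own invoices, the admin role may see all."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice.owner != user.name and user.role != "admin"):
        # One response for "missing" and "not yours": differing error text
        # would confirm to a caller which ids exist.
        raise AccessDenied(f"invoice {invoice_id} not accessible")
    return invoice

def make_reference_map(user: User) -> dict[str, int]:
    """Indirect references: the client gets random per-user tokens and the
    real database ids never leave the server."""
    return {secrets.token_urlsafe(8): inv.invoice_id
            for inv in INVOICES.values() if inv.owner == user.name}

def resolve_reference(ref_map: dict[str, int], token: str) -> int:
    """Map a token back to an id; a token outside this user's map is denied."""
    if token not in ref_map:
        raise AccessDenied("unknown reference")
    return ref_map[token]
```

The reference map would be stored server-side in the user's session; a token is only ever valid for the session that issued it.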

Once malicious actors have this access, they can engage in:

  • Body manipulation: modifying the HTML form field data in a POST request’s body to impact targeted records
  • URL tampering: modifying identifiers in URLs to impact targeted records
  • Cookie ID manipulation: changing a cookie identifier to a different user’s identifier (such as an admin user’s) to access that account
  • HTTP/JSON request tampering: intercepting and altering arbitrary port