What are Web Application Access Control Threats?
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) have released a Cybersecurity Advisory to warn vendors, designers, and developers of web applications, and organizations using web applications, about insecure direct object reference (IDOR) vulnerabilities.[1] IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile applications that use affected web APIs) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, cyberattackers can access sensitive data, modify or delete objects, or access functions. IDOR vulnerability types include:
- Horizontal IDOR vulnerabilities. Horizontal IDOR vulnerabilities occur when a user can access data that they should not be able to access at the same privilege level (e.g., other users’ data).
- Vertical IDOR vulnerabilities. Vertical IDOR vulnerabilities occur when a user can access data that they should not be able to access because the data requires a higher privilege level.
- Object-level IDOR vulnerabilities. Object-level IDOR vulnerabilities occur when a user can modify or delete an object that they should not be able to modify or delete.
- Function-level IDOR vulnerabilities. Function-level IDOR vulnerabilities occur when a user can access a function or action that they should not be able to access.
These vulnerabilities typically exist because an object identifier is exposed, passed externally, or easily guessed, which allows any user to use or modify the identifier. The identifier can be manipulated wherever the application accepts it from the client, including:
- Body manipulation. With body manipulation, an actor modifies the HTML form field data in the body of a POST request to impact targeted records.
- URL tampering. With URL tampering, an actor modifies an identifier in URLs to impact targeted records.
- Cookie ID manipulation. With cookie ID manipulation, the actor modifies an identifier in a cookie to an identifier of a different user (including administrative users) in an attempt to gain access to that account.
- HTTP/JSON request tampering. With HTTP/JSON request tampering, an actor uses a web proxy to intercept and alter arbitrary portions of legitimate requests, including values inside JSON objects.
These vulnerabilities are frequently exploited by cyberattackers in data breach incidents, resulting in the compromise of personal, financial, and health information of millions of users and consumers. The following recommendations are aimed at reducing the prevalence of IDOR flaws and protecting sensitive data:
Vendors, designers, and developers of web application frameworks and web applications:
- Implement secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, or accesses sensitive data.
- Use automated tools for code review to identify and remediate IDOR and other vulnerabilities.
- Use indirect reference maps, ensuring that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a universally unique identifier (UUID) or a globally unique identifier (GUID).
- Exercise due diligence when selecting third-party libraries or frameworks to incorporate into your application and keep all third-party frameworks and dependencies up to date.
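The two developer recommendations above (an authorization check on every request, and an indirect reference map with random UUIDs in place of exposed IDs) are illustrated by the following added example, which is not code from the advisory. The record store, user names and the (status, body) handler convention are constructed for the illustration.

```python
import uuid

# Constructed sample store: the sequential integer key is the direct object reference
# that an attacker would tamper with in a URL, form body, cookie or JSON value.
RECORDS = {
    1: {"owner": "alice", "body": "alice's health record"},
    2: {"owner": "bob", "body": "bob's health record"},
}

def get_record_vulnerable(session_user, record_id):
    """IDOR: the client-supplied id is used as-is and ownership is never checked."""
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    return 200, record["body"]

def get_record_checked(session_user, record_id):
    """Authorization on every request: the requesting user must own the referenced object."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session_user:
        return 404, None  # same answer for "missing" and "not yours", so ids cannot be probed
    return 200, record["body"]

class IndirectReferenceMap:
    """Per-session map from random tokens to internal ids; only the token ever leaves the server."""
    def __init__(self):
        self._by_user = {}  # session_user -> {token: internal_id}

    def expose(self, session_user, internal_id):
        token = str(uuid.uuid4())  # version-4 UUID: 122 random bits, not sequential or guessable
        self._by_user.setdefault(session_user, {})[token] = internal_id
        return token

    def resolve(self, session_user, token):
        # A token is only meaningful for the session it was issued to.
        return self._by_user.get(session_user, {}).get(token)

def get_record_indirect(refmap, session_user, token):
    """Resolve the opaque token, then still run the ownership check (defence in depth)."""
    internal_id = refmap.resolve(session_user, token)
    if internal_id is None:
        return 404, None
    return get_record_checked(session_user, internal_id)

if __name__ == "__main__":
    refmap = IndirectReferenceMap()
    alice_token = refmap.expose("alice", 1)
    print(get_record_vulnerable("alice", 2))               # (200, "bob's health record"): horizontal IDOR
    print(get_record_checked("alice", 2))                  # (404, None)
    print(get_record_indirect(refmap, "bob", alice_token)) # (404, None): token not valid for bob's session
```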
All end-user organizations, including organizations with software-as-a-service (SaaS) models:
- Use due diligence when selecting web applications. Follow best practices for supply chain risk management and only source from reputable vendors.
- Apply software patches for web applications as soon as possible.
End-user organizations deploying on-premises software, infrastructure-as-a-service (IaaS), or private cloud models:
- Review the available authentication and authorization checks in web applications that enable modification of data, deletion of data, or access to sensitive data.
- Conduct regular, proactive vulnerability scanning and penetration testing to help ensure internet-facing web applications and network boundaries are secure.
[1] ACSC, CISA, & NSA (2023), “Preventing Web Application Access Control Abuse”