Friday, June 28, 2013

C# - Insecure Direct Object Reference By Sivanath KS (Software Developer)


Ø  Definition:
“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.”

Ø  Insecure Direct Object References are flaws in system design where access to sensitive data is not fully protected.
Ø  Insecure Direct Object Reference is an attack where the attacker, who is an authenticated system user, simply changes a parameter value that directly refers to a system object in order to reach another object.
Ø  Identifying this vulnerability is slightly more difficult with automated tools than other vulnerabilities, because to exploit it you not only need to identify the flawed interface but also need to predict the pattern of the object identifiers, such as a file name, user ID or customer ID.
Ø  Let’s imagine we have an ASP.NET webpage which is loaded once a user is authenticated to the system.
Ø  In this example, the user is a customer and one of the functions available to them is the ability to view their customer details.



Ø  After clicking the button, the customer details are returned and written to the page.






Ø  Hitting the button again exposes the following information in Firebug.



Ø  Re-use the same request but with a different customer ID.

Ø  With a new request now created, let’s hit the “Execute” button, then switch back to the Inspectors view in Fiddler and look at the response.





Ø  Now we can get a different customer’s details.

Ø  Protection:

• Avoid exposing private object references to users whenever possible, such as primary keys or filenames.
• Verify authorization to all referenced objects.
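The following C# is an added example (not code from the original post) showing the second protection point: the handler that looks up a customer directly from the request parameter, beside a version that first verifies the authenticated user (User.Identity.Name in ASP.NET) owns the referenced record. The customer records, login names and the CustomerService class are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample data: each customer record belongs to one login name.
public class Customer
{
    public int Id;
    public string OwnerLogin;
    public string Details;
}

public static class CustomerService
{
    static readonly Dictionary<int, Customer> Db = new Dictionary<int, Customer>
    {
        { 101, new Customer { Id = 101, OwnerLogin = "alice", Details = "Alice, 12 Main St" } },
        { 102, new Customer { Id = 102, OwnerLogin = "bob",   Details = "Bob, 9 Elm Rd" } },
    };

    // Vulnerable pattern from the post: the ID taken from the request is
    // looked up directly, so any authenticated user can read any customer.
    public static string GetDetailsInsecure(int requestedId)
    {
        return Db[requestedId].Details;
    }

    // Hardened: the caller's identity is checked against the owner of the
    // referenced object. "Not found" and "not yours" give the same error so
    // the response does not reveal which IDs exist.
    public static string GetDetailsChecked(string authenticatedLogin, int requestedId)
    {
        Customer c;
        if (!Db.TryGetValue(requestedId, out c) || c.OwnerLogin != authenticatedLogin)
            throw new UnauthorizedAccessException("Customer not found");
        return c.Details;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Bob is logged in and submits a request carrying customerId=101.
        Console.WriteLine(CustomerService.GetDetailsInsecure(101));      // Alice's record leaks
        try { CustomerService.GetDetailsChecked("bob", 101); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("Denied: " + e.Message); }
        Console.WriteLine(CustomerService.GetDetailsChecked("bob", 102)); // Bob's own record
    }
}
```

In a real ASP.NET page the authenticatedLogin argument comes from the server-side identity (User.Identity.Name), never from a request parameter, and the ownership check belongs in the data access layer so every page that reads a customer goes through it.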
Ø  Insecure Direct Object Reference in the “Nokia” website.
For reference:





Thanks to Mr K.S. Sivanath for his valuable document about Insecure Direct Object Reference vulnerabilities in OWASP CONCEPTS. Contact Details: sivanathks@hotmail.com