SUMMARY
The Australian Signals Directorates Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.
These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.
ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisoryincluding the followingto reduce prevalence of IDOR flaws and protect sensitive data in their systems.
Download the PDF version of this report:
IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.
Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessedallowing any user to use or modify the identifier.
These vulnerabilities are common[1] and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information). Data leaks or breaches facilitated by IDOR vulnerabilities include:
ACSC, CISA, and NSA recommend that vendors, designers, and implementors of web applicationsincluding organizations that build and deploy software (such as HR tools) for their internal use and organizations that create open-source projectsimplement the following mitigations. These mitigations may reduce prevalence of IDOR vulnerabilities in software and help ensure products are secure-by-design and -default.
For more information, see the joint Enduring Security Frameworks Securing the Software Supply Chain: Recommended Practices Guide for Developers, CISAs Supply Chain Risk Management Essentials, and ACSCs Cyber Supply Chain Risk Management.
Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices in production and enterprise environments. Software developers are high-value targets because their customers deploy software on their own trusted networks. For best practices, see:
ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture.
Additionally, ACSC, CISA, and NSA recommend following cybersecurity practices. For best practices, see ACSCs Essential Eight, CISAs CPGs, and NSAs Top Ten Cybersecurity Mitigation Strategies.
ACSC, CISA, and NSA recommend that organizations:
ACSC, CISA, and NSA recommend that organizations with on-premises software or IaaS consider using SaaS models for their internet-facing websites.
Organizations leveraging SaaS with sufficient resources may consider conducting penetration testing and using vulnerability scanners. However, such tests may interfere with service provider operations. Organizations should consult with their legal counsel as appropriate to determine what can be included in the scope of the penetration testing.
If you or your organization are victim to a data breach or cyber incident, follow relevant cyber incident response and communications plans, as appropriate.
[1] A01 Broken Access Control - OWASP Top 10:2021
[2] A massive stalkerware leak puts the phone data of thousands at risk
[3] Mobile device monitoring services do not authenticate API requests
[4] Behind the stalkerware network spilling the private phone data of hundreds of thousands
[5] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records
[6] Biggest Data Breaches in US History [Updated 2023]
[7] AT&T Hacker 'Weev' Sentenced to 3.5 Years in Prison
[8] Fuzzing | OWASP Foundation
The information in this report is being provided "as is" for informational purposes only. ACSC, CISA, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States or Australian Governments, and this guidance shall not be used for advertising or product endorsement purposes.
This document was developed in furtherance of the authors cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Continue reading here:
Preventing Web Application Access Control Abuse - CISA