One of the most commonly exploited forms of vulnerability in web applications was highlighted in a joint advisory by international cyber defence agencies.
The advisory warning was about web application access control abuse witnessed via Insecure Direct Object Reference (IDOR) vulnerabilities.
The IDOR vulnerabilities advisory was mainly for alerting vendors, designers, and web application developers, among others, to maintain due diligence for software security.
IDOR vulnerabilities advisory by CISA, ACSC, and NSA
The IDOR vulnerabilities advisory was released jointly by Cybersecurity and Infrastructure Security Agency (CISA), with its partners, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), and United States’ National Security Agency (NSA).
Some of the important points mentioned in the IDOR vulnerabilities were as follows –
- IDOR vulnerabilities are commonly found in software which makes them an easier method for hackers to gain access to systems.
- Vendors, designers, and developers of web applications frameworks and web apps should implement secure-by-design and -default principles. They must make sure that the software manifests authentication and authorization checks for every request. These requests allow hackers to access, modify, and delete sensitive data.
- Get the codes of web apps by automated tools to find IDOR vulnerabilities in them and other security flaws.
- To protect IDs, names, and keys from showing on the URL, use indirect reference maps. Replace sensitive details with cryptographically strong and random values and use a universally unique identifier (UUID) or a globally unique identifier (GUID).
- Choose third-party libraries or frameworks for applications cautiously and keep them updated to the latest versions.
A set of instructions were given for end-user organizations including those using Software-as-a-Service (SaaS) models. They were urged to be cautious while opting for web applications, and maintain optimum supply chain risk management besides working with reputable vendors only.
For end-user organizations with on-premise software, Infrastructure-as-a-Service (IaaS), and/ or private cloud models, another set of instructions was relayed. They must review the current authentication and authorization checks in web applications.
This will help curb unauthorized access to data. They must conduct vulnerability scanning to mitigate risks posed by IDOR vulnerabilities and others. This will ensure the safety of internet-facing web apps and network boundaries.
IDOR vulnerabilities explained
The IDOR vulnerabilities joint cybersecurity advisory detailed various types of IDOR vulnerabilities besides explaining more about it.
It read, “IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users.”
It explained that IDOR vulnerabilities in web and mobile phone applications can be exploited when the application API used an identifier like an ID number, name, or key to directly access a database or record referred to as an object. All while it failed to authenticate or authorize the hacker submitting the request.
It specified that such attacks succeed in the absence of basic required authentication and authorization checks. IDOR vulnerabilities were exploited by hackers for cyber attacks because they can be abused at scale and it is difficult to stop outside the development process.
IDOR vulnerabilities such as CVE-2022-0732 have been exploited to compromise personal, financial, and health information.
It explained that horizontal IDOR vulnerabilities led hackers to access data not accessible with the same privilege level, and vertical IDOR vulnerabilities were when they accessed data that required a higher privilege level.
Object-level IDOR vulnerabilities involved modifying and/ or deleting objects not to be accessible by them while function-level IDOR vulnerabilities allowed hackers to access functions or actions not permitted to them.
Security measures must be implemented to prevent the exposure of object identifiers, having them easily guessed by hackers and allowing them to modify identifiers.
