Insecure Direct Object Reference
- Insecure Direct Object Reference occurs when a developer exposes a reference to an internal implementation object (for example a database key or a file name) in a URL or form parameter.
- An attacker manipulates that direct object reference to access other objects without authorization.
- A user can change any of the red-marked values and see other users' contact information.
- This type of attack occurred against the Australian Taxation Office's GST Start Up Assistance site in 2000, where a legitimate but hostile user simply changed the ABN (a company tax ID) present in the URL.
- The goal is to verify that the application does not allow direct object references to be manipulated by an attacker.
- Verify authorization for every referenced object, on every request, against the logged-in user.
- Avoid exposing private object references such as primary keys or filenames to users whenever possible.
- Validate any private object references extensively with an "accept known good" approach: accept only references the application itself issued to that user, rather than trying to reject bad ones.
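Worked example, added here and not part of the original notes: a hypothetical contact-book handler in the vulnerable form the notes describe (the user changes the id in the URL and reads someone else's contact), beside the two fixes the last three points call for. `get_contact_checked` verifies authorization to the referenced object, and `ReferenceMap` keeps primary keys out of the URL by issuing per-session random tokens that the detail page accepts only if this session issued them ("accept known good"). All names, the contact table and the users are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the original notes): a contact book
# stored by database primary key, with an owner column for authorization.
@dataclass
class Contact:
    id: int
    owner: str
    name: str
    phone: str

CONTACTS: Dict[int, Contact] = {
    101: Contact(101, "alice", "Alice's dentist", "555-0101"),
    102: Contact(102, "alice", "Alice's plumber", "555-0102"),
    201: Contact(201, "bob", "Bob's landlord", "555-0201"),
}

class Forbidden(Exception):
    """Raised when the caller may not see the referenced object."""

# --- Vulnerable handler (hypothetical): the IDOR the notes describe ---
def get_contact_vulnerable(user: str, contact_id: int) -> Contact:
    """Returns whatever id arrived in the URL; the logged-in user is ignored."""
    return CONTACTS[contact_id]

# --- Fix 1: verify authorization to every referenced object ---
def can_access(user: str, contact_id: int) -> bool:
    contact = CONTACTS.get(contact_id)
    return contact is not None and contact.owner == user

def get_contact_checked(user: str, contact_id: int) -> Contact:
    # Missing and foreign ids are treated identically, so the response does
    # not reveal which ids exist.
    if not can_access(user, contact_id):
        raise Forbidden("no such contact for this user")
    return CONTACTS[contact_id]

# --- Fix 2: do not expose primary keys; hand out per-session opaque tokens ---
class ReferenceMap:
    """Per-session indirect reference map: random token <-> private key."""
    def __init__(self) -> None:
        self._direct_by_token: Dict[str, int] = {}
        self._token_by_direct: Dict[int, str] = {}

    def indirect(self, direct_id: int) -> str:
        token = self._token_by_direct.get(direct_id)
        if token is None:
            token = secrets.token_urlsafe(16)  # 128 random bits, not guessable
            self._token_by_direct[direct_id] = token
            self._direct_by_token[token] = direct_id
        return token

    def direct(self, token: str) -> Optional[int]:
        return self._direct_by_token.get(token)

def list_contacts(user: str, refmap: ReferenceMap) -> List[Tuple[str, str]]:
    """Listing page: only the user's own contacts enter the map ("known good")."""
    return [(refmap.indirect(c.id), c.name)
            for c in CONTACTS.values() if c.owner == user]

def get_contact_indirect(user: str, refmap: ReferenceMap, token: str) -> Contact:
    """Detail page: accept only tokens this session issued, then re-check
    ownership as defence in depth."""
    contact_id = refmap.direct(token)
    if contact_id is None:
        raise Forbidden("unknown reference")
    return get_contact_checked(user, contact_id)

if __name__ == "__main__":
    # Bob's session swaps the id in the URL from his 201 to Alice's 101.
    print(get_contact_vulnerable("bob", 101).name)  # leaks Alice's contact
    try:
        get_contact_checked("bob", 101)
    except Forbidden as e:
        print("checked handler:", e)
    session = ReferenceMap()
    for token, name in list_contacts("alice", session):
        print(token, name)  # the URL carries the token, never the primary key
```

Note that the indirect map is a per-session object: a token copied out of one user's page is meaningless in another user's session, and the ownership check in `get_contact_checked` still runs behind it, so a bug in the map alone does not reopen the hole.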