The National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Australian Signals Directorate’s Australian Cyber Security Center have released a joint cybersecurity advisory warning web application developers and vendors about insecure direct object reference (IDOR) vulnerabilities.
The advisory, titled “Preventing Web Application Access Control Abuse,” describes IDOR vulnerabilities as access control flaws that let malicious actors bypass authorization checks in web applications, whether deployed on-premises or in the cloud, to modify, delete or access sensitive data, NSA said Thursday.
“These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale,” according to the advisory.
To prevent malicious actors from exploiting IDOR, the guidelines suggest that web application developers implement secure-by-design and secure-by-default principles, adhere to secure coding practices, use automated code analysis and testing tools when conducting code reviews and testing, and train personnel on secure software development.
End-user organizations should also apply software patches for web applications, configure applications to log and alert on tampering attempts, and perform regular vulnerability scanning and penetration testing.
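The following is an added illustration of the secure-coding and logging advice above, not code from the advisory or from any of the agencies: an IDOR-prone record lookup beside an ownership-checked version that records denied attempts for alerting. The record store, user names and function names are constructed for the example.

```python
# Added example (not from the advisory): an IDOR-prone lookup next to a
# version that enforces object-level authorization and logs denials.

# Constructed sample data: record id -> owner and content.
RECORDS = {
    101: {"owner": "alice", "content": "alice's invoice"},
    102: {"owner": "bob", "content": "bob's invoice"},
}

# Denied attempts are appended here so monitoring can alert on tampering;
# a real service would emit these to its logging/SIEM pipeline instead.
AUDIT_LOG = []


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_record_vulnerable(current_user: str, record_id: int) -> dict:
    """IDOR: the handler trusts the client-supplied id and never checks
    who owns it, so any authenticated user can read any record."""
    return RECORDS[record_id]


def get_record_secure(current_user: str, record_id: int) -> dict:
    """Object-level authorization: verify ownership on every access.
    Missing and foreign records get the same failure so the caller
    cannot probe which ids exist."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        AUDIT_LOG.append({"user": current_user, "record_id": record_id})
        raise Forbidden(f"record {record_id} not accessible")
    return record


def list_records_secure(current_user: str) -> list:
    """Scope the query to the caller rather than filtering afterwards."""
    return sorted(rid for rid, r in RECORDS.items() if r["owner"] == current_user)


def is_denied(current_user: str, record_id: int) -> bool:
    """True if the secure handler refuses this user/record pair."""
    try:
        get_record_secure(current_user, record_id)
    except Forbidden:
        return True
    return False
```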