Uploaded bymacanazon
PPTX, PDF1,770 views

InsecureDirectObjectReferences

The document discusses insecure direct object references (IDOR) and their implications in information security, highlighting how developers can unintentionally expose access to internal objects without proper checks. It emphasizes the need for access control validations in web applications to prevent unauthorized access and provides examples and prevention techniques for developers. Additionally, it references OWASP guidelines and various sources for further information about IDOR vulnerabilities.

Embed presentation

Downloaded 96 times
Insecure Direct Object References Melissa Canazon How do you refer to secure information? IT6873 Information Security Seminar – Fall 2014
A4-Insecure Direct Object References “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.” ~ OWASP * Formally defined by OWASP, but what does this mean?
Path to Understanding Defining “Objects” Defining “References” Defining “Insecure” What does ‘insecure direct object reference’ mean? - examples How can it be used? Prevention Topic 1 Topic 2 Topic 3 Topic 4 Topic 5 Topic 6 Topic 7 How is it detected?
Definition: Objects
OBJECTS data, information, files, images, video, resource, etc. *can be stored and retrieved in either an unprocessed or processed format
Definition: References
REFERRING TO OBJECTS DIRECTORY www.directory.com OBJECT 1 www.directory.com/object1 OBJECT 2 www.directory.com/object2 OBJECT 3 www.directory.com/object3
Definition: Insecure Authentication vs. Authorization
AUTHENTICATION vs AUTHORIZATION CERTIFIED AUTHENTIC USER
Defining ‘Insecure Direct Object Reference’
Object1 www.some.com/access/authorizeduser/object2 www.some.com/access/unauthorizeduser/object1
How Can You Use Direct Object References? • inurl: admin • inurl:cgi • filetype: pdf • “auth_user_file.txt” • index of ftp +.mdb allinurl:/cgi-bin/ +mailto
How Can You Use Direct Object References?
How Can You Use Direct Object References? dot dot slash .../ • Moving down the directory • Some apps prevent this type of traversal, so alternately: • %2e%2e%2f which translates to ../ • %2e%2e/ which translates to ../ • ..%2f which translates to ../ • %2e%2e%5c which translates to ..
Detection
Prevention Just a friendly reminder to developers: INPUT IS EVIL!
INPUT IS EVIL Input can be malicious, always validate it before you trust it!
User input Direct Reference USER SESSION Reference Mapping Indirect Resource Reference Web app sends resource User receives resource & indirect reference Web app receives request Reference Map Generated
Spoiler Alert! Access Control
Check out A7- Missing Function Level Access Control! Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. ACCESS CONTROL
Check out A10- Unvalidated Redirects and Forwards! Applications frequently redirect users to other pages, or use internal forwards in a similar manner. ACCESS CONTROL Sometimes the target page is specified in an un-validated parameter, allowing attackers to choose the destination page. Unsafe forwards may allow access control bypass. What if attackers can access internal only functions?
OWASP Top 10 Threats and Mitigations http://michaelpeters.org/quiz/ I challenge you to take the quiz and share your thoughts! Post in the discussion board! Thanks to Albena and Aaron for being my resource reviewers!
REFERENCES 1. CWE-22: Improper Limitation of a Pathname to a Restricted Directory. 30 July 2014. CWE Common Weakness Enumeration. Retrieved from: http://cwe.mitre.org/data/definitions/22.html 2. CWE-639: Authorization Bypass Through User-Controlled Key. 30 July 2014. CWE Common Weakness Enumeration. Retrieved from: http://cwe.mitre.org/data/definitions/639.html 3. CWE-706: Use of incorrectly resolved name or reference. 30 July 2014. CWE Common Weakness Enumeration. Retrieved from: http://cwe.mitre.org/data/definitions/706.html 4. Hacking Websites Using Directory Traversal Attack. September 2012. HackingLoops.com. Retrieved from: http://www.hackingloops.com/2012/09/hacking-websites-using-directory-traversal-attacks. html 5. Melton, John. 10 May 2010. The OWASP Top 10 and ESAPI – Part 4 – Insecure Direct Object References. Retrieved from: http://www.jtmelton.com/2010/05/10/the-owasp-top-ten-and-esapi-part- 5-insecure-direct-object-reference/ 6. Mukherjee, Sumantro. 2 April 2013. Google Hacking: A Must Read Article. Hackshark. Retrieved from: http://hackshark.com/?p=1058#axzz3EgMnLtXk 7. OWASP. 8 AUGUST 2014. Testing for Insecure Direct Object References. Retrieved from: https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ- 004) 8. OWASP. 14 June 2013. Top 10 2013-A4-Insecure Direct Object References. Retrieved from: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References 9. Peters, Michael. 25 December 2012. Pop Quiz! Test your OWASP knowledge and earn credit. MichaelPeters.org. Retrieved from: http://michaelpeters.org/quiz/ 10. Redkar, Vinesh. 13 June 2013. NOKIA – Insecure Direct Object Reference. AVs3curity. Retrieved from: http://avs3curity.blogspot.com/2013/06/nokia-insecure-direct-object-reference.html

More Related Content

PPTX
OWASP Khartoum Top 10 A4 - 7th meeting
byOWASP Khartoum
 
PPTX
A7 Missing Function Level Access Control
bystevil1224
 
PDF
Owasp Top 10-2013
byn|u - The Open Security Community
 
PDF
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
PPTX
A10 - Unvalidated Redirects and Forwards
byShane Stanley
 
PPTX
A5: Security Misconfiguration
byTariq Islam
 
PPTX
Owasp top 10 security threats
byVishal Kumar
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
OWASP Khartoum Top 10 A4 - 7th meeting
byOWASP Khartoum
 
A7 Missing Function Level Access Control
bystevil1224
 
Owasp Top 10-2013
byn|u - The Open Security Community
 
A5-Security misconfiguration-OWASP 2013
bySorina Chirilă
 
A10 - Unvalidated Redirects and Forwards
byShane Stanley
 
A5: Security Misconfiguration
byTariq Islam
 
Owasp top 10 security threats
byVishal Kumar
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 

What's hot

PPTX
Web application Security tools
byNico Penaredondo
 
PPTX
Security Testing Training With Examples
byAlwin Thayyil
 
PDF
The Complete Web Application Security Testing Checklist
byCigital
 
PDF
Security testing presentation
byConfiz
 
PPT
Step by step guide for web application security testing
byAvyaan, Web Security Company in India
 
PPTX
Security testing
byKhizra Sammad
 
PDF
OWASP Top 10 - 2017
byHackerOne
 
PPT
Owasp Top 10 - Owasp Pune Chapter - January 2008
byabhijitapatil
 
PPTX
Security workshop - Lets get our hands dirty!!
byManjyot Singh
 
PPTX
Security misconfiguration
byMicho Hayek
 
PDF
Web Application Security 101
byCybersecurity Education and Research Centre
 
PPTX
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
byOWASP Khartoum
 
PDF
Introduction to Security Testing
byvodQA
 
PDF
Testing Web Application Security
byTed Husted
 
PPTX
security misconfigurations
byMegha Sahu
 
PPTX
Owasp first5 presentation
byAshwini Paranjpe
 
PPT
Get Ready for Web Application Security Testing
byAlan Kan
 
PPTX
2 . web app s canners
byRashid Khatmey
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
PPTX
3. backup file artifacts - mazin ahmed
byRashid Khatmey
 
Web application Security tools
byNico Penaredondo
 
Security Testing Training With Examples
byAlwin Thayyil
 
The Complete Web Application Security Testing Checklist
byCigital
 
Security testing presentation
byConfiz
 
Step by step guide for web application security testing
byAvyaan, Web Security Company in India
 
Security testing
byKhizra Sammad
 
OWASP Top 10 - 2017
byHackerOne
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
byabhijitapatil
 
Security workshop - Lets get our hands dirty!!
byManjyot Singh
 
Security misconfiguration
byMicho Hayek
 
Web Application Security 101
byCybersecurity Education and Research Centre
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
byOWASP Khartoum
 
Introduction to Security Testing
byvodQA
 
Testing Web Application Security
byTed Husted
 
security misconfigurations
byMegha Sahu
 
Owasp first5 presentation
byAshwini Paranjpe
 
Get Ready for Web Application Security Testing
byAlan Kan
 
2 . web app s canners
byRashid Khatmey
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
3. backup file artifacts - mazin ahmed
byRashid Khatmey
 

Viewers also liked

PDF
OWASP Top 10 A4 – Insecure Direct Object Reference
byNarudom Roongsiriwong, CISSP
 
PPTX
MWC 2015 - Day 3
byAffle mTraction Enterprise
 
PPTX
ענב גנד גלילי - על אלמנט ההפתעה באסטרטגיה ארגונית
bygreatest123
 
PDF
Press release EarthLab
byFinmeccanica
 
PDF
Suborbital Research Platforms of the Future
byFinmeccanica
 
PDF
Usaid graphic standards_manual
byYusran Afandi Dkv
 
PPTX
Prueba unica periodo 1
byCorrea Andres
 
PPTX
Cardiovascular Diseases by Philip
byStephanie Sawyer, M.S.
 
PDF
Presentatie wijzingen energielabels w en u
byGert Harm ten Bolscher
 
PPT
Flower
bymaricarmen46
 
PDF
Centri Spaziali
byFinmeccanica
 
PDF
Mundo colorido nº12 Junho 2012 - Tintas 2000, Tintas Marilina, A&F
bypintaracasa
 
PDF
What To Expect From Apple At WWDC 2014
byAffle mTraction Enterprise
 
PDF
Mundo colorido - Nº 13, 2013 - Tintas 2000, Tintas Marilina, A&F
bypintaracasa
 
PPT
Flower
bymaricarmen46
 
DOCX
02 periféricos pc
byxxxburroviejoxxx
 
PDF
Magento Growth Hacking Strategy
byBun Danny
 
OWASP Top 10 A4 – Insecure Direct Object Reference
byNarudom Roongsiriwong, CISSP
 
MWC 2015 - Day 3
byAffle mTraction Enterprise
 
ענב גנד גלילי - על אלמנט ההפתעה באסטרטגיה ארגונית
bygreatest123
 
Press release EarthLab
byFinmeccanica
 
Suborbital Research Platforms of the Future
byFinmeccanica
 
Usaid graphic standards_manual
byYusran Afandi Dkv
 
Prueba unica periodo 1
byCorrea Andres
 
Cardiovascular Diseases by Philip
byStephanie Sawyer, M.S.
 
Presentatie wijzingen energielabels w en u
byGert Harm ten Bolscher
 
Flower
bymaricarmen46
 
Centri Spaziali
byFinmeccanica
 
Mundo colorido nº12 Junho 2012 - Tintas 2000, Tintas Marilina, A&F
bypintaracasa
 
What To Expect From Apple At WWDC 2014
byAffle mTraction Enterprise
 
Mundo colorido - Nº 13, 2013 - Tintas 2000, Tintas Marilina, A&F
bypintaracasa
 
Flower
bymaricarmen46
 
02 periféricos pc
byxxxburroviejoxxx
 
Magento Growth Hacking Strategy
byBun Danny
 

Similar to InsecureDirectObjectReferences

PDF
OWASP TOP 10 by Team xbios
byVi Vek
 
PDF
owasp-top-10 presentation dhs ad health .
bySoner ÇELİK, CEH, PMP
 
PDF
Data security in the age of GDPR – most common data security problems
byExove
 
PDF
Security Awareness
byLucas Hendrich
 
PPTX
OWASP top 10-2013
bytmd800
 
PDF
OWASP Top 10
byArthur Shvetsov
 
PDF
Jonathan Singer - Wheezing The Juice.pdf
byJonathan Singer
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
PDF
2013 OWASP Top 10
bybilcorry
 
PPTX
Software Development Weaknesses - SecOSdays Sofia, 2019
byBalázs Tatár
 
PPTX
Securing the Web @RivieraDev2016
bySumanth Damarla
 
PPTX
owasp top 10 security risk categories and CWE
byArun Voleti
 
PDF
Broken access controls
byAkansha Kesharwani
 
PDF
Security testing-What can we do - Trinh Minh Hien
byHo Chi Minh City Software Testing Club
 
PPTX
OWASP
bygehad hamdy
 
PDF
Threats, Threat Modeling and Analysis
byIan G
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
PDF
Top 10 Bad Coding Practices Lead to Security Problems
byNarudom Roongsiriwong, CISSP
 
PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
OWASP TOP 10 by Team xbios
byVi Vek
 
owasp-top-10 presentation dhs ad health .
bySoner ÇELİK, CEH, PMP
 
Data security in the age of GDPR – most common data security problems
byExove
 
Security Awareness
byLucas Hendrich
 
OWASP top 10-2013
bytmd800
 
OWASP Top 10
byArthur Shvetsov
 
Jonathan Singer - Wheezing The Juice.pdf
byJonathan Singer
 
OWASP Top Ten in Practice
bySecurity Innovation
 
2013 OWASP Top 10
bybilcorry
 
Software Development Weaknesses - SecOSdays Sofia, 2019
byBalázs Tatár
 
Securing the Web @RivieraDev2016
bySumanth Damarla
 
owasp top 10 security risk categories and CWE
byArun Voleti
 
Broken access controls
byAkansha Kesharwani
 
Security testing-What can we do - Trinh Minh Hien
byHo Chi Minh City Software Testing Club
 
OWASP
bygehad hamdy
 
Threats, Threat Modeling and Analysis
byIan G
 
The path of secure software by Katy Anton
byDevSecCon
 
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
Top 10 Bad Coding Practices Lead to Security Problems
byNarudom Roongsiriwong, CISSP
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 

Recently uploaded

PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 

InsecureDirectObjectReferences

  • 1.
    Insecure Direct ObjectReferences Melissa Canazon How do you refer to secure information? IT6873 Information Security Seminar – Fall 2014
  • 2.
    A4-Insecure Direct Object References “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.” ~ OWASP * Formally defined by OWASP, but what does this mean?
  • 3.
    Path to Understanding Defining “Objects” Defining “References” Defining “Insecure” What does ‘insecure direct object reference’ mean? - examples How can it be used? Prevention Topic 1 Topic 2 Topic 3 Topic 4 Topic 5 Topic 6 Topic 7 How is it detected?
  • 4.
  • 5.
    OBJECTS data, information,files, images, video, resource, etc. *can be stored and retrieved in either an unprocessed or processed format
  • 6.
  • 7.
    REFERRING TO OBJECTS DIRECTORY www.directory.com OBJECT 1 www.directory.com/object1 OBJECT 2 www.directory.com/object2 OBJECT 3 www.directory.com/object3
  • 8.
  • 9.
    AUTHENTICATION vs AUTHORIZATION CERTIFIED AUTHENTIC USER
  • 10.
    Defining ‘Insecure DirectObject Reference’
  • 11.
  • 12.
    How Can YouUse Direct Object References? • inurl: admin • inurl:cgi • filetype: pdf • “auth_user_file.txt” • index of ftp +.mdb allinurl:/cgi-bin/ +mailto
  • 13.
    How Can YouUse Direct Object References?
  • 14.
    How Can YouUse Direct Object References? dot dot slash .../ • Moving down the directory • Some apps prevent this type of traversal, so alternately: • %2e%2e%2f which translates to ../ • %2e%2e/ which translates to ../ • ..%2f which translates to ../ • %2e%2e%5c which translates to ..
  • 15.
  • 16.
    Prevention Just afriendly reminder to developers: INPUT IS EVIL!
  • 17.
    INPUT IS EVIL Input can be malicious, always validate it before you trust it!
  • 18.
    User input Direct Reference USER SESSION Reference Mapping Indirect Resource Reference Web app sends resource User receives resource & indirect reference Web app receives request Reference Map Generated
  • 19.
  • 20.
    Check out A7- Missing Function Level Access Control! Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. ACCESS CONTROL
  • 21.
    Check out A10- Unvalidated Redirects and Forwards! Applications frequently redirect users to other pages, or use internal forwards in a similar manner. ACCESS CONTROL Sometimes the target page is specified in an un-validated parameter, allowing attackers to choose the destination page. Unsafe forwards may allow access control bypass. What if attackers can access internal only functions?
  • 23.
    OWASP Top 10Threats and Mitigations http://michaelpeters.org/quiz/ I challenge you to take the quiz and share your thoughts! Post in the discussion board! Thanks to Albena and Aaron for being my resource reviewers!
  • 24.
    REFERENCES 1. CWE-22:Improper Limitation of a Pathname to a Restricted Directory. 30 July 2014. CWE Common Weakness Enumeration. Retrieved from: http://cwe.mitre.org/data/definitions/22.html 2. CWE-639: Authorization Bypass Through User-Controlled Key. 30 July 2014. CWE Common Weakness Enumeration. Retrieved from: http://cwe.mitre.org/data/definitions/639.html 3. CWE-706: Use of incorrectly resolved name or reference. 30 July 2014. CWE Common Weakness Enumeration. Retrieved from: http://cwe.mitre.org/data/definitions/706.html 4. Hacking Websites Using Directory Traversal Attack. September 2012. HackingLoops.com. Retrieved from: http://www.hackingloops.com/2012/09/hacking-websites-using-directory-traversal-attacks. html 5. Melton, John. 10 May 2010. The OWASP Top 10 and ESAPI – Part 4 – Insecure Direct Object References. Retrieved from: http://www.jtmelton.com/2010/05/10/the-owasp-top-ten-and-esapi-part- 5-insecure-direct-object-reference/ 6. Mukherjee, Sumantro. 2 April 2013. Google Hacking: A Must Read Article. Hackshark. Retrieved from: http://hackshark.com/?p=1058#axzz3EgMnLtXk 7. OWASP. 8 AUGUST 2014. Testing for Insecure Direct Object References. Retrieved from: https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ- 004) 8. OWASP. 14 June 2013. Top 10 2013-A4-Insecure Direct Object References. Retrieved from: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References 9. Peters, Michael. 25 December 2012. Pop Quiz! Test your OWASP knowledge and earn credit. MichaelPeters.org. Retrieved from: http://michaelpeters.org/quiz/ 10. Redkar, Vinesh. 13 June 2013. NOKIA – Insecure Direct Object Reference. AVs3curity. Retrieved from: http://avs3curity.blogspot.com/2013/06/nokia-insecure-direct-object-reference.html

Editor's Notes

  • #10 When a user is authenticated, they are given permission to access certain objects. An authenticated user does not have permission access all objects. In order to access an object, you must be authorized. Therefore, in order to access any object, you must be authenticated and authorized for that permission.