Joint Advisory Warns of Threat From IDOR Vulnerabilities
Vendors, designers and developers of web applications and organizations using web applications take heed—insecure direct object reference (IDOR) vulnerabilities are a major threat, the Cybersecurity and Infrastructure Security Agency (CISA) recently warned.
“IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users,” CISA said in a joint cybersecurity advisory from Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), CISA and the U.S. National Security Agency (NSA). “These requests succeed where there is a failure to perform adequate authentication and authorization checks.”
“IDOR vulnerabilities, which can lead to unauthorized access or modification of sensitive data, are a substantial risk, resulting in alarming consequences such as identity theft, financial loss and reputational damage,” said Saeed Abbasi, manager of vulnerability and threat research at Qualys.
“IDOR is a very common vulnerability that provides an attacker access to data they shouldn’t be able to see. It’s also very simple to abuse,” said Casey Ellis, founder and CTO at Bugcrowd. “As an example, if a website is vulnerable to IDOR, simply changing or incrementing a numeric value in the URL of a logged-in user (e.g. https://www.bugcrowd.com/user?id=12345) will provide access to a different user’s information.”
And these vulnerabilities are a frequent choice of bad actors “because they are common, hard to prevent outside the development process and can be abused at scale,” the advisory said. “IDOR vulnerabilities have resulted in the compromise of personal, financial and health information of millions of users and consumers,” according to the advisory.
The security bodies pointed to a number of IDOR vulnerability types that organizations should look for:
- Horizontal, in which users can access data they shouldn’t be able to and at the same privilege level.
- Vertical, in which users can access data at a higher level that they shouldn’t be able to.
- Object-level, in which users can modify or delete objects when they shouldn’t be able to.
- Function-level, in which users can access functions or actions they shouldn’t be able to.
“Typically, these vulnerabilities exist because an object identifier is exposed, passed externally or easily guessed—allowing any user to use or modify the identifier,” the advisory said, noting that, for instance:
- In body manipulation, an actor modifies the HTML form field data in the body of a POST request to impact targeted records.
- In URL tampering, an actor modifies an identifier in URLs to impact targeted records.
- In cookie ID manipulation, the actor modifies an identifier in a cookie to an identifier of a different user (including administrative users) in an attempt to gain access to that account.
- In HTTP/JSON request tampering, an actor uses a web proxy to intercept and alter arbitrary portions of legitimate requests, including values inside JSON objects.
The agencies offered a set of recommendations for vendors, designers, developers and end-user organizations to implement “to reduce the prevalence of IDOR flaws and protect sensitive data in their systems.”
Vendors, designers and developers of web application frameworks and web applications should employ secure-by-design and -default principles as well as “ensure software performs authentication and authorization checks for every request that modifies, deletes and accesses sensitive data.” Those efforts should include:
- Using automated tools for code review to identify and remediate IDOR and other vulnerabilities.
- Using indirect reference maps, ensuring that IDs, names and keys are not exposed in URLs, and replacing them with cryptographically strong, random values, specifically a universally unique identifier (UUID) or a globally unique identifier (GUID).
- Exercising due diligence when selecting third-party libraries or frameworks to incorporate into your application and keeping all third-party frameworks and dependencies up to date.
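The URL-tampering case Ellis describes and the two developer-side fixes above (a per-request authorization check and an indirect reference map) side by side, as an added example that is not part of the advisory or this article. It models a `/user?id=<n>` lookup in memory with constructed sample records; the function and class names are hypothetical.

```python
# Added example (not from the advisory or the article): an in-memory model of a
# "/user?id=<n>" endpoint showing a horizontal IDOR and two fixes the advisory
# recommends: an ownership check on every request, and an indirect reference
# map that replaces guessable numeric ids with random UUIDs.
import uuid

# Constructed sample data: two users, each owning one profile record.
PROFILES = {
    12345: {"owner": "alice", "email": "alice@example.test"},
    12346: {"owner": "bob", "email": "bob@example.test"},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the referenced object."""


def vulnerable_profile(session_user, requested_id):
    """IDOR: the session is authenticated, but nobody checks who owns the
    record, so incrementing the id in the URL returns another user's data."""
    return PROFILES[requested_id]


def safe_profile(session_user, requested_id):
    """Fix 1: authorize every request that reads sensitive data against the
    logged-in user, not just against the presence of a valid session."""
    record = PROFILES.get(requested_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("not your profile")
    return record


class IndirectReferenceMap:
    """Fix 2: a per-session map from random, unguessable tokens to real ids.
    The client only ever sees tokens; numeric ids never appear in URLs."""

    def __init__(self, session_user):
        self.session_user = session_user
        self._tokens = {}
        # Only objects this session owns get a token, so there is nothing
        # to increment or guess that maps to someone else's record.
        for pid, rec in PROFILES.items():
            if rec["owner"] == session_user:
                self._tokens[str(uuid.uuid4())] = pid

    def tokens(self):
        return list(self._tokens)

    def resolve(self, token):
        """Unknown or foreign tokens fail closed instead of leaking data."""
        pid = self._tokens.get(token)
        if pid is None:
            raise Forbidden("unknown reference")
        return PROFILES[pid]
```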
For end-user organizations, including organizations with software-as-a-service (SaaS) models, the recommendations include:
- Using due diligence when selecting web applications. Follow best practices for supply chain risk management and only source from reputable vendors.
- Applying software patches for web applications as soon as possible.
For end-user organizations deploying on-premises software, infrastructure-as-a-service (IaaS) or private cloud models, the agencies recommend:
- Reviewing the available authentication and authorization checks in web applications that enable modification of data, deletion of data or access to sensitive data.
- Conducting regular, proactive vulnerability scanning and penetration testing to help ensure internet-facing web applications and network boundaries are secure.
“The key to these vulnerabilities is right in the name of the function: insecure direct object reference (IDOR),” said Mike Parkin, senior technical engineer at Vulcan Cyber.
“While there are legitimate use cases where they’re perfectly valid and don’t add unacceptable security risks, the fact that they are insecure by default means their use should be limited,” said Parkin. “The recommendation here from ACSC [Australian Signals Directorate’s Australian Cyber Security Centre], CISA and the NSA is what developers should have been doing already.”
Abbasi added that, “in combatting IDOR, it’s essential to have proper authorization checks and indirect object references in place. A comprehensive defense strategy against IDOR cybersecurity threats involves a blend of proactive and reactive measures.”
He noted that “it begins by embracing the principle of least privilege, enforcing strict input validation and conducting regular code reviews, penetration testing and developer security training, thereby setting up a robust proactive defense wall.”
Ellis called the timing and nature of the joint advisory “interesting,” and noted that “this is very explicit AppSec-focused guidance, which is unusual for ACSC/CISA/NSA advisories.” He said the advisory was likely “prompted by the Optus breach in 2022, which saw the details of a large percentage of the Australian population stolen because of a combination of poor API security and the presence of IDOR.”