Insecure Direct Object References

When a critical resource in your application (an object, a file or a database key) is exposed through a reference that is not subject to access control, an attacker who can reach that reference can read, and often modify, confidential information that does not belong to them.

The attack is usually trivial to carry out: the attacker changes a parameter value that refers to an object for which their user does not have the necessary authorization, and the server returns it anyway.

In the sample below, let’s suppose that an account-retrieval page has the following logic on the server side:

```java
// Server side of the account-retrieval page. The query is parameterised, so it is
// safe from SQL injection, but nothing checks that the caller owns the account.
String query = "SELECT * FROM user_accounts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, … );
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
```

An attacker can simply change the acct value passed in the page's query string and read the details of an account they do not own:

http://example.com/app/accountInfo?acct=some_other_acct

Prevention Measures

To protect against this threat, objects must be protected by server-side access control: before the server answers a request for an object, it must verify that the logged-in user is authorized for that specific object, even though the session itself is already authenticated. Authentication alone does not establish ownership, and unguessable identifiers are not a substitute for the check.

For example, in the case above the query can be scoped to the logged-in user by adding the user's identity, taken from the server-side session rather than from the request, as a second condition:

```java
// Bind the owner from the server-side session, never from the request, so a
// tampered acct value can only ever match the caller's own rows.
String query = "SELECT * FROM user_accounts WHERE account = ? AND userId = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, request.getParameter("acct"));
pstmt.setString(2, loggedInUserId); // read from the authenticated session
ResultSet results = pstmt.executeQuery();
```
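The vulnerable lookup and the session-scoped fix side by side, as an added example that is not code from the original page: a Python rewrite with sqlite3 (chosen so it runs stand-alone; the page's own snippets are Java/JDBC) of both handlers, exercised against constructed sample rows with the acct parameter tampered to point at another user's account. The table and column names follow the page; the user ids, account numbers, balances and the Forbidden exception are assumptions made for the example.

```python
"""Added example: IDOR on an account-retrieval endpoint, vulnerable and fixed.

Python/sqlite3 stand-in for the page's Java/JDBC snippets. Table and column names
follow the page; the sample users, accounts and balances are constructed here.
"""
import sqlite3

SCHEMA = """
CREATE TABLE user_accounts (
    account TEXT PRIMARY KEY,
    userId  TEXT NOT NULL,
    balance INTEGER NOT NULL
);
"""

# Constructed sample data: alice and bob each own one account.
SAMPLE_ROWS = [
    ("acct-1001", "alice", 2500),
    ("acct-2002", "bob", 40),
]


class Forbidden(Exception):
    """Assumed error type: the caller is not authorised for the requested account."""


def open_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user_accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def account_info_vulnerable(conn, session, params):
    """Mirrors the page's first snippet: parameterised (no SQL injection), but the
    row returned is chosen solely by the attacker-controlled 'acct' parameter.
    The session is accepted and ignored, exactly as in the original."""
    row = conn.execute(
        "SELECT * FROM user_accounts WHERE account = ?",
        (params["acct"],),
    ).fetchone()
    return dict(row) if row else None


def account_info_hardened(conn, session, params):
    """Mirrors the page's fix: the owner id is bound from the server-side session,
    never from the request, so a tampered 'acct' can only match the caller's rows.
    A miss (someone else's account, or no such account) is reported the same way."""
    row = conn.execute(
        "SELECT * FROM user_accounts WHERE account = ? AND userId = ?",
        (params["acct"], session["userId"]),
    ).fetchone()
    if row is None:
        raise Forbidden(f"{session['userId']} is not authorised for {params['acct']}")
    return dict(row)


def attacker_reaches_other_account(handler, conn):
    """Replays the attack from the page: alice's authenticated session requests
    bob's account by editing the query-string parameter. True means the handler
    handed over a row belonging to someone other than the session user."""
    session = {"userId": "alice"}    # constructed: alice's server-side session
    params = {"acct": "acct-2002"}   # constructed: acct tampered to bob's account
    try:
        row = handler(conn, session, params)
    except Forbidden:
        return False
    return row is not None and row["userId"] != session["userId"]


if __name__ == "__main__":
    db = open_db()
    for handler in (account_info_vulnerable, account_info_hardened):
        leaked = attacker_reaches_other_account(handler, db)
        print(f"{handler.__name__}: attacker reaches another user's account = {leaked}")
```

Note that the hardened handler raises Forbidden both when the account belongs to someone else and when no such account exists; answering those two cases differently would turn the endpoint into an oracle for enumerating valid account identifiers.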
