
CISA Releases Guidance on Preventing Web Application Access Control Abuse

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) have issued a joint cybersecurity advisory warning about insecure direct object reference (IDOR) vulnerabilities in web applications and web application programming interfaces (APIs).

Threat actors actively seek out IDOR vulnerabilities because they are common and can be abused at scale with automation tools, potentially exposing the sensitive information of millions of consumers. IDOR vulnerabilities are access control flaws that are exploited by sending requests to a website or web API that name the identifier of another valid user's data or object. They are usually possible because the application performs insufficient authentication or authorization checks on the request.

For example, an application or API may require an identifier such as an ID number, name, or key to directly access an object such as a database record. Possessing a valid identifier, however, is not proof that the requester is entitled to the object: an attacker can often obtain or guess another user's ID number, name, or key. In addition to validating the identifier, an application or API must also check that the user submitting the request is authenticated and authorized to access the object that identifier refers to.

There are different types of IDOR vulnerabilities. Horizontal IDOR vulnerabilities allow a user to access data belonging to another user at the same privilege level. Vertical IDOR vulnerabilities allow a user to access data that should be restricted to users with higher privilege levels. Object-level IDOR vulnerabilities allow a user to modify or delete an object they should not be able to, and function-level IDOR vulnerabilities allow a user to invoke a function or perform an action they should not be able to. These vulnerabilities typically exist because an object identifier is exposed, passed externally, or can easily be guessed, and the application never confirms that the requester is entitled to the object the identifier names.
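To make the four categories concrete, here is an added example (not the advisory's code; the users, records, and endpoint names are constructed for illustration) of a toy in-memory records API whose endpoints authenticate the caller but never authorize the request. An ordinary user reads, exports, enumerates, and deletes records he should not be able to touch:

```python
"""Toy in-memory records API that authenticates callers but never authorizes
them, so every IDOR type from the advisory works against it.
Added example, not the advisory's code: the users, records and endpoint
names are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Record:
    owner: int       # user id of the record's owner
    min_role: str    # lowest role that should be able to read it
    data: str


# Constructed sample data. Identifiers are small sequential integers,
# exactly the kind an attacker can guess and enumerate.
USERS = {1: "user", 2: "user", 3: "admin"}   # user id -> role


def fresh_db():
    """A new copy of the records table, so destructive calls do not bleed between runs."""
    return {
        1: Record(owner=1, min_role="user", data="alice medical history"),
        2: Record(owner=2, min_role="user", data="bob medical history"),
        3: Record(owner=3, min_role="admin", data="audit log"),
    }


def authenticate(user_id):
    """Login. This is the only check the vulnerable endpoints rely on."""
    if user_id not in USERS:
        raise PermissionError("unknown user")
    return {"user_id": user_id, "role": USERS[user_id]}


def vulnerable_get_record(db, session, record_id):
    """GET /records/<id>: the session is accepted but never consulted, so any
    logged-in caller may read any id it names."""
    return db[record_id].data


def vulnerable_delete_record(db, session, record_id):
    """DELETE /records/<id>: the same flaw applied to a destructive action."""
    return db.pop(record_id).data


def vulnerable_export_all(db, session):
    """GET /admin/export: an admin-only function with no role check at all."""
    return {rid: r.data for rid, r in db.items()}


def enumerate_records(db, session, start, stop):
    """What an automated tool does: walk the id space and keep whatever comes back."""
    found = {}
    for rid in range(start, stop):
        try:
            found[rid] = vulnerable_get_record(db, session, rid)
        except KeyError:
            continue
    return found


def bob_attacks():
    """Run each IDOR type as an ordinary user (id 2) and report what he obtained."""
    db = fresh_db()
    bob = authenticate(2)
    results = {}
    # Horizontal: another user's data at the same privilege level.
    results["horizontal"] = vulnerable_get_record(db, bob, 1)
    # Vertical: data that should be restricted to admins.
    results["vertical"] = vulnerable_get_record(db, bob, 3)
    # Function-level: calling an admin-only function.
    results["function_level"] = sorted(vulnerable_export_all(db, bob))
    # At scale: harvesting every record by guessing ids.
    results["enumeration"] = sorted(enumerate_records(db, bob, 1, 100))
    # Object-level: deleting an object he does not own.
    results["object_level"] = vulnerable_delete_record(db, bob, 1)
    results["record_1_still_exists"] = 1 in db
    return results


if __name__ == "__main__":
    for name, value in bob_attacks().items():
        print(f"{name}: {value}")
```

Every endpoint here would pass a test that only checks "is the caller logged in", which is why these flaws are invisible to authentication-focused review; the missing question at each call is whether this caller may act on this particular object.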


IDOR vulnerabilities are difficult to identify outside of the development process because each use case is unique, and they cannot be mitigated with a single library or security function. It is therefore vital for vendors, developers, and web designers to build adequate authentication and authorization checks into every request that modifies, deletes, or accesses data, implement secure-by-design principles, and follow cybersecurity best practices.

CISA, NSA, and ACSC have shared mitigations for vendors, designers, developers, and implementers of web applications to reduce the prevalence of IDOR vulnerabilities. In addition to applying secure-by-design principles and best practices at every stage of the software development life cycle, secure coding practices should be followed: use indirect reference maps so that IDs, names, and keys are not exposed in URLs, replacing them with cryptographically strong random values such as UUIDs; configure applications to deny access by default; and perform authentication and authorization checks on every request that modifies, deletes, or accesses sensitive data. The agencies also recommend CAPTCHA to limit automated invalid user requests, and code reviews to check for backdoors, malicious content, and logic flaws and to verify compliance with security requirements.
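As an added example of those mitigations (not the advisory's code; the users, records, endpoint and helper names are constructed for illustration), here is a toy records API hardened with a deny-by-default policy that is evaluated on every request and a per-session indirect reference map that hands clients random tokens instead of the real record ids:

```python
"""Hardened toy records API: deny by default, an authorization check on every
request, and an indirect reference map so real record ids never leave the server.
Added example, not the advisory's code: users, records, endpoint and helper
names are constructed for illustration."""
import secrets
from dataclasses import dataclass


@dataclass
class Record:
    owner: int       # user id of the record's owner
    min_role: str    # lowest role that may read it
    data: str


ROLE_RANK = {"user": 1, "admin": 2}
USERS = {1: "user", 2: "user", 3: "admin"}   # constructed: user id -> role


def fresh_db():
    """Constructed sample records with sequential, guessable real ids."""
    return {
        1: Record(owner=1, min_role="user", data="alice medical history"),
        2: Record(owner=2, min_role="user", data="bob medical history"),
        3: Record(owner=3, min_role="admin", data="audit log"),
    }


class Session:
    """An authenticated caller plus a per-session indirect reference map."""

    def __init__(self, user_id):
        if user_id not in USERS:
            raise PermissionError("unknown user")
        self.user_id = user_id
        self.role = USERS[user_id]
        self._refs = {}   # opaque token -> real record id, issued only by this server

    def issue_ref(self, record_id):
        token = secrets.token_urlsafe(16)   # 128 random bits: not guessable or enumerable
        self._refs[token] = record_id
        return token

    def resolve_ref(self, token):
        """Tokens this session was never issued resolve to None, including another user's."""
        return self._refs.get(token)


def authorize(session, action, record):
    """Deny-by-default policy: only an explicitly allowed combination returns True."""
    if action == "export_all":
        return session.role == "admin"
    if action in ("read", "delete") and record is not None:
        owner_or_admin = record.owner == session.user_id or session.role == "admin"
        rank_ok = ROLE_RANK[session.role] >= ROLE_RANK[record.min_role]
        return owner_or_admin and rank_ok
    return False


def list_my_records(db, session):
    """GET /records: hands out opaque tokens only for records the caller may read."""
    return [session.issue_ref(rid) for rid, r in db.items() if authorize(session, "read", r)]


def _resolve_or_deny(db, session, token, action):
    rid = session.resolve_ref(token)
    # One identical failure for unknown, foreign and forbidden tokens: no oracle to enumerate.
    if rid is None or rid not in db or not authorize(session, action, db[rid]):
        raise PermissionError("forbidden")
    return rid


def get_record(db, session, token):
    """GET /records/<token>: authorization is checked on this request, not assumed."""
    return db[_resolve_or_deny(db, session, token, "read")].data


def delete_record(db, session, token):
    """DELETE /records/<token>: destructive actions get their own check."""
    return db.pop(_resolve_or_deny(db, session, token, "delete")).data


def export_all(db, session):
    """GET /admin/export: a function-level check on the caller's role."""
    if not authorize(session, "export_all", None):
        raise PermissionError("forbidden")
    return {rid: r.data for rid, r in db.items()}


def _outcome(call):
    try:
        call()
        return "allowed"
    except PermissionError:
        return "denied"


def bob_attacks_hardened():
    """Replay the IDOR attempts as user 2 against the hardened endpoints."""
    db = fresh_db()
    alice, bob = Session(1), Session(2)
    alice_token = list_my_records(db, alice)[0]   # issued to alice's session only
    bob_token = list_my_records(db, bob)[0]
    return {
        "own_record": get_record(db, bob, bob_token),
        "reuse_alice_token": _outcome(lambda: get_record(db, bob, alice_token)),
        "guess_real_id": _outcome(lambda: get_record(db, bob, "1")),
        "function_level": _outcome(lambda: export_all(db, bob)),
        "object_level": _outcome(lambda: delete_record(db, bob, alice_token)),
        "record_1_still_exists": 1 in db,
        "admin_export": sorted(export_all(db, Session(3))),
    }
```

Two design points carry the weight here. The reference map alone is not the fix: a token leaked from one user's session resolves to nothing in another's, but even if the map were shared, every endpoint still calls authorize() for its specific action before touching the object. And the identical "forbidden" response for tokens that are unknown, issued to another session, or not permitted denies an enumerating tool any signal about which identifiers exist. Rate limiting or CAPTCHA for repeated invalid requests, which the advisory also suggests, is outside this example.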

CISA, NSA, and ACSC have also detailed cybersecurity best practices for end-user organizations for improving their cybersecurity posture and recommend developing an incident response and communication plan that can be implemented immediately in the event of a cyber incident or data breach.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
