Description

Retrieval of a user record occurs in the system based on some key value that is under user control (e.g. a value the user submits or a URL string that can be manipulated by the user). The key would typically identify a user-related record stored in the system and would be used to look up that record for presentation to the user. It is likely that an attacker would have to be an authenticated user in the system. However, the authorization process would not properly check the data access operation to ensure that the authenticated user performing the operation has sufficient entitlements to perform the requested data access, hence bypassing any other authorization checks present in the system.

Examples

The application uses unverified data in a SQL call that is accessing account information:

String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ... );
// The parameter is bound safely (no SQL injection), but nothing checks that
// the authenticated user is entitled to the account number it names.
pstmt.setString( 1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();

The attacker simply modifies the 'acct' parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user's account, instead of only the intended customer's account.

http://example.com/app/accountInfo?acct=notmyacct

Mitigation

Preventing insecure direct object references requires selecting an approach for protecting each user-accessible object (e.g., object number, filename):

Use per-user or per-session indirect object references. This prevents attackers from directly targeting unauthorized resources.
Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
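Both mitigations applied to the 'acct' lookup from the example above, as an added example that is not part of the original page; the user names, account numbers and in-memory ownership table are constructed stand-ins for the accts table, and the token resolved here is what gets bound as parameter 1 of the prepared statement.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example, not code from the original page; users, account numbers and the
// ownership table are constructed sample data standing in for the accts table.
public class AccountAccess {
    private static final Map<String, Set<String>> OWNED_ACCOUNTS =
            Map.of("alice", Set.of("1001", "1002"), "bob", Set.of("2001"));
    private final String sessionUser;                        // authenticated user
    private final SecureRandom random = new SecureRandom();
    // Per-session indirect reference map: opaque token -> real account number.
    private final Map<String, String> indirectRefs = new HashMap<>();

    AccountAccess(String sessionUser) { this.sessionUser = sessionUser; }

    // "Check access": every direct reference is authorized before any SQL runs.
    void checkAccess(String accountId) {
        Set<String> owned = OWNED_ACCOUNTS.getOrDefault(sessionUser, Set.of());
        if (!owned.contains(accountId)) {
            throw new SecurityException(sessionUser + " may not access account " + accountId);
        }
    }

    // "Indirect object references": the rendered page carries this random token
    // instead of the account number, so acct=notmyacct has nothing to map to.
    String indirectRefFor(String accountId) {
        checkAccess(accountId);                        // only tokenize owned accounts
        byte[] buf = new byte[16];
        random.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        indirectRefs.put(token, accountId);
        return token;
    }

    // Guarded form of the lookup above: resolve the token within this session, check
    // access, and only then hand back the value to bind as parameter 1 of the query.
    String accountIdForRequest(String acctParam) {
        String accountId = indirectRefs.get(acctParam);
        if (accountId == null) throw new SecurityException("unknown account reference");
        checkAccess(accountId);                        // defense in depth
        return accountId;
    }
}
```

A token minted in one user's session is absent from every other session's map, so a request that replays it from another session fails at the resolve step before the ownership check is even reached.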