2023-07-29
US and Australian Government Agencies Urge Checking Web App Access Permissions
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) have published a joint cybersecurity advisory, Preventing Web Application Access Control Abuse. The document is designed “to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities.”
Editor's Note
These IDOR vulnerabilities were an entry in the OWASP top ten for many years, then were merged into Broken Access Control back in 2017. OWASP still has a good cheat sheet on IDOR at https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html
John Pescatore
The guidance comes down to suppliers using tools to detect insecure references, and using indirect reference maps to ensure IDs, names, and keys are not exposed in URLs. Consumers evaluate web apps, prioritize those with best practices for SCRM, and keep them patched. Leverage OWASP and this guidance when developing and assessing applications for security. IDOR is only one aspect of secure application development you need to track; don't get tunnel vision.
Lee Neely
Read more in
CISA: Preventing Web Application Access Control Abuse
The Register: Millions of people's data stolen because web devs forget to check access perms
Security Week: US, Australia Issue Warning Over Access Control Vulnerabilities in Web Applications
Bleeping Computer: CISA warns of breach risks from IDOR web app vulnerabilities