Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data.
This includes a specific class of bugs called Insecure Direct Object Reference (IDOR), a type of access control flaw that occurs when an application utilizes user-supplied input or an identifier for direct access to an internal resource, such as a database record, without any additional validations.
"IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users," the agencies said. "These requests succeed where there is a failure to perform adequate authentication and authorization checks."
The authoring entities – the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) – noted that such flaws are being abused by adversaries to compromise the personal, financial, and health information of millions of users and consumers.
To mitigate such threats, it's recommended that vendors, designers, and developers adopt secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
This includes a specific class of bugs called Insecure Direct Object Reference (IDOR), a type of access control flaw that occurs when an application utilizes user-supplied input or an identifier for direct access to an internal resource, such as a database record, without any additional validations.
"IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users," the agencies said. "These requests succeed where there is a failure to perform adequate authentication and authorization checks."
The authoring entities – the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) – noted that such flaws are being abused by adversaries to compromise the personal, financial, and health information of millions of users and consumers.
To mitigate such threats, it's recommended that vendors, designers, and developers adopt secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.