Insecure Direct Object Reference - TairinySimeonato/WebAuditing GitHub Wiki

  • The web application provides direct access to objects based on user-supplied data.
  • Attackers can bypass authorization and access resources in the system by changing the value of a parameter that directly points to an object.
  • Attackers can access other users' profiles, files, etc.

Testing

  • Map the locations where objects are referenced directly.
  • Modify the value and check whether it is possible to retrieve information.
  • Use two or more accounts and try to access each other's objects.

…/?id=5: if you change it to id=6 and can see the content for user 6, then it is vulnerable.

Prevention

  • Object references should be random and unique per user or session: ↑complexity ↑time to guess
  • Ensure the user is authorized to request the object by checking access on every request
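The following is an added example, not code from this wiki or from the WebAuditing project. It shows the three handler shapes discussed above side by side (the vulnerable direct reference, the same direct reference with an access check, and a per-session indirect reference) and automates the two-account test from the Testing section against them. The in-memory document store, the users alice and bob, and the sequential ids 5 and 6 are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample store: document id -> (owner, content). Ids are
# sequential, exactly the guessable reference the wiki warns about.
DOCUMENTS = {
    5: ("alice", "alice's tax return"),
    6: ("bob", "bob's medical record"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_document_vulnerable(current_user, doc_id):
    """IDOR pattern: the id from the request is used directly and the
    caller's identity is never compared with the object's owner."""
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    return DOCUMENTS[doc_id][1]


def get_document_checked(current_user, doc_id):
    """Same direct reference, but access is checked on every request."""
    owner, content = DOCUMENTS.get(doc_id, (None, None))
    if owner is None or owner != current_user:
        # One answer for "not yours" and "does not exist", so a caller
        # cannot learn which ids are in use from the error.
        raise NotFound(doc_id)
    return content


@dataclass
class Session:
    user: str
    # opaque per-session token -> real document id
    ref_map: dict = field(default_factory=dict)


def issue_reference(session, doc_id):
    """Indirect reference: hand out a random token instead of the raw id.
    Only the owner can obtain a token, and the map lives in the session."""
    owner, _ = DOCUMENTS.get(doc_id, (None, None))
    if owner != session.user:
        raise Forbidden(doc_id)
    token = secrets.token_urlsafe(16)
    session.ref_map[token] = doc_id
    return token


def get_document_indirect(session, token):
    """Resolve the token through the session map, then still re-check
    ownership: indirection narrows the guessing space, the access check
    remains the actual control."""
    doc_id = session.ref_map.get(token)
    if doc_id is None:
        raise NotFound(token)
    return get_document_checked(session.user, doc_id)


def denied(handler, *args):
    """True when the handler refuses the request (either error type)."""
    try:
        handler(*args)
    except (NotFound, Forbidden):
        return True
    return False


def cross_account_check(handler, user_a, id_a, user_b, id_b):
    """The two-account test from the Testing section, automated: each user
    must be able to read their own object and be refused the other's.
    Returns True when the handler enforces this, False if it is vulnerable."""
    own_ok = (handler(user_a, id_a) == DOCUMENTS[id_a][1]
              and handler(user_b, id_b) == DOCUMENTS[id_b][1])
    cross_denied = denied(handler, user_a, id_b) and denied(handler, user_b, id_a)
    return own_ok and cross_denied


if __name__ == "__main__":
    print("vulnerable passes check:", cross_account_check(get_document_vulnerable, "alice", 5, "bob", 6))
    print("checked passes check:   ", cross_account_check(get_document_checked, "alice", 5, "bob", 6))
    alice = Session("alice")
    tok = issue_reference(alice, 5)
    print("alice via token:", get_document_indirect(alice, tok))
    print("bob with alice's token denied:", denied(get_document_indirect, Session("bob"), tok))
```

The `cross_account_check` function is the same procedure as the manual test above, so it can be run in a regression suite against any id-based handler. Note that the indirect variant still calls the ownership check: a random token only raises the cost of guessing, and the second Prevention bullet is what actually blocks access to another user's object.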

References