Security Testing Quick Guide

Insecure Direct Object References

An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key, without any validation mechanism. This allows attackers to manipulate these references to access data they are not authorized to see.

Let us understand the Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impact of this flaw with the help of a simple diagram.

[Diagram: insecure direct object reference (threat agents, attack vectors, security weakness, technical and business impacts)]

Example

The app uses unverified data in a SQL call that accesses account information.

String sqlquery = "SELECT * FROM useraccounts WHERE account = ?";
PreparedStatement st = connection.prepareStatement(sqlquery);
// The 'acct' value comes straight from the request; the prepared statement
// prevents SQL injection, but nothing checks that the logged-in user may
// see this account.
st.setString(1, request.getParameter("acct"));
ResultSet results = st.executeQuery();

The attacker modifies the 'acct' query parameter in their browser to point to the admin account.

http://webapp.com/app/accountInfo?acct=admin
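The following is an added example, not code from the page or from WebGoat: the same lookup written twice in Python with sqlite3, once in the vulnerable shape above and once with the ownership check built into the query. The table layout, the account names and the DENIED_ATTEMPTS audit list are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the page): two accounts in an in-memory DB.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE useraccounts (account TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO useraccounts VALUES (?, ?, ?)",
        [("alice-checking", "alice", 120), ("admin", "admin", 999999)])
    conn.commit()
    return conn

# Rejected lookups are recorded here so that a user cycling through 'acct'
# values becomes visible in monitoring (hypothetical audit sink).
DENIED_ATTEMPTS = []

def account_info_vulnerable(conn, acct):
    """Same shape as the page's snippet: 'acct' is taken from the request as-is.
    The parameterised query prevents SQL injection, but nothing ties the row
    to the caller, so acct=admin returns the admin account to anyone."""
    return conn.execute(
        "SELECT * FROM useraccounts WHERE account = ?", (acct,)).fetchone()

def account_info_checked(conn, session_user, acct):
    """Hardened form: the authorisation condition is part of the query, so a
    row comes back only if it belongs to the authenticated session user."""
    row = conn.execute(
        "SELECT * FROM useraccounts WHERE account = ? AND owner = ?",
        (acct, session_user)).fetchone()
    if row is None:
        # One response for both 'no such account' and 'not your account',
        # so the endpoint cannot be used to confirm which accounts exist.
        DENIED_ATTEMPTS.append((session_user, acct))
        raise PermissionError("account not found or not accessible")
    return row

if __name__ == "__main__":
    db = make_db()
    print(account_info_vulnerable(db, "admin"))            # leaks the admin row
    print(account_info_checked(db, "alice", "alice-checking"))
    try:
        account_info_checked(db, "alice", "admin")
    except PermissionError as e:
        print("denied:", e)
```

The point of the hardened version is that the authorisation decision is made from the session, not from the request: the client can change 'acct' freely, but only rows whose owner matches the session user are ever returned.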

Hands On

Step 1 − Log in to WebGoat and navigate to the Access Control Flaws section. The goal is to retrieve tomcat-users.xml by navigating to the path where it is located. Below is a snapshot of the scenario.

[Screenshot: WebGoat access control flaws lesson]

Step 2 − The path of the file is displayed in the 'the current directory is' field: C:\Users\userName$\.extract\webapps\WebGoat\lesson_plans\en. We also know that the tomcat-users.xml file is kept under C:\xampp\tomcat\conf.

Step 3 − We need to traverse all the way out of the current directory and navigate from the C:\ drive. We can do this by intercepting the traffic using Burp Suite.

[Screenshot: request intercepted in Burp Suite]

Step 4 − If the attempt is successful, it displays tomcat-users.xml along with the message "Congratulations. You have successfully completed this lesson."

[Screenshot: tomcat-users.xml displayed with the lesson completion message]
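The lesson above works because the file handler trusts the supplied path. As an added example (not part of the page or of WebGoat), here is the check a file-serving handler can apply so a requested name is resolved against its base directory and refused whenever the resolved path lands outside it. The base directory path is hypothetical; the check is done on the resolved path, not on the string the client sent.

```python
from pathlib import Path

def resolve_within(base_dir, requested):
    """Return the absolute path for `requested` only if it stays inside base_dir.

    '..' segments, absolute paths and symlinks are all resolved before the
    containment check, so the comparison is made on the final real path rather
    than on the text of the request. Backslashes are treated as separators
    because the lesson runs on Windows (an assumption of this example)."""
    base = Path(base_dir).resolve()
    candidate = (base / requested.replace("\\", "/")).resolve()
    try:
        # relative_to() works on path components, so a sibling directory that
        # merely shares a prefix (lesson_plans_other) is rejected as well.
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"request escapes the lesson directory: {requested!r}")
    return candidate

def is_safe_request(base_dir, requested):
    """Boolean form of the same check, for use in a request filter."""
    try:
        resolve_within(base_dir, requested)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    base = "/srv/webgoat/lesson_plans"   # hypothetical base directory
    for name in ["en/lesson.html", "../../../conf/tomcat-users.xml", "/etc/passwd"]:
        verdict = "allowed" if is_safe_request(base, name) else "rejected"
        print(f"{name!r:40} -> {verdict}")
```

Denied requests are worth logging with the session that sent them: a single user producing many rejected paths is a clear signal in the access log.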

Preventive Mechanisms

Developers can use the following points as a guideline to prevent insecure direct object references during the development phase itself.

  1. Developers should use indirect object references that are specific to each user or session.

  2. It is also recommended to check access rights before using a direct object reference that comes from an untrusted source.
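The following is an added example of the first point, not code from the page or from WebGoat: a per-session map that hands the client opaque tokens instead of real account names or database keys, and resolves them server-side. The class name, the URL shape and the account names are assumptions of this example. Tokens are issued only while rendering objects the user is allowed to see, so the map does not replace the access check of the second point; it removes the real identifiers from the client's reach.

```python
import secrets

class IndirectReferenceMap:
    """Per-session mapping between opaque tokens sent to the client and the
    real object keys kept on the server. The client never sees 'admin' or a
    database id, only tokens this session issued."""

    def __init__(self):
        self._to_real = {}    # token -> real key
        self._to_token = {}   # real key -> token, so each key gets one token per session

    def token_for(self, real_key):
        """Issue (or reuse) the session's token for an object. Call this only
        for objects the session user is authorised to access."""
        if real_key not in self._to_token:
            token = secrets.token_urlsafe(16)     # unguessable, 128 bits of entropy
            self._to_token[real_key] = token
            self._to_real[token] = real_key
        return self._to_token[real_key]

    def resolve(self, token):
        """Map a token back to the real key. A token this session never issued
        (including a real key typed in directly) is refused."""
        if token not in self._to_real:
            raise PermissionError("unknown object reference")
        return self._to_real[token]

def render_account_list(session_map, owned_accounts):
    """What the server puts in the page: links carrying tokens, not account names."""
    return {acct: f"/app/accountInfo?acct={session_map.token_for(acct)}"
            for acct in owned_accounts}

def handle_account_info(session_map, token, lookup):
    """Request handler: translate the token first, then do the real lookup."""
    real_key = session_map.resolve(token)
    return lookup(real_key)

if __name__ == "__main__":
    session = IndirectReferenceMap()
    links = render_account_list(session, ["alice-checking"])
    print(links)                                   # token, not 'alice-checking'
    token = links["alice-checking"].split("acct=")[1]
    print(handle_account_info(session, token, lambda k: f"row for {k}"))
    try:
        handle_account_info(session, "admin", lambda k: f"row for {k}")
    except PermissionError as e:
        print("denied:", e)
```

Because the map lives in the session, a token copied from one user's page is meaningless in another session, and the real identifier only ever appears in server-side code.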