Tuesday, 22 March 2016

OWASP : Insecure Direct Object Reference

Insecure Direct Object Reference:

  1. Insecure direct object reference occurs when an application provides direct access to objects (database records, files, etc.) based on user-supplied input, without checking that the requesting user is authorised to access that object.
  2. This means that when object references are not handled securely by the developer, an attacker can change the value in the URL and, by doing so, view or edit information belonging to other users, which ideally he should not be able to view or edit.
  3. e.g.: suppose there are two types of users, i) a normal user and ii) an admin user. When the normal user opens the site and changes the value in the URL, he can view the admin's information and may be able to edit it as well.
  4. e.g.: the link www.abc/a.php?id=1111 returns the normal user's own details, which he is allowed to edit.
  5. But when the attacker changes the value of id to 1288, as in www.abc/a.php?id=1288, he can view the admin's page and update the admin's information.
  6. So this occurs when object references are not handled securely by the developer, and the attacker is able to view or edit other users' database records, file information, etc.
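The scenario above, as an added example that is not part of the original post: the vulnerable lookup keyed directly on the `id` from the URL, beside a fixed version that checks the logged-in user's authorisation server-side. The ids 1111 (normal user) and 1288 (admin) come from the post; the record store, the session user and the function names are constructed here.

```python
"""Added example (not from the original post): an insecure direct object
reference modelled on the post's a.php?id=... URL, beside the fixed version.
The record store, session handling and function names are constructed."""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: profiles keyed by the id that appears in the URL.
PROFILES = {
    1111: {"owner": 1111, "name": "normal user", "role": "user"},
    1288: {"owner": 1288, "name": "admin user", "role": "admin"},
}

def requested_id(url):
    """Extract the integer id from a link such as www.abc/a.php?id=1111.
    Returns None if the query string carries no usable id."""
    qs = parse_qs(urlparse("//" + url).query)
    try:
        return int(qs["id"][0])
    except (KeyError, ValueError):
        return None

def view_profile_vulnerable(session_user, url):
    """IDOR: the id from the URL is used directly, so whoever is logged in can
    read (and, in the post's scenario, edit) any record just by changing it."""
    return PROFILES.get(requested_id(url))

def view_profile_fixed(session_user, url):
    """Fix: the record is returned only if the logged-in user owns it or has
    the admin role. The decision is made against the server-side session,
    never against the user-supplied id alone."""
    record = PROFILES.get(requested_id(url))
    if record is None:
        return None
    caller = PROFILES[session_user]
    if record["owner"] != session_user and caller["role"] != "admin":
        return None  # deny; a real handler would answer 403/404 and log it
    return record

if __name__ == "__main__":
    # Normal user 1111 tampers with the id, as described in the post.
    print(view_profile_vulnerable(1111, "www.abc/a.php?id=1288"))  # admin record leaks
    print(view_profile_fixed(1111, "www.abc/a.php?id=1288"))       # None
```

Besides the ownership check shown here, OWASP's other recommended mitigation is to expose per-session indirect references instead of raw database ids, so the real key never appears in the URL at all.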
