Possible Insecure Direct Object References (IDOR)

Reference

Plugin Id: 421001 | CWE: 639

Remediation

To mitigate the risk of Insecure Direct Object References (IDOR) vulnerabilities in your OpenAPI specification, consider implementing the following measures:

  1. Proper Access Controls: Ensure that access controls are properly implemented and enforced. Use OpenAPI security schemes to define authentication and authorization requirements. For example, use OAuth2 security schemes for more granular control over access to API endpoints.

    components:
      # Security schemes are declared under components in an OpenAPI 3 document.
      securitySchemes:
        OAuth2:
          type: oauth2
          flows:
            authorizationCode:
              authorizationUrl: https://example.com/oauth/authorize
              tokenUrl: https://example.com/oauth/token
              scopes:
                read: Read access
                write: Write access
    
  2. Indirect Object References: Replace direct object references with indirect ones. Utilize a combination of unique, non-sequential IDs and user-specific tokens. In OpenAPI, define parameters that are not predictable.

    paths:
      /items/{itemId}:
        get:
          summary: Get an item
          parameters:
            - name: itemId
              in: path
              required: true
              schema:
                type: string
                format: uuid
    
  3. Context-based Access Controls: Define role-based access control in your OpenAPI specification. Utilize security scopes to restrict access based on user roles and the context of the request.

    paths:
      /admin/data:
        get:
          summary: Access admin data
          security:
            # The admin scope must also be declared under the OAuth2 scheme's scopes.
            - OAuth2: [admin]
    
  4. Input Validation and Sanitization: In your OpenAPI spec, strictly define acceptable input formats, types, and lengths. Use regular expressions for pattern validation to ensure that only legitimate input is processed.

    parameters:
      - name: username
        in: query
        schema:
          type: string
          pattern: '^[a-zA-Z0-9]{5,12}$'
    
  5. Regular Security Testing and Code Reviews: Regularly test your API using tools that understand OpenAPI specifications. Automated testing can identify potential IDOR vulnerabilities based on your spec.
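The spec-based check mentioned in item 5, as an added example (not code from the scanner or from the original page): it walks a parsed OpenAPI document and flags operations that take a path identifier but declare no security requirement or no `format: uuid`. The function name `find_idor_candidates` and the sample spec are constructed for illustration.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample spec (an OpenAPI document already parsed into a dict).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/items/{itemId}": {
            "get": {
                "security": [{"OAuth2": ["read"]}],
                "parameters": [{"name": "itemId", "in": "path", "required": True,
                                "schema": {"type": "string", "format": "uuid"}}],
            },
        },
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"summary": "Get an order"},
            "delete": {"security": []},
        },
    },
}


def find_idor_candidates(spec):
    """Return sorted (method, path, issue) tuples for operations worth reviewing."""
    findings = []
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level params apply to every operation
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level parameters override path-level ones of the same name.
            # Limitation of this example: $ref parameters are not resolved and are skipped.
            merged = {p["name"]: p for p in shared + op.get("parameters", [])
                      if p.get("in") == "path"}
            if not merged:
                continue  # no object reference in the path
            # Operation-level security replaces the global one; [] or {} allows anonymous calls.
            sec = op.get("security", global_security)
            if not sec or {} in sec:
                findings.append((method.upper(), path, "no security requirement"))
            for name, p in merged.items():
                if p.get("schema", {}).get("format") != "uuid":
                    findings.append((method.upper(), path, f"id '{name}' not declared as format: uuid"))
    return sorted(findings)
```

A clean result only means the spec declares the controls; the server still has to verify on every request that the authenticated caller is allowed to access the referenced object.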

About

Insecure Direct Object References (IDOR) occur when an application allows direct access to objects based on user-supplied input. Recognized as a common security issue in web applications, IDOR vulnerabilities can lead to unauthorized access or actions. They were first highlighted in the OWASP 2007 Top Ten.

Risks

The risks associated with IDOR vulnerabilities include unauthorized access to sensitive data, privilege escalation, data manipulation or deletion, and legal/compliance implications. Addressing these vulnerabilities is crucial for maintaining data confidentiality, integrity, availability, and user trust.