HawkScan Test Info for Possible Insecure Direct Object References (IDOR)

Possible Insecure Direct Object References (IDOR)

Reference

Plugin Id: 421001 | CWE: 639

Remediation

To mitigate the risk of Insecure Direct Object References (IDOR) vulnerabilities in your OpenAPI specification, consider implementing the following measures:

  1. Proper Access Controls: Ensure that access controls are properly implemented and enforced. Use OpenAPI security schemes to define authentication and authorization requirements. For example, use OAuth2 security schemes for more granular control over access to API endpoints.

    securitySchemes:
      OAuth2:
        type: oauth2
        flows:
          authorizationCode:
            authorizationUrl: https://example.com/oauth/authorize
            tokenUrl: https://example.com/oauth/token
            scopes:
              read: Read access
              write: Write access
    
  2. Indirect Object References: Replace direct object references with indirect ones. Utilize a combination of unique, non-sequential IDs and user-specific tokens. In OpenAPI, define parameters that are not predictable.

    paths:
      /items/{itemId}:
        get:
          summary: Get an item
          parameters:
            - name: itemId
              in: path
              required: true
              schema:
                type: string
                format: uuid
    
  3. Context-based Access Controls: Define role-based access control in your OpenAPI specification. Utilize security scopes to restrict access based on user roles and the context of the request.

    paths:
      /admin/data:
        get:
          summary: Access admin data
          security:
            - OAuth2: [admin]
    
  4. Input Validation and Sanitization: In your OpenAPI spec, strictly define acceptable input formats, types, and lengths. Use regular expressions for pattern validation to ensure that only legitimate input is processed.

    parameters:
      - name: username
        in: query
        schema:
          type: string
          pattern: '^[a-zA-Z0-9]{5,12}$'
    
  5. Regular Security Testing and Code Reviews: Regularly test your API using tools that understand OpenAPI specifications. Automated testing can identify potential IDOR vulnerabilities based on your spec.

About

Insecure Direct Object References (IDOR) occur when an application allows direct access to objects based on user-supplied input. Recognized as a common security issue in web applications, IDOR vulnerabilities can lead to unauthorized access or actions. They were first highlighted in the OWASP 2007 Top Ten.

Risks

The risks associated with IDOR vulnerabilities include unauthorized access to sensitive data, privilege escalation, data manipulation or deletion, and legal/compliance implications. Addressing these vulnerabilities is crucial for maintaining data confidentiality, integrity, availability, and user trust.