A4 INSECURE DIRECT OBJECT REFERENCE
Introduction
Insecure Direct Object Reference occurs when part or all of a website can be accessed without proper authentication or without the request's input being checked for authorisation. Examples include traversing the directories on the server through the parent directory, or entering the URL of an internal page manually to skip past the login screen. This can allow attackers to record the entire directory listing and download its contents to their own machine.
Tools needed:
- BurpSuite
Video: Insecure Direct Object Reference
Other possible methods:
Some tips for solving the vulnerability are to:
- Check for the session cookie before allowing access
- Perform an authorisation check before allowing a user to commence a sensitive function
- Block or redirect all traffic to the home page if there is no session cookie
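The following is an added example, not code from the original page, modelling the vulnerability described in the introduction next to the mitigation tips above. The document store, the session store, the user names and the document ids are all constructed sample data; the function names are the example's own.

```python
# Added example: an insecure direct object reference and the hardened lookup
# that checks the session cookie and authorises the specific object.
# All data below (documents, sessions, users) is constructed for the example.

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two users, each owning one private document.
DOCUMENTS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's private notes"),
}

# Constructed session store: session cookie value -> authenticated user.
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


class AccessDenied(Exception):
    """Raised when a request must be refused (in a web app: redirect to login/home)."""


def fetch_document_insecure(doc_id: int) -> Document:
    """Vulnerable form: the id taken from the request is used directly.

    Nothing ties the id to the caller, so anyone who can guess or increment
    doc_id receives any document in the store.
    """
    return DOCUMENTS[doc_id]


def fetch_document_secure(session_cookie, doc_id: int) -> Document:
    """Hardened form, following the three tips on the page.

    1. Require a valid session cookie before doing anything.
    2. Authorise the authenticated user against the specific object.
    3. Refuse (redirect) when either check fails.
    """
    user = SESSIONS.get(session_cookie)
    if user is None:
        # No or unknown session cookie: block/redirect to the home or login page.
        raise AccessDenied("no valid session; redirect to home page")

    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != user:
        # Same response for a missing object and for someone else's object,
        # so the error text does not reveal which ids exist.
        raise AccessDenied("not authorised for this object")
    return doc


def can_read(session_cookie, doc_id: int) -> bool:
    """Convenience wrapper: True if the hardened lookup would succeed."""
    try:
        fetch_document_secure(session_cookie, doc_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # Insecure lookup: no session needed, any id works.
    print("insecure:", fetch_document_insecure(2).body)
    # Hardened lookup: own document allowed, another user's document refused.
    print("alice -> doc 1:", can_read("sess-alice", 1))
    print("alice -> doc 2:", can_read("sess-alice", 2))
    print("no cookie -> doc 1:", can_read(None, 1))
```

The key point is that the session check alone is not enough: a logged-in user who changes the id in the request would still reach another user's object, so the owner comparison in the second check is what actually closes the direct object reference.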