Summary
CISA and its partners recently released an advisory to warn vendors, designers, developers, and end-users of web applications about IDOR vulnerabilities, which are access control vulnerabilities that enable threat actors to modify or delete data. In addition, these vulnerabilities enable threat actors to access sensitive data by issuing requests to a web application programming interface (API) specifying the user identifier of valid users. These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers
Description & Consequence
Threat actors actively abuse IDOR vulnerabilities using automation tools to gain access to the sensitive information of millions of consumers. IDOR vulnerabilities are exploited by issuing requests to a website or web API specifying the user identifier of other, valid users. These attacks are usually made possible due to insufficient authentication and authorization checks. For example, an application or API may require an identifier such as an ID number, name, or key to directly access an object such as a database record; however, an attacker may have a valid ID number, name, or key.
The IDOR vulnerabilities can give rise to the possibility of any or all of the following:
- Horizontal IDOR vulnerabilities which occurs when a user can access data that they should not be able to access at the same privilege level (e.g., other user’s data).
- Vertical IDOR vulnerabilities which occurs when a user can access data that they should not be able to access because the data requires a higher privilege level.
- Object-level IDOR vulnerabilities which occurs when a user can modify or delete an object that they should not be able to modify or delete.
- Function-level IDOR vulnerabilities which occurs when a user can access a function or action that they should not be able to access.
Solution
Vendors, designers, developers, and implementors of web applications are advised to do the following to reduce the prevalence of IDOR vulnerabilities.
- Build adequate authentication and authorization checks for any request that modifies, deletes, or accesses data, implement secure-by-design principles, and follow cybersecurity best practices.
- Secure coding practices should be followed, such as ensuring that identifiers are not exposed in URLs and configuring applications to deny access by default and performing authentication and authorization checks for every request to modify, delete, or access sensitive data.
- CAPTCHA is recommended for limiting automated invalid user requests and code reviews to check for backdoors, malicious content, and logic flaws, and to verify compliance with security requirements.
- Organizations should develop and maintain a cyber incident response and communication plan that can be implemented immediately in the event of a cyber incident or data breach.
- Organizations should exercise due diligence when selecting web applications and apply patches as soon as they become available.
- Configure applications to log and generate alerts from tamper attempts—with this information, network defenders can investigate and take appropriate follow-on actions.
Reference
- https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-and-partners-release-joint-cybersecurity-advisory-preventing-web-application-access-control
- https://csrc.nist.gov/pubs/sp/800/218/final
- https://media.defense.gov/2023/Jul/27/2003269443/-1/-1/0/JOINT-CSA-PREVENTING-WEB-APPLICATION-ACCESS-CONTROL-ABUSE.PDF
Revision
