A new advisory released by CISA is warning vendors, designers, developers and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities.

In a joint cybersecurity advisory released last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and the U.S. National Security Agency (NSA), warned of breach risks from IDOR web app vulnerabilities.

“IDOR vulnerabilities, which can lead to unauthorized access or modification of sensitive data, are a substantial risk, resulting in alarming consequences such as identity theft, financial loss and reputational damage,” says Saeed Abbasi, Manager of Vulnerability and Threat Research at Qualys.

In the release, the ACSC, CISA and NSA are encouraging vendors, designers, developers and end-user organizations to implement recommendations found within the Mitigations section of the advisory.

Security leaders weigh in

Saeed Abbasi, Manager of Vulnerability and Threat Research at Qualys

“In combatting IDOR, it's essential to have proper authorization checks and indirect object references in place. A comprehensive defense strategy against IDOR cyber threats involves a blend of proactive and reactive measures. It begins by embracing the principle of least privilege, enforcing strict input validation and conducting regular code reviews, penetration testing and developer security training, thereby setting up a robust proactive defense wall. Simultaneously, initiating threat modeling, implementing rate limiting, deploying powerful authorization frameworks, applying secure session management and employing encryption techniques to protect sensitive data is essential. The strategy is fortified by the critical role of monitoring and anomaly detection systems, ensuring a resilient and dynamic response to ever-evolving threats.

“Along with these measures, innovative approaches like gamification of security training, cultivating a culture of security mindfulness and using AI-powered security tools can significantly boost the prevention of IDOR vulnerabilities. Simultaneously, applying vulnerability management tools ensures automated detection, prioritization and remediation of vulnerabilities, enhancing the organization's security posture.”

Mike Parkin, Senior Technical Engineer at Vulcan Cyber

“The key to these vulnerabilities is right in the name of the function: insecure direct object reference (IDOR). While there are legitimate use cases where they're perfectly valid and don't add unacceptable security risks, the fact that they are insecure by default means their use should be limited. The recommendation from ACSC, CISA and the NSA is what developers should have been doing already.

“Security best practices would have developers use IDOR sparingly and never in a case where a user could compromise the system just by manipulating the calls. Everything in this joint recommendation is something the developers should already be doing. It's basic secure coding practice, not rocket science.”

Casey Ellis, Founder and CTO at Bugcrowd

“IDOR is a very common vulnerability that provides an attacker access to data they shouldn’t be able to see. It’s also very simple to abuse. As an example, if a website is vulnerable to IDOR, simply changing or incrementing a numeric value in the URL of a logged-in user number will provide access to a different user’s information.

“The timing and nature of the announcement is interesting — this is very explicit AppSec-focused guidance, which is unusual for ACSC/CISA/NSA advisories, but I suspect it was prompted by the Optus breach in 2022, which saw the details of a large percentage of the Australian population stolen because of a combination of poor API security and the presence of IDOR.”
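The two defenses Abbasi names (authorization checks and indirect object references) and the "change the number in the URL" behaviour Ellis describes can be shown side by side in a few lines. The following is an added Python example written for this article; it is not code from the advisory, CISA, or any of the quoted vendors. The invoice table, the user names, and the handler functions are constructed for illustration, and the request handlers are plain functions rather than a real web framework so the logic runs offline.

```python
import secrets

# Constructed sample data (not from the advisory): invoice id -> record.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
    1003: {"owner": "alice", "amount": 42.00},
}


class Forbidden(Exception):
    """Raised when a request must be refused; maps to HTTP 403/404 in a real app."""


def get_invoice_vulnerable(session_user, invoice_id):
    """IDOR pattern: trusts the client-supplied id and never asks whether the
    logged-in user owns the record, so any authenticated user can read any
    invoice by changing the number in the URL."""
    return INVOICES[invoice_id]


def get_invoice_checked(session_user, invoice_id):
    """Fix 1: object-level authorization. Look the record up, then verify the
    session user owns it. Missing and unowned records get the same refusal so
    the endpoint does not become an oracle for which ids exist."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not access invoice {invoice_id}")
    return record


class ReferenceMap:
    """Fix 2: indirect object references. Each session keeps its own map from
    unguessable tokens to real ids; the client only ever sees tokens, and only
    tokens this session issued can be resolved."""

    def __init__(self):
        self._token_to_id = {}

    def issue(self, real_id):
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = real_id
        return token

    def resolve(self, token):
        try:
            return self._token_to_id[token]
        except KeyError:
            raise Forbidden("unknown reference") from None


def list_invoices(session_user, refmap):
    """The listing endpoint issues tokens only for records the user owns."""
    return {
        refmap.issue(invoice_id): record["amount"]
        for invoice_id, record in INVOICES.items()
        if record["owner"] == session_user
    }


def get_invoice_indirect(session_user, refmap, token):
    """Detail endpoint: resolve the token, then still enforce ownership
    (defense in depth in case a map is ever shared or leaked)."""
    return get_invoice_checked(session_user, refmap.resolve(token))


def run_checks():
    """Replay the 'change the number in the URL' request against all three
    handlers and report what each one did."""
    results = {}
    # Vulnerable handler: alice asks for bob's invoice and receives it.
    results["vulnerable_leaks"] = get_invoice_vulnerable("alice", 1002)["owner"] == "bob"
    # Authorization check: the same request is refused.
    try:
        get_invoice_checked("alice", 1002)
        results["checked_refuses"] = False
    except Forbidden:
        results["checked_refuses"] = True
    # Indirect references: alice's session can only resolve her own tokens.
    refmap = ReferenceMap()
    tokens = list_invoices("alice", refmap)
    results["tokens_issued"] = len(tokens)
    results["own_record_ok"] = all(
        get_invoice_indirect("alice", refmap, t)["owner"] == "alice" for t in tokens
    )
    try:
        get_invoice_indirect("alice", refmap, "1002")  # a raw id is not a valid token
        results["raw_id_refused"] = False
    except Forbidden:
        results["raw_id_refused"] = True
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The ownership check is the fix that matters; the token map only removes the guessable identifier from the URL and should sit on top of the check, not replace it, which is why `get_invoice_indirect` still calls `get_invoice_checked` after resolving the token.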