A4 – Insecure Direct Object References
Let's remember this definition:
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
In some scenarios this requires the attacker (who is themselves a legitimate user of the site) to know something about the targeted resource, so that they can replace the value the application expects (such as their own account number) with the victim's (another account number, in this case).
The canonical example offered by OWASP recreates a scenario in which an account is looked up with a SQL query:
// Parameterized query: the bound parameter stops SQL injection, but nothing ties
// the requested account to the logged-in user, so any account number can be read.
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, …);
pstmt.setString(1, request.getParameter("accountNo")); // value is attacker-controlled
ResultSet results = pstmt.executeQuery();
The...
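The following is an added example, not OWASP's code: it reproduces the account lookup above in Python with sqlite3 (in place of Java/JDBC) so the two failure modes can be separated. The parameter binding already defends against SQL injection; the direct object reference problem is that the only input deciding which row comes back is the request-supplied account number. The hardened variant scopes the query to the owner id taken from the authenticated session, and a small indirect-reference map shows the other OWASP-recommended option of never exposing the database key at all. The `accts` table with an `owner_id` column and the sample rows are constructed for this example.

```python
import sqlite3
from typing import Dict, Optional, Tuple

# Constructed sample data: two customers, each owning one account.
# Columns are (account, owner_id, balance); the owner_id column is assumed.
SAMPLE_ROWS = [("1001", 1, 500), ("1002", 2, 9000)]


def make_db() -> sqlite3.Connection:
    """Create an in-memory accounts table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accts (account TEXT PRIMARY KEY, "
        "owner_id INTEGER NOT NULL, balance INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO accts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_insecure(conn: sqlite3.Connection, account_no: str) -> Optional[Tuple[str, int]]:
    """Equivalent of the OWASP snippet: the bound parameter prevents SQL
    injection, but the row returned depends only on the request-supplied
    account number, so any authenticated user can read any account."""
    return conn.execute(
        "SELECT account, balance FROM accts WHERE account = ?", (account_no,)
    ).fetchone()


def lookup_secure(
    conn: sqlite3.Connection, account_no: str, current_user_id: int
) -> Optional[Tuple[str, int]]:
    """Same lookup with the missing access control check: the query is scoped
    to the user id taken from the server-side session, never from the request.
    A request for someone else's account simply returns no row."""
    return conn.execute(
        "SELECT account, balance FROM accts WHERE account = ? AND owner_id = ?",
        (account_no, current_user_id),
    ).fetchone()


def indirect_reference_map(conn: sqlite3.Connection, current_user_id: int) -> Dict[str, str]:
    """Alternative mitigation: hand the client per-user indirect references
    ("1", "2", ...) instead of the database key, and resolve them server-side.
    The map only ever contains rows the current user owns."""
    rows = conn.execute(
        "SELECT account FROM accts WHERE owner_id = ? ORDER BY account",
        (current_user_id,),
    ).fetchall()
    return {str(i): account for i, (account,) in enumerate(rows, start=1)}


def resolve_indirect(
    conn: sqlite3.Connection, current_user_id: int, ref: str
) -> Optional[Tuple[str, int]]:
    """Translate a client-visible indirect reference back to the real key;
    an unknown reference cannot name another user's account."""
    account_no = indirect_reference_map(conn, current_user_id).get(ref)
    if account_no is None:
        return None
    return lookup_secure(conn, account_no, current_user_id)


if __name__ == "__main__":
    db = make_db()
    # User 1 asks for account 1002, which belongs to user 2.
    print("insecure:", lookup_insecure(db, "1002"))      # row leaks
    print("secure:  ", lookup_secure(db, "1002", 1))     # None
    print("indirect:", resolve_indirect(db, 1, "1"))     # user 1's own account
```

The key design point is where the second predicate's value comes from: `current_user_id` must be derived from the authenticated session on the server, because a check against a user id that is itself read from the request would be just another direct object reference.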