Top 10 2007-Insecure Direct Object Reference - Revision history

Wichers at 02:42, 19 April 2010

2010-04-19T02:42:43Z

Wichers at 13:21, 25 September 2009

2009-09-25T13:21:04Z

KirstenS: Undo revision 52136 by KirstenS (Talk)

2009-01-27T01:44:36Z

Undo revision 52136 by KirstenS (Talk)

KirstenS: /* Vulnerability */

2009-01-27T01:43:56Z

‎Vulnerability

KirstenS: /* Vulnerability */

2009-01-27T01:42:54Z

‎Vulnerability

KirstenS: /* Vulnerability */

2009-01-27T01:42:32Z

‎Vulnerability

KirstenS at 01:41, 27 January 2009

2009-01-27T01:41:52Z

KirstenS: /* References */

2008-12-07T17:55:12Z

‎References

KirstenS: /* References */

2008-12-07T17:34:43Z

‎References

KirstenS: /* References */

2008-09-21T00:02:56Z

‎References

@@ Line 1: / Line 1: @@
 {{Top_10_2007:TopTemplate|usenext=NextLink|next=-Cross Site Request Forgery|useprev=PrevLink|prev=-Malicious File Execution|usemain=MainLink|main=}}
 A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorization, unless an access control check is in place.
@@ Line 72: / Line 71: @@
 {{Top_10_2007:BottomTemplate|usenext=NextLink|next=-Cross Site Request Forgery|useprev=PrevLink|prev=-Malicious File Execution|usemain=MainLink|main=}}

@@ Line 61: / Line 61: @@
 *[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4369 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4369]
 *[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0229 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0229]
 == References ==
-*CWE: CWE-22 (Path Traversal), CWE-472 (Web Parameter Tampering)
+*CWE: [http://cwe.mitre.org/data/definitions/639.html CWE-639 (Access Control Bypass Through User-Controlled Key)] - What OWASP refers to as an Insecure Direct Object Reference.
-*WASC Threat Classification: [http://www.webappsec.org/projects/threat/classes/abuse_of_functionality.shtml http://www.webappsec.org/projects/threat/classes/abuse_of_functionality.shtml], [http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml]
+*CWE: [http://cwe.mitre.org/data/definitions/22.html CWE-22 (Path Traversal)] - An example of a direct object reference is a filename parameter, which the user could manipulate to access unauthorized files, even in completely different directories.
-*OWASP Testing Guide, [[Testing for business logic   (OWASP-BL-001)|Testing for business logic]]
+*WASC Threat Classification: http://www.webappsec.org/projects/threat/classes/abuse_of_functionality.shtml, http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml
 *OWASP Testing Guide, [[Testing for Path Traversal  (OWASP-AZ-001)|Testing for Path Traversal]]
 *OWASP [[:Category:Access_Control_Vulnerability|Access Control Vulnerability]]
 {{Top_10_2007:BottomTemplate|usenext=NextLink|next=-Cross Site Request Forgery|useprev=PrevLink|prev=-Malicious File Execution|usemain=MainLink|main=}}

@@ Line 22: / Line 22: @@
   <code>require_once ($_REQUEST['language’]."lang.php");</code>
-Such code can be attacked using a string like "../../../../etc/passwd%00" using [[Data_Validation|null byte injection]] (see the [[Category:OWASP_Guide_Project|OWASP Development Guide]] for more information) to access any file on the web server’s file system.
+Such code can be attacked using a string like "../../../../etc/passwd%00" using [[Data_Validation|null byte injection]] (see the [[OWASP_Guide_Project|OWASP Development Guide]] for more information) to access any file on the web server’s file system.
 Similarly, references to database keys are frequently exposed. An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature. In the example below, even if an application does not present any links to unauthorized carts, and no SQL injection is possible, an attacker can still change the cartID parameter to whatever cart they want.

@@ Line 22: / Line 22: @@
   <code>require_once ($_REQUEST['language’]."lang.php");</code>
-Such code can be attacked using a string like "../../../../etc/passwd%00" using [[Data_Validation|null byte injection]] (see the [[OWASP_Guide_Project|OWASP Development Guide]] for more information) to access any file on the web server’s file system.
+Such code can be attacked using a string like "../../../../etc/passwd%00" using [[Data_Validation|null byte injection]] (see the [[Category:OWASP_Guide_Project|OWASP Development Guide]] for more information) to access any file on the web server’s file system.
 Similarly, references to database keys are frequently exposed. An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature. In the example below, even if an application does not present any links to unauthorized carts, and no SQL injection is possible, an attacker can still change the cartID parameter to whatever cart they want.

@@ Line 22: / Line 22: @@
   <code>require_once ($_REQUEST['language’]."lang.php");</code>
-Such code can be attacked using a string like "../../../../etc/passwd%00" using [[Data_Validation|null byte injection]] (see the [{OWASP_Guide_Project|OWASP Development Guide]] for more information) to access any file on the web server’s file system.
+Such code can be attacked using a string like "../../../../etc/passwd%00" using [[Data_Validation|null byte injection]] (see the [[OWASP_Guide_Project|OWASP Development Guide]] for more information) to access any file on the web server’s file system.
 Similarly, references to database keys are frequently exposed. An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature. In the example below, even if an application does not present any links to unauthorized carts, and no SQL injection is possible, an attacker can still change the cartID parameter to whatever cart they want.

@@ Line 67: / Line 67: @@
 *WASC Threat Classification: [http://www.webappsec.org/projects/threat/classes/abuse_of_functionality.shtml http://www.webappsec.org/projects/threat/classes/abuse_of_functionality.shtml], [http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml]
 *OWASP Testing Guide, [[Testing for business logic]]
-*OWASP Testing Guide, [[Testing for Path Traversal]]
+*OWASP Testing Guide, [[Testing for Path Traversal  (OWASP-AZ-001)|Testing for Path Traversal]]
 *OWASP [[:Category:Access_Control_Vulnerability|Access Control Vulnerability]]
 *GST Assist attack details, [http://www.abc.net.au/7.30/stories/s146760.htm http://www.abc.net.au/7.30/stories/s146760.htm]