Scribd
Upload
41 views

Direct Object Reference

The document discusses the security vulnerability of direct object reference. It occurs when an application exposes internal implementation details like database primary keys to unauthorized users. This allows users to directly access or modify other users' data they are not authorized for. The document provides examples of this occurring in messaging and financial applications. It recommends mitigations like authorization checks and using an indirection layer with randomized identifiers to map internal IDs to external ones visible to users.

Uploaded by

prince tega
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
41 views

Direct Object Reference

The document discusses the security vulnerability of direct object reference. It occurs when an application exposes internal implementation details like database primary keys to unauthorized users. This allows users to directly access or modify other users' data they are not authorized for. The document provides examples of this occurring in messaging and financial applications. It recommends mitigations like authorization checks and using an indirection layer with randomized identifiers to map internal IDs to external ones visible to users.

Uploaded by

prince tega
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 46

DIRECT OBJECT REFERENCE

DIRECT OBJECT REFERENCE

OWASP regularly compiles a list


of the top 10 security
vulnerabilities

#4 on this list is the Direct


Object Reference
DIRECT OBJECT REFERENCE

This did not even make the list


prior to 2004

Web applications have become more


complicated with different parts
of the application and different
data accessible to each user
DIRECT OBJECT REFERENCE

This vulnerability exists in an


application if it exposes an internal
implementation detail to the user
DIRECT OBJECT REFERENCE
This vulnerability exists in an
application if it exposes an internal
implementation detail to the user

This could be a database key, a file


name, the name of an object -
anything
DIRECT OBJECT REFERENCE

Let’s take an example

A site allows users to send


messages to each other
DIRECT OBJECT REFERENCE
All messages are stored in a
database - a simple one like this

ID FROM TO MESSAGE
103 a@gmail.com jan@gmail.com Hi how are you?

104 wer123@yahoo.com jeff@email.com Shall I see you in an hour?

This is a long message, hope


105 toby@hotmail.com glenn@hotmail.com
you’re doing well..

106 jane@gmail.com verna@hotmail.com Thank you for your help!


DIRECT OBJECT REFERENCE
ID FROM TO MESSAGE
103 a@gmail.com jan@gmail.com Hi how are you?

104 wer123@yahoo.com jeff@email.com Shall I see you in an hour?


This is a long message, hope
105 toby@hotmail.com glenn@hotmail.com
you’re doing well..
106 jane@gmail.com verna@hotmail.com Thank you for your help!

A message id is a unique auto


incremented value for every message,
used to identify a message
DIRECT OBJECT REFERENCE
ID FROM TO MESSAGE
103 a@gmail.com jan@gmail.com Hi how are you?

104 wer123@yahoo.com jeff@email.com Shall I see you in an hour?


This is a long message, hope
105 toby@hotmail.com glenn@hotmail.com
you’re doing well..
106 jane@gmail.com verna@hotmail.com Thank you for your help!

These are from and to fields, other


fields like timestamp etc have been left
out for simplicity
DIRECT OBJECT REFERENCE
ID FROM TO MESSAGE
103 a@gmail.com jan@gmail.com Hi how are you?

104 wer123@yahoo.com jeff@email.com Shall I see you in an hour?


This is a long message, hope
105 toby@hotmail.com glenn@hotmail.com
you’re doing well..
106 jane@gmail.com verna@hotmail.com Thank you for your help!

And actual message contents


DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102

This is the URL to access one particular


message
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102

If the user is not logged in, this URL


forces him to the login page for the site
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102

On logging in a session variable is set


up which stores the user id

This indicates that the user has logged


in for this session
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102

The message id is used to uniquely


identify the message to view
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102
154

This should allow the user to view the


message with the unique id 154
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102
154

As the user goes through the messages


in his inbox - the message id in the URL
changes to reflect the different
messages he has received
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102
154

But what if message id 154 did not


have the current user in either its from
or to fields?
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102
154

We’ve basically allowed a user to view


messages in our database which do not
belong to him!
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102
154

The message id is an internal


implementation detail of the system,
and the URL exposes this to the user
DIRECT OBJECT REFERENCE
http://trustedmail.com/messages/?id=102
154

This is a direct object reference to an


internal object
DIRECT OBJECT REFERENCE

Here is an example from the real


world - this is something which
actually happened
DIRECT OBJECT REFERENCE

Some years ago a financial company


ended up inadvertently exposing
financial data of its members

to other members who were not


authorized to view it
DIRECT OBJECT REFERENCE
Say you were logged and
authenticated to your pension account

http://www.trustedfinancialsite.com/
viewdetails.php/?account_id=1234

This page showed you all details


of your retirement funds
DIRECT OBJECT REFERENCE
http://www.trustedfinancialsite.com/
viewdetails.php/?account_id=1234

The account you view is


specified by this URL parameter
DIRECT OBJECT REFERENCE
http://www.trustedfinancialsite.com/
viewdetails.php/?account_id=1234

Now if you edited the URL


parameter to change the
account id
DIRECT OBJECT REFERENCE
http://www.trustedfinancialsite.com/
8123
viewdetails.php/?account_id=1234

The company’s site let you access


the details of the other account!
DIRECT OBJECT REFERENCE
http://www.trustedfinancialsite.com/
8123
viewdetails.php/?account_id=1234

There was no additional check to


see whether you were authorized to
view those account details!
DIRECT OBJECT REFERENCE
http://www.trustedfinancialsite.com/
8123
viewdetails.php/?account_id=1234

The account id is an internal


implementation detail of the code
DIRECT OBJECT REFERENCE
http://www.trustedfinancialsite.com/
8123
viewdetails.php/?account_id=1234

Exposing this information


compromised millions of accounts
linked to that financial company
DIRECT OBJECT REFERENCE
Mitigation
DIRECT OBJECT REFERENCE
Mitigation

1. Authorization
2. Indirection Layer

3. Randomized Identifiers
DIRECT OBJECT REFERENCE
Mitigation - Authorization

A direct object reference


vulnerability of this kind has a
basic authorization problem
DIRECT OBJECT REFERENCE
Mitigation - Authorization

Authorization refers to what a


user has access to

what data,
what components of a site
DIRECT OBJECT REFERENCE
Mitigation - Authorization

In the messages example or in the


pension account example a simple
check would have sufficed for
authorization
DIRECT OBJECT REFERENCE
Mitigation - Authorization
Does the message have the user in
the to, from or cc field?

Is the current user the owner of


that pension account?
DIRECT OBJECT REFERENCE
Mitigation

1. Authorization
2. Indirection Layer

3. Randomized Identifiers
DIRECT OBJECT REFERENCE
Mitigation - Indirection Layer
Internal ids and objects should not
be exposed to the user directly

Instead a separate layer can map the


internal ids to externally visible ids
DIRECT OBJECT REFERENCE
Mitigation - Indirection Layer
Instead a separate layer can map the
internal ids to externally visible ids

LOCAL PER-USER MAPPING ID


0 103

1 104

2 105

3 106
DIRECT OBJECT REFERENCE
Mitigation - Indirection Layer
LOCAL PER-USER MAPPING ID
0 103

1 104

2 105

3 106

Each user will have a specific id


which maps to the message id
DIRECT OBJECT REFERENCE
Mitigation - Indirection Layer
LOCAL PER-USER MAPPING ID
0 103

1 104

2 105

3 106

The keys of this map is what will


display in the URL parameter
DIRECT OBJECT REFERENCE
Mitigation - Indirection Layer
LOCAL PER-USER MAPPING ID
0 103

1 104

2 105

3 106

A map like this should be generated


for every user
DIRECT OBJECT REFERENCE
Mitigation - Indirection Layer
LOCAL PER-USER MAPPING ID
0 103

1 104

2 105

3 106

So no user can even try and access


messages he is not authorized to
DIRECT OBJECT REFERENCE
Mitigation

1. Authorization
2. Indirection Layer

3. Randomized Identifiers
DIRECT OBJECT REFERENCE
Mitigation - Randomized Identifiers

Instead of using predictable, auto-


incremented ids the identifiers
could also be randomly generated
DIRECT OBJECT REFERENCE
Mitigation - Randomized Identifiers

This by itself is not enough


mitigation but can be used along
with the other techniques
DIRECT OBJECT REFERENCE
Mitigation

1. Authorization
2. Indirection Layer

3. Randomized Identifiers

You might also like