Task #11409

Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation

Pentest_Web_CDB (M1) - Insecure Direct Object Reference (IDOR)

Added by Nurul Athira Abdul Rahim almost 4 years ago. Updated about 3 years ago.

Status: Work Completed-End life cycle
Start date: December 01, 2020
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Pentest
Spent time: -
Target version: -

Description

Insecure direct object reference occurs when an application uses user-supplied input (for example an account number, record ID or filename in a request parameter) to retrieve an object directly, without performing a sufficient authorization check. An attacker who modifies that parameter value can bypass authorization and access resources they are not entitled to, such as database records belonging to other users or files on the system.

Given solution:

Preventing insecure direct object references requires selecting an approach for protecting each user-accessible object (e.g., object number, filename):

1. Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource’s database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server.

2. Check access for each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
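Both remediations side by side, as an added example that is not code from the ticket or from the application under test. It assumes an account-summary style lookup keyed by account number (the "estatement" and "trnxHistory" requests named in the attachments) and uses a constructed in-memory account table in place of the real database; `get_statement_vulnerable` shows the flawed direct lookup, `get_statement_checked` adds the per-request ownership check (solution 2), and `Session` implements the per-user indirect reference map (solution 1).

```python
"""Added example: IDOR remediation patterns for an account lookup.

The account table below is constructed for illustration; in the real
application the lookup would hit the database.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data: account number -> owner and statement lines
ACCOUNTS = {
    "1111222233": {"owner": "alice", "statement": ["2020-12-01 +100.00", "2020-12-02 -25.00"]},
    "4444555566": {"owner": "bob", "statement": ["2020-12-01 +5000.00"]},
    "7777888899": {"owner": "alice", "statement": []},
}


class AuthorizationError(Exception):
    """Raised when a reference cannot be resolved for the current user."""


# --- Vulnerable pattern: the account number from the request is used as-is ---
def get_statement_vulnerable(user: str, acct_no: str) -> list[str]:
    """Returns the statement for whatever account number the client sent.
    The caller's identity is never consulted, so any account is readable."""
    return ACCOUNTS[acct_no]["statement"]


# --- Solution 2: access control check on every direct reference ---
def get_statement_checked(user: str, acct_no: str) -> list[str]:
    """Looks up the account and verifies the requesting user owns it."""
    record = ACCOUNTS.get(acct_no)
    # Same error for "unknown" and "not yours": the response must not reveal
    # which account numbers exist.
    if record is None or record["owner"] != user:
        raise AuthorizationError("account not accessible")
    return record["statement"]


# --- Solution 1: per-session indirect references (1..n instead of real keys) ---
@dataclass
class Session:
    user: str
    # indirect index -> real account number; built and kept server-side only
    ref_map: dict[int, str] = field(default_factory=dict)

    def list_accounts(self) -> list[int]:
        """Builds the drop-down: the client only ever sees small indices."""
        owned = sorted(a for a, r in ACCOUNTS.items() if r["owner"] == self.user)
        self.ref_map = {i + 1: acct for i, acct in enumerate(owned)}
        return list(self.ref_map)

    def resolve(self, ref: object) -> str:
        """Maps a client-supplied index back to the real key, rejecting
        anything that is not one of this session's own indices."""
        try:
            idx = int(ref)  # type: ignore[arg-type]
        except (TypeError, ValueError):
            raise AuthorizationError("invalid reference") from None
        acct = self.ref_map.get(idx)
        if acct is None:
            raise AuthorizationError("invalid reference")
        return acct


def get_statement_indirect(session: Session, ref: object) -> list[str]:
    """Resolves the indirect reference, then still applies the ownership
    check on the resolved key as defence in depth."""
    return get_statement_checked(session.user, session.resolve(ref))


def denied(fn, *args) -> bool:
    """True if the call is refused with AuthorizationError (used for checks)."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    s = Session("alice")
    print("alice's drop-down indices:", s.list_accounts())
    print("index 1 ->", get_statement_indirect(s, 1))
    print("bob reading alice's account, vulnerable path:",
          get_statement_vulnerable("bob", "1111222233"))
    print("bob reading alice's account, checked path denied:",
          denied(get_statement_checked, "bob", "1111222233"))
```

The indirect map is rebuilt from the server-side ownership query each time the list is rendered, so the client never learns a real account number, and a tampered index that is not in the session's map (including a real account number pasted into the field) fails in `resolve` before any lookup happens.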

estatement set invalid acc num.PNG (8.27 KB) Nurul Hasnieza Bt Mohd Zamri, January 15, 2021 10:30

trnxHistory set invalid acc num.PNG (7.2 KB) Nurul Hasnieza Bt Mohd Zamri, January 15, 2021 10:30

screen display error message.png (73.3 KB) Nurul Hasnieza Bt Mohd Zamri, January 15, 2021 10:30

History

#1 Updated by Najmi Pasarudin almost 4 years ago

  • Assignee changed from Najmi Pasarudin to Nurul Hasnieza Bt Mohd Zamri

#2 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#3 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • % Done changed from 0 to 70

#4 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

#5 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from Finished Development to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim

Hi Athira,
Account number validation at Account Summary has been updated. Kindly find the attachment for the testing result.

#6 Updated by Nurul Athira Abdul Rahim over 3 years ago

  • Assignee changed from Nurul Athira Abdul Rahim to Erni Suhaireen Zulkifli

#7 Updated by Nurul Athira Abdul Rahim over 3 years ago

  • Status changed from Internal Testing to System Integration Test
  • Assignee changed from Erni Suhaireen Zulkifli to Nurul Athira Abdul Rahim

#8 Updated by Nurul Athira Abdul Rahim about 3 years ago

  • Status changed from System Integration Test to Work Completed-End life cycle
  • % Done changed from 80 to 100

Updated from JTM:
1st assessment pentest expired.
Pending 2nd scanning report.
