Identification and Illustration of Insecure Direct Object References and their Countermeasures

International Journal of Computer Applications
© 2015 by IJCA Journal
Volume 114 - Number 18
Year of Publication: 2015
Authors:
Ajay Kumar Shrestha
Pradip Singh Maharjan
Santosh Paudel
10.5120/20082-2148

Ajay Kumar Shrestha, Pradip Singh Maharjan and Santosh Paudel. Article: Identification and Illustration of Insecure Direct Object References and their Countermeasures. International Journal of Computer Applications 114(18):39-44, March 2015. Full text available. BibTeX

@article{key:article,
	author = {Ajay Kumar Shrestha and Pradip Singh Maharjan and Santosh Paudel},
	title = {Article: Identification and Illustration of Insecure Direct Object References and their Countermeasures},
	journal = {International Journal of Computer Applications},
	year = {2015},
	volume = {114},
	number = {18},
	pages = {39-44},
	month = {March},
	note = {Full text available}
}

Abstract

An insecure direct object reference is a design flaw in which a system exposes sensitive resources or data without a complete protection mechanism. It arises when a web application developer grants direct access to objects based on user input, so an attacker can exploit the vulnerability and reach privileged information by bypassing authorization. The main aim of this paper is to demonstrate the real effect of insecure direct object references, show how to identify them, and then provide feasible preventive solutions so that web applications do not allow direct object references to be manipulated by attackers. The insecure direct object referencing experiment is carried out on WebGoat, a deliberately insecure J2EE web application, and its security testing is performed with Burp Suite, another Java-based tool. The experimental result shows that the access control check required to guard privileged information is a very simple problem, but its correct implementation is a tricky task. The paper finally presents some ways to overcome this web vulnerability.
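As an added example that is not part of the paper, WebGoat or Burp Suite, the following Python shows the pattern the abstract describes (an object selected directly by a request parameter with no authorization check) beside a hardened version that re-checks ownership and hands the client only per-session opaque tokens (an indirect reference map). The data store, user names and function names are constructed for illustration.

```python
import secrets

# Constructed sample data store: document id -> (owner, contents).
DOCUMENTS = {
    101: ("alice", "alice's tax return"),
    102: ("bob", "bob's medical record"),
}

def fetch_document_insecure(user, doc_id):
    """Vulnerable pattern: the id from the request selects the object
    directly, and `user` is never checked against the object's owner."""
    return DOCUMENTS[doc_id][1]

class ReferenceMap:
    """Per-session indirect reference map: the client only ever sees opaque
    tokens, and a token resolves only in the session that issued it."""

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def indirect(self, direct_id):
        token = self._to_indirect.get(direct_id)
        if token is None:
            token = secrets.token_urlsafe(16)
            self._to_indirect[direct_id] = token
            self._to_direct[token] = direct_id
        return token

    def direct(self, token):
        return self._to_direct.get(token)

def list_documents(user, refmap):
    """Hand the client tokens only for the documents the user owns."""
    return [refmap.indirect(doc_id)
            for doc_id, (owner, _) in DOCUMENTS.items() if owner == user]

def fetch_document_secure(user, token, refmap):
    """Hardened pattern: resolve the token through the session map, then
    re-check ownership. Unknown and foreign objects both yield None, which
    the caller maps to the same 'not found' response."""
    doc_id = refmap.direct(token)
    if doc_id is None or DOCUMENTS[doc_id][0] != user:
        return None
    return DOCUMENTS[doc_id][1]
```

The ownership check is the essential control; the reference map additionally keeps real identifiers out of URLs, so a token captured or guessed in one session is worthless in another.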
