On July 27, 2023, The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) released an advisory “to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities.” The advisory primarily consists of recommended defensive measures to mitigate IDOR flaws, including:
- Vendors, designers, and developers of web application frameworks and web applications:
- Implement secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
- Use automated tools for code review to identify and remediate IDOR and other vulnerabilities.
- Use indirect reference maps, ensuring that IDs, names, and keys are not exposed in URLs. Replace them with cryptographically strong, random values—specifically use a universally unique identifier (UUID) or a globally unique identifier (GUID).
- Exercise due diligence when selecting third-party libraries or frameworks to incorporate into your application and keep all third-party frameworks and dependencies up to date.
- All end-user organizations, including organizations with software-as-a-service (SaaS) models:
- Use due diligence when selecting web applications. Follow best practices for supply chain risk management and only source from reputable vendors.
- Apply software patches for web applications as soon as possible.
- End-user organizations deploying on-premises software, infrastructure-as-a-service (IaaS), or private cloud models:
- Review the available authentication and authorization checks in web applications that enable modification of data, deletion of data, or access to sensitive data.
- Conduct regular, proactive vulnerability scanning and penetration testing to help ensure internet-facing web applications and network boundaries are secure.
The RH-ISAC intelligence team is collaborating with member analysts to determine if there is any evidence of a potential incident in open source or on the dark web that could indicate whether an incident involving IDOR vulnerabilities could have prompted the advisory. Thus far, there is no indication in open source or the dark web of any significant campaign or incident. The RH-ISAC intelligence team will update the community with any additional information as it arises.