Australian and U.S. cybersecurity agencies have issued a joint cybersecurity advisory warning about a class of web application vulnerabilities that malicious actors could exploit to orchestrate data breaches and steal sensitive information.
The advisory highlights a class of bugs known as Insecure Direct Object Reference (IDOR), which are access control flaws. These flaws arise when an application relies on user-supplied input or identifiers to directly access internal resources, like database records, without adequate validation.
“IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorisation checks,” said the agencies.
According to the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA), these vulnerabilities are actively exploited by adversaries to compromise millions of users’ personal, financial, and health information.
The agencies recommend adopting secure-by-design and -default principles during software development to counter such threats. Proper authentication and authorisation checks should be implemented for every request that involves modifying, deleting, or accessing sensitive data.
Other counter-methods recommended by the agencies are as follows:
- Utilise automated tools for code review to identify and address IDOR and other vulnerabilities.
- Use indirect reference maps to safeguard IDs, names, and keys from URL exposure. Replace them with strong cryptographic, random values—specifically, consider using a universally unique identifier (UUID) or a globally unique identifier (GUID).
- Exercise due diligence while selecting third-party libraries or frameworks to incorporate into your application, and keep all third-party frameworks and dependencies up to date.
- Exercise due diligence while selecting web applications. Follow best supply chain risk management practices and procure only from reputable vendors.
- Apply software patches for web applications promptly.
- Evaluate the available authentication and authorisation checks in web applications that enable data modification, data deletion, or access to sensitive data.
- Conduct regular, proactive vulnerability scanning and penetration testing to ensure the security of internet-facing web applications and network boundaries.
This joint cybersecurity advisory serves as a crucial warning to businesses and organisations to prioritise security measures and take proactive steps to safeguard their web applications against potential cyber threats and data breaches.