Insecure Direct Object References

Direct object references expose website- or account-specific identifiers, such as account numbers, file names, directories, or database keys, in the URL or other user-accessible sources. Exposing such identifiers in the URL becomes a security vulnerability if your website does not verify the requester's access rights on every account-specific page or action.

Attackers might exploit direct object references by modifying URLs or other parameters to access accounts, hop directories, or discover other resources.

For example: Bill's site displays usernames in the URL:
http://www.coolexample.com/accountInfo?acct=BILL123

A malicious user changes the account name in the URL in an attempt to access another account.

If the website is not configured to verify access, the malicious user might gain unauthorized access to another account.

While referencing specific resources in the URL isn't necessarily a flaw, you should verify access on every request for an account-specific page or action, not only when the page is first linked to. If you must use direct references in the URL, consider mapping them to random per-account or per-session codes so that the real identifiers never appear in the URL at all.
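The following Python example is added here to illustrate the two points above; it is not code from the original article or from coolexample.com. It shows the vulnerable pattern (a handler that trusts the `acct` parameter from the URL), the hardened pattern (the same handler verifying on every request that the logged-in session owns the account), and a per-session indirect reference map that replaces real account identifiers with random tokens. The account records, user names and function names are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not from the article): account id -> record.
ACCOUNTS = {
    "BILL123": {"owner": "bill", "balance": 120},
    "ALICE9": {"owner": "alice", "balance": 340},
}


class AccessDenied(Exception):
    """Raised when the requester is not authorised for the referenced object."""


def acct_param(url):
    """Extract the acct query parameter from a request URL like the article's example."""
    return parse_qs(urlparse(url).query).get("acct", [None])[0]


def account_info_insecure(session_user, acct):
    """Vulnerable pattern: returns whatever account the URL names, ignoring who asked."""
    return ACCOUNTS[acct]


def account_info_secure(session_user, acct):
    """Hardened pattern: verify on every request that the session owns acct."""
    record = ACCOUNTS.get(acct)
    # Treat 'does not exist' and 'not yours' identically so the response does
    # not reveal which account identifiers are valid.
    if record is None or record["owner"] != session_user:
        raise AccessDenied("not authorised")
    return record


class IndirectReferenceMap:
    """Per-session map from random opaque tokens to real account identifiers.

    The URL carries only the token; the server resolves it back to the real id.
    A token from one session means nothing in another session's map.
    """

    def __init__(self):
        self._token_to_id = {}
        self._id_to_token = {}

    def token_for(self, real_id):
        """Return the session's token for real_id, minting one on first use."""
        if real_id not in self._id_to_token:
            token = secrets.token_urlsafe(16)
            self._id_to_token[real_id] = token
            self._token_to_id[token] = real_id
        return self._id_to_token[real_id]

    def resolve(self, token):
        """Map a token back to the real id, or None if this session never issued it."""
        return self._token_to_id.get(token)


def account_info_indirect(session_user, ref_map, token):
    """Resolve the indirect reference, then still enforce the ownership check."""
    real_id = ref_map.resolve(token)
    if real_id is None:
        raise AccessDenied("unknown reference")
    return account_info_secure(session_user, real_id)


def is_authorised(handler, session_user, *args):
    """Convenience wrapper: True if handler grants access, False if it denies it."""
    try:
        handler(session_user, *args)
        return True
    except (AccessDenied, KeyError):
        return False


if __name__ == "__main__":
    url = "http://www.coolexample.com/accountInfo?acct=BILL123"
    acct = acct_param(url)
    print("insecure, alice ->", is_authorised(account_info_insecure, "alice", acct))
    print("secure,   alice ->", is_authorised(account_info_secure, "alice", acct))
    print("secure,   bill  ->", is_authorised(account_info_secure, "bill", acct))
```

The indirect map removes the guessable identifier from the URL, but it is a supplement to the ownership check, not a replacement: `account_info_indirect` still calls `account_info_secure`, so a token that leaks or is reused in another session grants nothing the session does not already own.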

To learn more about insecure direct object references and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.
