Research Article

Identification and Illustration of Insecure Direct Object References and their Countermeasures

by Ajay Kumar Shrestha, Pradip Singh Maharjan, Santosh Paudel
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 114 - Number 18
Year of Publication: 2015
Authors: Ajay Kumar Shrestha, Pradip Singh Maharjan, Santosh Paudel
10.5120/20082-2148

Ajay Kumar Shrestha, Pradip Singh Maharjan, Santosh Paudel . Identification and Illustration of Insecure Direct Object References and their Countermeasures. International Journal of Computer Applications. 114, 18 ( March 2015), 39-44. DOI=10.5120/20082-2148

@article{ 10.5120/20082-2148,
author = { Ajay Kumar Shrestha, Pradip Singh Maharjan, Santosh Paudel },
title = { Identification and Illustration of Insecure Direct Object References and their Countermeasures },
journal = { International Journal of Computer Applications },
issue_date = { March 2015 },
volume = { 114 },
number = { 18 },
month = { March },
year = { 2015 },
issn = { 0975-8887 },
pages = { 39-44 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume114/number18/20082-2148/ },
doi = { 10.5120/20082-2148 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T22:53:11.821601+05:30
%A Ajay Kumar Shrestha
%A Pradip Singh Maharjan
%A Santosh Paudel
%T Identification and Illustration of Insecure Direct Object References and their Countermeasures
%J International Journal of Computer Applications
%@ 0975-8887
%V 114
%N 18
%P 39-44
%D 2015
%I Foundation of Computer Science (FCS), NY, USA
Abstract

An insecure direct object reference is a flaw in system design in which sensitive system resources or data lack a complete protection mechanism. It occurs when a web application developer grants direct access to objects based on user input, so an attacker can exploit this web vulnerability and gain access to privileged information by bypassing authorization. The main aim of this paper is to demonstrate the real effect of insecure direct object references and how to identify them, and then to provide feasible preventive solutions so that web applications do not allow direct object references to be manipulated by attackers. The experiment on insecure direct object referencing is carried out using the deliberately insecure J2EE web application WebGoat, and its security testing is performed using another Java-based tool, Burp Suite. The experimental result shows that the access control check for gaining access to privileged information is a very simple problem, but its correct implementation is a tricky task. The paper finally presents some ways to overcome this web vulnerability.
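As an added illustration (example code written for this page, not code from the paper, WebGoat or ESAPI), the following models the flaw the abstract describes beside the two countermeasures it points to: an explicit access-control check on every object access, and indirect references that keep direct database keys out of client-facing parameters. The invoice records, user names and function names are constructed for the example.

```python
# Added example: direct object reference vs. the countermeasures the
# abstract names (authorization check, indirect reference map).
import secrets

# Constructed sample data: records keyed by their direct database id.
INVOICES = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "bob", "amount": 75},
}


def vulnerable_get_invoice(user, invoice_id):
    """IDOR: the id comes straight from user input, no authorization."""
    return INVOICES.get(invoice_id)


def secure_get_invoice(user, invoice_id):
    """Countermeasure 1: same lookup, released only to the record's owner."""
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != user:
        return None  # 'not yours' is indistinguishable from 'does not exist'
    return record


class IndirectReferenceMap:
    """Countermeasure 2: per-session map of opaque tokens to direct ids.

    One instance per user session; a token from another session maps to
    nothing here, so database ids never appear in URLs or form fields."""

    def __init__(self):
        self._to_direct = {}

    def indirect(self, direct_id):
        token = secrets.token_urlsafe(8)  # random, unguessable handle
        self._to_direct[token] = direct_id
        return token

    def direct(self, token):
        return self._to_direct.get(token)


def list_invoices_for(user, refmap):
    """Links a page for `user` may expose: tokens for the user's own objects only."""
    return {refmap.indirect(i): r for i, r in INVOICES.items() if r["owner"] == user}


def get_invoice_by_token(user, refmap, token):
    """Resolve the token, then still run the ownership check (defence in depth)."""
    direct_id = refmap.direct(token)
    if direct_id is None:
        return None
    return secure_get_invoice(user, direct_id)
```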

Index Terms

Computer Science
Information Sciences

Keywords

IDOR, Web Application, Authorization, Access control, Web exploit