CFP last date
20 January 2025
Reseach Article

Identification and Illustration of Insecure Direct Object References and their Countermeasures

by Ajay Kumar Shrestha, Pradip Singh Maharjan, Santosh Paudel
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 114 - Number 18
Year of Publication: 2015
Authors: Ajay Kumar Shrestha, Pradip Singh Maharjan, Santosh Paudel
10.5120/20082-2148

Ajay Kumar Shrestha, Pradip Singh Maharjan, Santosh Paudel . Identification and Illustration of Insecure Direct Object References and their Countermeasures. International Journal of Computer Applications. 114, 18 ( March 2015), 39-44. DOI=10.5120/20082-2148

@article{ 10.5120/20082-2148,
author = { Ajay Kumar Shrestha, Pradip Singh Maharjan, Santosh Paudel },
title = { Identification and Illustration of Insecure Direct Object References and their Countermeasures },
journal = { International Journal of Computer Applications },
issue_date = { March 2015 },
volume = { 114 },
number = { 18 },
month = { March },
year = { 2015 },
issn = { 0975-8887 },
pages = { 39-44 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume114/number18/20082-2148/ },
doi = { 10.5120/20082-2148 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T22:53:11.821601+05:30
%A Ajay Kumar Shrestha
%A Pradip Singh Maharjan
%A Santosh Paudel
%T Identification and Illustration of Insecure Direct Object References and their Countermeasures
%J International Journal of Computer Applications
%@ 0975-8887
%V 114
%N 18
%P 39-44
%D 2015
%I Foundation of Computer Science (FCS), NY, USA
Abstract

The insecure direct object reference simply represents the flaws in the system design without the full protection mechanism for the sensitive system resources or data. It basically occurs when the web application developer provides direct access to objects in accordance with the user input. So any attacker can exploit this web vulnerability and gain access to privileged information by bypassing the authorization. The main aim of this paper is to demonstrate the real effect and the identification of the insecure direct object references and then to provide the feasible preventive solutions such that the web applications do not allow direct object references to be manipulated by attackers. The experiment of the insecure direct object referencing is carried out using the insecure J2EE web application called WebGoat and its security testing is being performed using another JAVA based tool called BURP SUITE. The experimental result shows that the access control check for gaining access to privileged information is a very simple problem but at the same time its correct implementation is a tricky task. The paper finally presents some ways to overcome this web vulnerability.

References
  1. Owasp. org, 'Category:OWASP Project - OWASP', 2015. [Online]. Available: https://www. owasp. org/index. php/Category:OWASP_ Project. [Accessed: 20- Sep- 2014].
  2. Owasp. org, 'Top 10 2010-A4-Insecure Direct Object References - OWASP', 2015. [Online]. Available: https://www. owasp. org/index. php/Top_10_2010-A4. [Accessed: 20- Sep- 2014].
  3. Owasp. org, 'Top 10 2007-Insecure Direct Object Reference - OWASP', 2015. [Online]. Available: https://www. owasp. org/index. php/Top_10_2007-Insecure_Direct_Object_Reference. [Accessed: 20- Sep- 2014].
  4. ¬N. Antunes and M. Vieira, 'Defending against Web Application Vulnerabilities', Computer, vol. 45, no. 2, pp. 66-72, 2012.
  5. R. Eran, El. Yuval, R. Gil and T. Tom, 'System for determining web application vulnerabilities', US 6584569 B2, US 09/800,090, 2003.
  6. L. SHAR, L. Briand and H. Tan, 'Web Application Vulnerability Prediction using Hybrid Program Analysis and Machine Learning', IEEE Trans. Dependable and Secure Comput. , pp. 1-1, 2014.
  7. N. ElBachir El Moussaid and A. Toumanari, 'Web Application Attacks Detection: A Survey and Classification', International Journal of Computer Applications, vol. 103, no. 12, pp. 1-6, 2014.
  8. C. Yang and C. Shen, 'Implement Web Attack Detection Engine with Snort by Using Modsecurity Core Rules', The E-Learming and Information Technology Symposium Tainan, Taiwan, 1 April, 2009.
  9. M. Jensen, N. Gruschka and R. Herkenhoner, 'A Survey of Attacks on Web Services', Computer Science – Research and Development, vol. 24, no. 4, pp. 185-197, 2009.
  10. Wiki. archlinux. org, 'Tomcat - ArchWiki', 2015. [Online]. Available: https://wiki. archlinux. org/index. php/Tomcat. [Accessed: 20- Sep- 2014].
  11. J. Melton, 'The OWASP Top Ten and ESAPI – Part 4 – Insecure Direct Object Reference : John Melton's Weblog', Jtmelton. com, 2015. [Online]. Available: http://www. jtmelton. com/2010/05/10/the-owasp-top-ten-and-esapi-part-5-insecure-direct-object-reference/.
Index Terms

Computer Science
Information Sciences

Keywords

IDOR Web Application Authorization Access control Web exploit