The Cybersecurity and Infrastructure Security Agency (CISA), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and the National Security Agency (NSA) published a joint Cybersecurity Advisory (CSA) titled “Preventing Web Application Access Control Abuse.” The joint CSA warns vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities, which are frequently exploited by malicious actors. The CSA provides guidance to reduce the prevalence of IDOR flaws and vulnerabilities.
Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or invoke functions they are not authorized to use. These vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed, and the application does not verify that the requesting user is authorized for that object, so any user can use or modify the identifier. Such flaws are common, hard to prevent outside of the development process, and can be abused at scale in data breach incidents.
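To make the pattern concrete, here is an added example (not code from the advisory or from any project it names) of a document-lookup handler that trusts a caller-supplied identifier, beside a version that enforces server-side authorization and uses unguessable identifiers; the store, users and function names are constructed for illustration.

```python
# Added example (not from the advisory): a minimal document-lookup handler
# showing the IDOR pattern described above, beside a hardened version.
# All names, records and users here are constructed for illustration.
from dataclasses import dataclass
import secrets


@dataclass
class Document:
    doc_id: str
    owner: str
    body: str


class NotAuthorized(Exception):
    pass


# Constructed sample store keyed by sequential, guessable identifiers.
DOCS = {
    "1001": Document("1001", "alice", "alice's tax return"),
    "1002": Document("1002", "bob", "bob's medical record"),
}


def get_document_vulnerable(current_user: str, doc_id: str) -> str:
    """IDOR: trusts the caller-supplied identifier and never checks
    that current_user is allowed to read that object."""
    return DOCS[doc_id].body


def get_document_hardened(current_user: str, doc_id: str) -> str:
    """Server-side authorization: look the object up, then verify the
    authenticated user owns it before returning anything."""
    doc = DOCS.get(doc_id)
    # Same error for "missing" and "not yours" so the response does not
    # reveal which identifiers exist.
    if doc is None or doc.owner != current_user:
        raise NotAuthorized("document not found or access denied")
    return doc.body


def new_document_id() -> str:
    """Unguessable identifier (128 random bits, URL-safe) so enumerating
    neighbouring objects becomes impractical. Pair this with the ownership
    check above; randomness alone is not authorization."""
    return secrets.token_urlsafe(16)
```

The vulnerable handler returns another user's record for any identifier the caller supplies, while the hardened one refuses it with a response that is indistinguishable from a missing object.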