The National Security Agency (NSA) has partnered with U.S. and international cyber agencies to release the Cybersecurity Advisory (CSA), “Preventing Web Application Access Control Abuse,” warning that vulnerabilities in web applications, including application programming interfaces (APIs), can allow malicious actors to manipulate and access sensitive data.
Malicious cyber actors can abuse web applications and APIs to compromise sensitive data, potentially affecting web applications and cloud-based services used by National Security Systems (NSS), the Department of Defense (DoD), and the Defense Industrial Base (DIB).
The partnering agencies, including the Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and NSA, offer guidance for vendors, designers, developers, and consumer organizations to mitigate insecure direct object reference (IDOR) vulnerabilities in web applications.
“These commonly exploited vulnerabilities are difficult to mitigate once software is operating in a customer network,” said Neal Ziring, NSA Cybersecurity Technical Director. “This is why developers need to be aware of these kinds of vulnerabilities: they can have high impact by including the kinds of checks described in the advisory, and reduce prevalence of these flaws at scale.”
IDOR vulnerabilities are access control vulnerabilities in web applications that enable malicious actors to modify, delete, or access sensitive data. Exploiting these vulnerabilities can potentially impact any web application, including those deployed in:
- On-premises software deployed and installed locally at an organization.
- Software as a Service (SaaS) used for cloud-based applications.
- Infrastructure as a Service (IaaS) used for cloud-based computing resources.
- Private cloud models proprietary to the organization’s infrastructure.
The report contains technical details about IDOR vulnerabilities and recommended mitigations for anyone involved in the development, usage, management, and administration of web applications, including those built and deployed just for internal use.
According to the advisory, vulnerable applications or APIs use an identifier (e.g., ID number, name, or key) to directly access an object (e.g., database record) but do not properly check the authentication or authorization of the user submitting the request. ACSC, CISA, and NSA recommend organizations follow the mitigations in this CSA to prevent exploitation of IDOR vulnerabilities and protect sensitive data in their systems.
Mitigations in the CSA for web application developers, both for vendors and for in-house development, include:
- Implement secure by design and default principles.
- Follow secure coding practices, such as using indirect reference maps, input parameter normalization and verification, and CAPTCHAs.
- Conduct code reviews and testing using automated code analysis and testing tools.
- Train personnel for secure software development.
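As an added illustration of the IDOR pattern the advisory describes (a client-supplied identifier selecting an object with no check that the requester may access it) and of the indirect reference map mitigation it lists, the following Python sketch is example code written for this page, not code from the advisory or any of the agencies. The record store, user names, `AccessDenied` class, `ReferenceMap` helper and the audit list are all constructed assumptions; a real application would back them with its database, session store and logging pipeline.

```python
"""
Added example (not from the advisory): an in-memory record lookup that is
IDOR-prone, beside two hardened variants: an explicit ownership check and
an indirect reference map. All names, data and the request shape are
constructed for illustration.
"""
from dataclasses import dataclass, field
import secrets

# Constructed sample data: each record belongs to exactly one user.
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}


class AccessDenied(Exception):
    """Raised when the requesting principal may not access the object."""


def fetch_vulnerable(user: str, record_id: int) -> dict:
    """IDOR pattern: the client-supplied id selects the object and only
    existence is checked, so any authenticated user can read any record."""
    if record_id not in RECORDS:
        raise KeyError(record_id)
    return RECORDS[record_id]


def fetch_checked(user: str, record_id: int, audit: list) -> dict:
    """Hardened: the same lookup followed by an authorization decision that
    ties the requested object to the requesting principal. Denials are
    appended to `audit` so tampering attempts can be logged and alerted on."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        audit.append(f"DENY user={user} record={record_id}")
        # Same error for missing and foreign records, so the response does
        # not reveal which ids exist.
        raise AccessDenied(record_id)
    return record


@dataclass
class ReferenceMap:
    """Indirect reference map: random per-user tokens stand in for real ids.
    The client never sees or sends a database key, and a token minted for
    one user resolves to nothing for another."""
    _tokens: dict = field(default_factory=dict)  # (user, token) -> real id

    def expose(self, user: str, record_id: int) -> str:
        """Mint a token for `user` that refers to `record_id`."""
        token = secrets.token_urlsafe(16)
        self._tokens[(user, token)] = record_id
        return token

    def resolve(self, user: str, token: str) -> int:
        """Map a token back to a real id, only for the user it was minted for."""
        try:
            return self._tokens[(user, token)]
        except KeyError:
            raise AccessDenied(token) from None


def fetch_indirect(refmap: ReferenceMap, user: str, token: str) -> dict:
    """Look up a record through the indirect reference map."""
    real_id = refmap.resolve(user, token)
    return RECORDS[real_id]
```

The ownership check and the reference map are complementary rather than alternatives: the map keeps raw identifiers out of client traffic, while the server-side authorization check remains the control that actually enforces access, and its denials are what the logging and alerting mitigations below act on.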
Mitigations in the CSA for end-user organizations include:
- Select web applications that demonstrate commitment to secure-by-design and -default principles.
- Apply software patches for web applications as soon as possible.
- Configure applications to log and alert on tampering attempts.
- Conduct regular penetration testing and vulnerability scanning to ensure web applications are secure and to detect IDOR or other vulnerabilities.
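To show what the "log and alert on tampering attempts" recommendation above can look like in practice, here is an added detection example written for this page (not from the advisory): it scans application log lines and flags a principal whose requests are repeatedly denied across many distinct object identifiers, the server-side footprint that IDOR probing typically leaves. The log format, the `/api/<kind>/<id>` path shape, the sample lines and the threshold are all constructed assumptions.

```python
"""
Added example (not from the advisory): detection logic run over a few
constructed application log lines. A user who collects authorization
denials on several distinct object ids is flagged for review. The line
format and the threshold are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice path=/api/invoices/101 status=200
2024-05-01T10:00:02Z user=alice path=/api/invoices/102 status=403
2024-05-01T10:00:03Z user=alice path=/api/invoices/103 status=403
2024-05-01T10:00:04Z user=alice path=/api/invoices/104 status=403
2024-05-01T10:00:05Z user=bob path=/api/invoices/102 status=200
2024-05-01T10:00:06Z user=bob path=/api/invoices/999 status=403
2024-05-01T10:00:07Z malformed line that the parser should skip
"""

# Assumed path shape: /api/<object kind>/<numeric id>
LINE_RE = re.compile(
    r"user=(?P<user>\S+) path=/api/(?P<kind>\w+)/(?P<oid>\d+) status=(?P<status>\d{3})"
)


def denied_objects_by_user(log_text: str) -> dict:
    """Map each user to the set of (kind, id) objects they were denied."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match and match["status"] == "403":
            hits[match["user"]].add((match["kind"], int(match["oid"])))
    return hits


def flag_enumeration(log_text: str, threshold: int = 3) -> list:
    """Return users whose denials span at least `threshold` distinct objects.

    A single 403 is normal (a stale link, a mistyped id); many denials on
    different ids from one principal is the pattern worth alerting on.
    """
    return sorted(
        user
        for user, objects in denied_objects_by_user(log_text).items()
        if len(objects) >= threshold
    )


if __name__ == "__main__":
    for user in flag_enumeration(SAMPLE_LOG):
        print(f"ALERT possible object enumeration by user={user}")
```

This only works if the application emits a denial record for every failed authorization decision; an endpoint that silently returns an empty result leaves nothing for the rule to count. Thresholds should be tuned per endpoint, since the ordinary 403 rate differs between, say, an invoice viewer and an admin console.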