Frequently Asked Questions

Insecure Direct Object References

Last Updated: June 1, 2011 3:46 PM

A direct object reference is an internal identifier, such as an account number, file name, directory, or database key, that appears in the URL or another client-controllable input (a form field, cookie, or API parameter). Exposing such identifiers becomes a security vulnerability when the website does not verify, on every account-specific page or action, that the authenticated user is actually entitled to the resource the identifier names.

Attackers exploit insecure direct object references by modifying URLs or other parameters to read or alter other users' accounts, traverse directories, or enumerate resources they were never shown.

For example, Bill's site displays the account name in the URL:
http://www.coolexample.com/accountInfo?acct=BILL123

A malicious user changes the account name in the URL in an attempt to access another account.

If the website looks up the account by the value in the URL without checking that it belongs to the logged-in user, the malicious user gains unauthorized access to that account.

Referencing a specific resource in the URL is not a flaw in itself; the flaw is the missing authorization check. Verify access on every request for an account-specific page or action, on the server, against the identity of the authenticated user rather than anything the client sends. If you must expose references in the URL, consider replacing the real identifiers with random per-account or per-session codes that the server maps back to the real record (an indirect reference map). This hides the real keys and makes guessing impractical, but it is a second layer of defense: the ownership check on the resolved record is still required.
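The following Python example is added here to illustrate both points above; it is not code from the original article or from any real site. It models Bill's /accountInfo?acct=... handler three ways: the vulnerable lookup that trusts the URL parameter, the same lookup with a per-request ownership check, and a per-session indirect reference map that keeps the real account IDs out of the URL. The account data, the user names, and the function names are constructed for the example.

```python
import secrets
from typing import Dict, Optional

# Constructed sample account store (hypothetical; stands in for Bill's site's
# database). The "owner" field is what the authorization check relies on.
ACCOUNTS: Dict[str, dict] = {
    "BILL123": {"owner": "bill", "balance": 1500, "email": "bill@coolexample.com"},
    "ALICE77": {"owner": "alice", "balance": 320, "email": "alice@coolexample.com"},
}


class Forbidden(Exception):
    """Raised when the session user may not access the requested resource."""


def account_info_vulnerable(session_user: str, acct: str) -> Optional[dict]:
    """Handler for /accountInfo?acct=... that trusts the URL parameter.

    The logged-in user is known, but the lookup never checks that the
    requested account belongs to them. This is the insecure direct object
    reference: changing acct=BILL123 to acct=ALICE77 returns Alice's data.
    """
    return ACCOUNTS.get(acct)


def can_access(session_user: str, acct: str) -> bool:
    """Ownership check: the record exists and belongs to the session user.

    A missing account and someone else's account yield the same answer, so
    the parameter cannot be used to enumerate which account IDs exist.
    """
    record = ACCOUNTS.get(acct)
    return record is not None and record["owner"] == session_user


def account_info_checked(session_user: str, acct: str) -> dict:
    """Same handler with the per-request access check the article calls for."""
    if not can_access(session_user, acct):
        raise Forbidden("not authorized for this account")
    return ACCOUNTS[acct]


class IndirectReferenceMap:
    """Per-session map from random opaque tokens to real account IDs.

    The URL carries only the token, so the real key is never exposed, and a
    token minted in one session is meaningless in another. Resolving still
    goes through the ownership check, so the map is a second layer rather
    than a replacement for authorization.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def reference_for(self, acct: str) -> str:
        """Mint a fresh unguessable token for acct and remember the mapping."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = acct
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a token back to the real account ID, or None if unknown."""
        return self._tokens.get(token)


def account_info_indirect(session_user: str, session_map: IndirectReferenceMap,
                          token: str) -> dict:
    """Handler that accepts only session-scoped tokens in the URL."""
    acct = session_map.resolve(token)
    if acct is None:
        raise Forbidden("unknown reference")
    return account_info_checked(session_user, acct)


if __name__ == "__main__":
    # Bill tampers with the URL: the vulnerable handler leaks Alice's record.
    print(account_info_vulnerable("bill", "ALICE77"))
    # The checked handler refuses the same request.
    try:
        account_info_checked("bill", "ALICE77")
    except Forbidden as exc:
        print("denied:", exc)
    # Indirect map: Bill's session only ever holds tokens for his own account.
    bill_session = IndirectReferenceMap()
    token = bill_session.reference_for("BILL123")
    print(account_info_indirect("bill", bill_session, token)["balance"])
```

Note that the vulnerable and checked handlers receive the same session user; the difference is only whether that identity is compared against the record before it is returned. In a real application the session user comes from the server-side session, never from the request.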

To learn more about insecure direct object references and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.