Popular website vulnerabilities: why are they dangerous and how to avoid them?
For anyone who owns a website, security should come first. Critical threats and vulnerabilities can severely impact both your reputation and your finances.
In this series of articles we will look at five common types of security vulnerability that any website may encounter, and share methods for finding vulnerabilities, scanning a site for them, and protecting against attacks.
IDOR: a simple and very dangerous vulnerability
IDOR (Insecure Direct Object Reference) is a vulnerability that can allow unauthorized access to web pages or files. The most common case of IDOR is an attacker enumerating a predictable identifier and thereby gaining access to someone else’s data. IDOR is a form of broken access control that appears in the OWASP (Open Web Application Security Project) Top 10 list of vulnerabilities.
As an example, let’s say you register on the website of a large online store. As you fill in your contact information, you will see a URL in the browser’s address bar like this:
The identifier (id = 39082331) plays the main role here. As an experiment, you change the last digit and suddenly you see a page with someone else’s contact information, which you can edit.
A malicious hacker may try replacing the id parameter values 39082331 and 74656 with similar values, for example:
In this way the contact information of every registered user can be read and changed simply by iterating over the id number in the URL. The problem is that, when handling the request, the site does not check whether the requested data belongs to the visitor making it.
What can this lead to?
– Disclosure of confidential information: attackers who gain access to user accounts will see their personal data.
– Authentication bypass: with this vulnerability, hundreds or thousands of accounts can be accessed at once.
– Data modification: an attacker can edit your contact information and use it for their own purposes, for example changing the delivery address of your orders in an online store.
– Account hijacking: in some cases user accounts can be taken over, money stolen from their balance, and many more problems caused.
How to protect yourself
Always remember that data received in an HTTP request is untrusted. If your site has to display certain pages based on values taken from incoming requests, those values must be validated and the access authorized:
– check that the current user has the right to the specified page or action;
– check that the account or service belongs to the authorized user;
– use hard-to-guess or random identifiers;
– sign the identifier.
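The following Python is an added example, not code from the article, that puts the enumeration described above and the protections listed here side by side: a handler that trusts the id from the URL exactly as the vulnerable store does, a hardened handler that checks the record belongs to the logged-in user, and HMAC-signed identifiers bound to that user. The record store, the user names and SECRET_KEY are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample data (not from the article): contact records keyed by a
# sequential, guessable id, each tagged with the account that owns it.
CONTACTS = {
    39082331: {"owner": "alice", "address": "1 Main St"},
    39082332: {"owner": "bob", "address": "2 Side St"},
}


class Forbidden(Exception):
    """Raised when the current user may not access the requested record."""


def get_contact_vulnerable(current_user, contact_id):
    """IDOR: the id from the URL is trusted as-is; ownership is never checked."""
    return CONTACTS[contact_id]


def get_contact_checked(current_user, contact_id):
    """Hardened: load the record, then require that it belongs to the caller."""
    record = CONTACTS.get(contact_id)
    # Same error for missing and foreign records, so the response does not
    # reveal which ids exist.
    if record is None or record["owner"] != current_user:
        raise Forbidden("no such record for this user")
    return record


def update_contact_checked(current_user, contact_id, new_address):
    """Writes go through the same ownership check as reads."""
    record = get_contact_checked(current_user, contact_id)
    record["address"] = new_address
    return record


# Signed identifiers: the server issues "id.mac", where the MAC covers both the
# record id and the user it was issued to, so a token copied out of one session
# is useless in another. SECRET_KEY is an assumed server-side secret.
SECRET_KEY = b"replace-with-a-random-server-side-secret"


def sign_contact_id(current_user, contact_id):
    msg = f"{current_user}:{contact_id}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{contact_id}.{mac}"


def resolve_signed_id(current_user, token):
    """Return the numeric id only if the token was issued to current_user."""
    raw_id, _, mac = token.rpartition(".")
    if not raw_id.isdigit():
        raise Forbidden("malformed identifier")
    msg = f"{current_user}:{raw_id}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise Forbidden("identifier signature mismatch")
    return int(raw_id)


def get_contact_signed(current_user, token):
    """Signed id first, ownership check second: both layers stay in place."""
    return get_contact_checked(current_user, resolve_signed_id(current_user, token))


def denied(fn, *args):
    """True if fn(*args) is refused with Forbidden (helper for quick checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # alice is logged in and edits the id in the URL by one.
    print("vulnerable:", get_contact_vulnerable("alice", 39082332))
    print("checked, own record:", get_contact_checked("alice", 39082331))
    print("checked, foreign record denied:", denied(get_contact_checked, "alice", 39082332))
    token = sign_contact_id("alice", 39082331)
    print("signed token for alice:", token)
    print("same token used by bob denied:", denied(get_contact_signed, "bob", token))
```

Note that the signature alone does not replace the ownership check: it only proves the server issued the token to that user, so `get_contact_signed` still calls `get_contact_checked` afterwards.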
It should also be noted that automated tools cannot yet detect IDOR vulnerabilities.