CVSS2: 5 Medium. AV:N/AC:L/Au:N/C:P/I:N/A:N (Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE)
CVSS3: 7.5 High. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE)
AI Score: 9.3 High (Confidence: High)
EPSS: 0.002 Low (Percentile: 51.5%)
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.
These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.
ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce prevalence of IDOR flaws and protect sensitive data in their systems.
Download the PDF version of this report:
AA23-208A Preventing Web Application Access Control Abuse (PDF, 587.80 KB)
IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.
Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessed—allowing any user to use or modify the identifier.
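The following Python example is added here and is not part of the advisory. It contrasts a handler with the IDOR flaw described above (an authenticated caller fetches any record by the externally supplied identifier) with one that performs the object-level authorization check, and adds an indirect-reference map so that raw, guessable identifiers are never exposed to the client. The record ids, user names and the ReferenceMap class are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data: each record belongs to exactly one user.
@dataclass
class Record:
    id: str
    owner: str
    body: str

RECORDS = {
    "1001": Record("1001", "alice", "alice's statement"),
    "1002": Record("1002", "bob", "bob's statement"),
}

def get_record_insecure(session_user: str, record_id: str):
    """IDOR: the caller is authenticated, but the object is fetched by the
    externally supplied id with no check that session_user owns it."""
    rec = RECORDS.get(record_id)
    return rec.body if rec else None

def get_record_secure(session_user: str, record_id: str):
    """Object-level authorization: the lookup is scoped to the requesting
    user's own objects. A missing record and a foreign record both yield
    None, so the response does not reveal whether the id exists."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != session_user:
        return None
    return rec.body

class ReferenceMap:
    """Indirect object references (constructed helper): hand out unguessable,
    per-user handles instead of the database key and resolve them server-side.
    A handle issued to one user is meaningless when presented by another."""
    def __init__(self):
        self._by_user: dict[str, dict[str, str]] = {}

    def reference_for(self, user: str, record_id: str) -> str:
        handle = secrets.token_urlsafe(16)
        self._by_user.setdefault(user, {})[handle] = record_id
        return handle

    def resolve(self, user: str, handle: str):
        record_id = self._by_user.get(user, {}).get(handle)
        return get_record_secure(user, record_id) if record_id else None
```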
These vulnerabilities are common[1] and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information). Data leaks or breaches facilitated by IDOR vulnerabilities include:
ACSC, CISA, and NSA recommend that vendors, designers, and implementors of web applications—including organizations that build and deploy software (such as HR tools) for their internal use and organizations that create open-source projects—implement the following mitigations. These mitigations may reduce prevalence of IDOR vulnerabilities in software and help ensure products are secure-by-design and -default.
For more information, see the joint Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Developers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.
Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices in production and enterprise environments. Software developers are high-value targets because their customers deploy software on their own trusted networks. For best practices, see:
ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture.
For more information, see the Enduring Security Framework’s Securing the Software Supply Chain: Recommended Practices Guide for Customers, CISA’s Supply Chain Risk Management Essentials, and ACSC’s Cyber Supply Chain Risk Management.
HTTP 404 and HTTP 403 responses are associated with common enumeration techniques. Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices; see ACSC’s Essential Eight, CISA’s CPGs, and NSA’s Top Ten Cybersecurity Mitigation Strategies.
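The following Python example is added here and is not part of the advisory. It shows the kind of log check the sentence above describes: it parses constructed access-log lines in combined log format, counts 403/404 responses per client on paths that carry a numeric object identifier, and flags clients whose failed requests walk consecutive ids. The log lines, thresholds and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format). The first client sweeps
# ids 1001-1005; the second makes one ordinary request and one typo.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2023:10:00:01 +0000] "GET /api/accounts/1001 HTTP/1.1" 200 512 "-" "curl/8.1"
203.0.113.7 - - [27/Jul/2023:10:00:02 +0000] "GET /api/accounts/1002 HTTP/1.1" 403 0 "-" "curl/8.1"
203.0.113.7 - - [27/Jul/2023:10:00:02 +0000] "GET /api/accounts/1003 HTTP/1.1" 403 0 "-" "curl/8.1"
203.0.113.7 - - [27/Jul/2023:10:00:03 +0000] "GET /api/accounts/1004 HTTP/1.1" 404 0 "-" "curl/8.1"
203.0.113.7 - - [27/Jul/2023:10:00:03 +0000] "GET /api/accounts/1005 HTTP/1.1" 403 0 "-" "curl/8.1"
198.51.100.4 - - [27/Jul/2023:10:00:05 +0000] "GET /api/accounts/2001 HTTP/1.1" 200 611 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Jul/2023:10:00:09 +0000] "GET /api/accounts/2002 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r'/(\d+)(?:/|$)')  # numeric object id as a path segment

def find_enumeration(log_text, min_errors=3, min_distinct_ids=3):
    """Return {ip: {"errors": n, "ids": [...], "sequential": bool}} for clients
    whose 403/404 responses on id-bearing paths exceed the thresholds."""
    per_ip = defaultdict(lambda: {"errors": 0, "ids": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("403", "404"):
            continue
        idm = ID_RE.search(m["path"])
        if not idm:
            continue
        entry = per_ip[m["ip"]]
        entry["errors"] += 1
        entry["ids"].append(int(idm.group(1)))
    flagged = {}
    for ip, entry in per_ip.items():
        ids = sorted(set(entry["ids"]))
        if entry["errors"] >= min_errors and len(ids) >= min_distinct_ids:
            # Consecutive ids across the failures are the signature of a sweep.
            sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
            flagged[ip] = {"errors": entry["errors"], "ids": ids, "sequential": sequential}
    return flagged
```

In production the same counting would be done per time window rather than over the whole file, and sequential sweeps are only one pattern; a client that guesses ids at random still shows up through the error count alone.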
ACSC, CISA, and NSA recommend that organizations:
ACSC, CISA, and NSA recommend that organizations with on-premises software or IaaS consider using SaaS models for their internet-facing websites.
Organizations leveraging SaaS with sufficient resources may consider conducting penetration testing and using vulnerability scanners. However, such tests may interfere with service provider operations. Organizations should consult with their legal counsel as appropriate to determine what can be included in the scope of the penetration testing.
If you or your organization are the victim of a data breach or cyber incident, follow relevant cyber incident response and communications plans, as appropriate.
[1] A01 Broken Access Control - OWASP Top 10:2021, owasp.org/Top10/A01_2021-Broken_Access_Control/
[2] A massive ‘stalkerware’ leak puts the phone data of thousands at risk, techcrunch.com/2021/10/19/stalkerware-security-phone-data-thousands/
[3] Mobile device monitoring services do not authenticate API requests, kb.cert.org/vuls/id/229438
[4] Behind the stalkerware network spilling the private phone data of hundreds of thousands, techcrunch.com/2022/02/22/stalkerware-network-spilling-data/
[5] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records, krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/
[6] Biggest Data Breaches in US History [Updated 2023], www.upguard.com/blog/biggest-data-breaches-us
[7] AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison, www.wired.com/2013/03/att-hacker-gets-3-years/
[8] Fuzzing | OWASP Foundation, owasp.org/www-community/Fuzzing
The information in this report is being provided “as is” for informational purposes only. ACSC, CISA, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States or Australian Governments, and this guidance shall not be used for advertising or product endorsement purposes.
This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.