What does this mean?
References to items like files, directories, database records, and keys are sometimes passed in URL or form parameters. This is bad practice: an attacker can simply change the parameter value and reach files, directories or records they should not be able to access. If a reference must be included as a URL parameter, the application must check, on every request, that the current user is actually authorized to view the referenced object.
Who is vulnerable?
Any web application is potentially vulnerable.
How can it be prevented?
OWASP provides some good points on their site:
- Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.
- Validate any private object references extensively with an "accept known good" approach.
- Verify authorization to all referenced objects.
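To make the three points concrete, here is an added example (not from OWASP or the original post) of a document-download handler in its vulnerable form next to a hardened form that applies "accept known good" validation and an ownership check, plus an indirect-reference map that hands users random tokens instead of the real primary key. The user names, document ids and filenames are constructed sample data.

```python
import secrets

# Constructed sample data: document id -> (owner, filename)
DOCUMENTS = {
    1: ("alice", "alice-tax-return.pdf"),
    2: ("bob", "bob-payslip.pdf"),
}

def download_vulnerable(current_user, doc_id):
    """Vulnerable: trusts the id from the URL, so any logged-in user
    can fetch any document just by changing the number."""
    owner, filename = DOCUMENTS[doc_id]
    return filename

def download_hardened(current_user, doc_id):
    """Hardened: 'accept known good' on the parameter, then verify that
    the current user is authorized for that object. Returns None when the
    request is refused (the caller maps that to an HTTP 403/404)."""
    if not isinstance(doc_id, int) or doc_id not in DOCUMENTS:
        return None  # not a known-good reference
    owner, filename = DOCUMENTS[doc_id]
    if owner != current_user:
        return None  # authorization check failed
    return filename

class IndirectReferenceMap:
    """Per-user map of random opaque tokens to real ids, so the private
    primary key is never exposed to the client at all."""
    def __init__(self):
        self._by_user = {}

    def token_for(self, user, doc_id):
        tokens = self._by_user.setdefault(user, {})
        for tok, real_id in tokens.items():
            if real_id == doc_id:
                return tok  # reuse the token already issued to this user
        tok = secrets.token_urlsafe(16)
        tokens[tok] = doc_id
        return tok

    def resolve(self, user, token):
        # A token minted for one user resolves only inside that user's map
        return self._by_user.get(user, {}).get(token)

def download_indirect(refmap, current_user, token):
    """Resolve the opaque token for this user, then still run the
    authorization check on the real id (defence in depth)."""
    doc_id = refmap.resolve(current_user, token)
    if doc_id is None:
        return None
    return download_hardened(current_user, doc_id)
```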