CISA Releases Advisory On Preventing Web Application Access Control Abuse

July 28, 2023 - Insecure direct object reference (IDOR) vulnerabilities in web applications pose a threat to organizations around the world, the Cybersecurity and Infrastructure Security Agency (CISA) warned in a joint cybersecurity advisory (CSA) issued alongside the National Security Agency (NSA) and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC).

CISA and its partners warned vendors, designers, developers, and end-users of web applications about IDOR vulnerabilities, which are access control vulnerabilities that enable threat actors to modify or delete data. In addition, these vulnerabilities enable threat actors to access sensitive data by issuing requests to a web application programming interface (API) specifying the user identifier of valid users.

“These requests succeed where there is a failure to perform adequate authentication and authorization checks,” the CSA noted.

“These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.”

There are several types of IDOR vulnerabilities to watch out for. The authoring entities provided the following definitions:

• Horizontal IDOR vulnerabilities occur when a user can access data that they should not be able to access at the same privilege level (e.g., other user’s data).
• Vertical IDOR vulnerabilities occur when a user can access data that they should not be able to access because the data requires a higher privilege level.
• Object-level IDOR vulnerabilities occur when a user can modify or delete an object that they should not be able to modify or delete.
• Function-level IDOR vulnerabilities occur when a user can access a function or action that they should not be able to access.

All of these vulnerabilities occur when an object identifier is exposed or easily guessed. What’s more, these vulnerabilities are particularly difficult to prevent since threat actors can use automation to detect them and they cannot be mitigated with a simple function.

CISA, NSA, and ACSC provided detailed lists of mitigation actions for end-user organizations, vendors, and developers, including special considerations for end-user organizations with on-premises software or private cloud models.

Vendors and developers were encouraged to conduct code reviews, implement secure-by-design principles, and configure applications to deny access by default and perform authorization checks.

On the end-user side, organizations were urged to “exercise due diligence when selecting web applications” and apply patches as soon as they become available. As always, organizations should maintain a cyber incident response plan to prepare for the event of a cyberattack.

These vulnerabilities once again highlight the importance of vulnerability management in all sectors.