
Insecure Direct Object References

Direct object references expose website- or account-specific details, such as account numbers, file names, directories, or database keys, in the URL or in other client-accessible places (form fields, cookies, API parameters). Referencing a resource this way becomes an insecure direct object reference (IDOR) when the server does not verify, on every request, that the authenticated user is actually allowed to access the resource named by the reference.

Attackers exploit direct object references by modifying URLs or other parameters to view or change other users' accounts, traverse directories, or enumerate resources that were never meant to be reachable.

For example: Bill's Website displays usernames in the URL:
http://www.coolexample.com/accountInfo?acct=BILL123

A malicious user changes the account name in the URL (for example, to acct=ALICE42) in an attempt to access another account.

If the page only checks that the visitor is logged in, and not that the logged-in user owns BILL123 or ALICE42, the malicious user gains unauthorized access to the other account.

Referencing specific resources in the URL isn't necessarily a flaw, but you must verify access on the server for every request of an account-specific page or action, never only on the page that links to it. Return the same response for a resource that does not exist and for one the user is not allowed to see, so the error itself does not reveal which identifiers are valid. If you must use direct references in the URL, consider mapping them to random per-account or per-session codes that are resolved server-side; this makes identifiers harder to guess, but it is a supplement to the authorization check, not a replacement for it.
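The following is an added example, not code from the original page. It models the accountInfo?acct=BILL123 page above with a constructed in-memory account store and a hypothetical session object: a vulnerable handler that trusts the acct parameter, a hardened handler that checks ownership on every request, and a per-session indirect reference map of the kind the paragraph above suggests. The URLs, account IDs, and user names are illustrative.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class Forbidden(Exception):
    """Raised when the session is not allowed to see the requested account."""


# Constructed sample data for the example; the dictionary key is the direct
# object reference that would appear in the URL.
ACCOUNTS = {
    "BILL123": {"owner": "bill", "email": "bill@coolexample.com", "balance": 120},
    "ALICE42": {"owner": "alice", "email": "alice@coolexample.com", "balance": 9000},
}


def acct_from_url(url):
    """Extract the 'acct' query parameter, e.g. .../accountInfo?acct=BILL123."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    return values[0] if values else None


def account_info_vulnerable(session_user, url):
    """IDOR: any logged-in user can read any account just by editing the URL.
    The session user is never compared with the account's owner."""
    return ACCOUNTS[acct_from_url(url)]


def account_info_hardened(session_user, url):
    """Authorization is enforced on this request, not just on the page that
    linked here. Missing and foreign accounts get the same error so the
    response does not reveal which account IDs exist."""
    record = ACCOUNTS.get(acct_from_url(url))
    if record is None or record["owner"] != session_user:
        raise Forbidden("not authorized for this account")
    return record


class Session:
    """Hypothetical server-side session holding an indirect reference map:
    random opaque token -> real account ID. Tokens are only minted for
    accounts the user owns and only resolve inside the session that minted them."""

    def __init__(self, user):
        self.user = user
        self.ref_map = {}

    def indirect_ref(self, acct):
        """Mint a random per-session code to put in the URL instead of the real ID."""
        record = ACCOUNTS.get(acct)
        if record is None or record["owner"] != self.user:
            raise Forbidden("cannot reference an account you do not own")
        token = secrets.token_urlsafe(16)
        self.ref_map[token] = acct
        return token

    def account_info_by_token(self, token):
        """Resolve the opaque code, then still re-check ownership: indirection
        reduces guessability but is not a substitute for the authorization check."""
        acct = self.ref_map.get(token)
        if acct is None:
            raise Forbidden("unknown reference")
        return account_info_hardened(self.user, f"/accountInfo?acct={acct}")


def demo():
    """Bill's session tries Alice's account against both handlers."""
    bill = "bill"
    tampered = "http://www.coolexample.com/accountInfo?acct=ALICE42"
    leaked = account_info_vulnerable(bill, tampered)["owner"]  # 'alice'
    try:
        account_info_hardened(bill, tampered)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_leaked_owner": leaked, "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The hardened handler and the token resolver both end in the same ownership check; the indirect map only changes what appears in the URL, so an attacker who somehow learns a token still cannot use it from another session.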

To learn more about insecure direct object references and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.


Copyright © 2005 - 2017. All rights reserved. Privacy Policy