
Insecure Direct Object References

Direct object references expose website or account-specific details, such as account numbers, file names, directories, or database keys, in the URL or other accessible sources. Displaying sensitive information in the URL might be a security vulnerability if your website is not configured to verify access for every account-specific page or action.

Attackers might exploit direct object references by modifying URLs or other parameters to access accounts, hop directories, or discover other resources.

For example: Bill's Website displays usernames in the URL:
http://www.coolexample.com/accountInfo?acct=BILL123

A malicious user changes the account name in the URL in an attempt to access another account.

If the website is not configured to verify access, the malicious user might gain unauthorized access to another account.

While referencing specific resources in the URL isn't necessarily a flaw, you should verify access for every request of an account-specific page or action. If you must use direct references in the URL, consider mapping the references to random per-account or per-session codes.
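The two mitigations described above, a per-request ownership check and random per-session codes in place of the real account key, as an added Python example that is not from the original page. The account data, user names, URLs and function names are constructed for illustration.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed sample data: accounts keyed by the direct reference that appears in the URL.
ACCOUNTS = {
    "BILL123": {"owner": "bill", "balance": 1250},
    "ALICE9": {"owner": "alice", "balance": 300},
}

def acct_param(url):
    """Extract the ?acct= value from a URL such as /accountInfo?acct=BILL123."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    return values[0] if values else None

def account_info_insecure(session_user, url):
    """Vulnerable handler: returns whatever account the URL names, with no ownership check."""
    return ACCOUNTS.get(acct_param(url))

def account_info_checked(session_user, url):
    """Hardened handler: verifies on every request that the logged-in user owns the account."""
    account = ACCOUNTS.get(acct_param(url))
    if account is None or account["owner"] != session_user:
        return None  # respond 404/403 in a real app; do not reveal whether the account exists
    return account

class SessionRefMap:
    """Per-session indirect references: random tokens stand in for the real account keys."""
    def __init__(self):
        self._direct_by_token = {}

    def token_for(self, acct):
        token = secrets.token_urlsafe(16)  # unguessable and unique to this session
        self._direct_by_token[token] = acct
        return token

    def resolve(self, token):
        return self._direct_by_token.get(token)

def account_info_indirect(session_map, session_user, url):
    """Handler that accepts only tokens issued to this session, then still checks ownership."""
    acct = session_map.resolve(acct_param(url))
    if acct is None:
        return None  # token unknown to this session (or a raw key pasted into the URL)
    return account_info_checked(session_user, f"/accountInfo?acct={acct}")
```

The indirect handler keeps the ownership check as well: an unguessable token limits what a request can name, but it does not replace verifying that the session is allowed to see the resource.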

To learn more about insecure direct object references and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.
