NSA & CISA joint advisory for Web Application Access Control Abuse

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) released a joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about Insecure Direct Object Reference (IDOR) vulnerabilities.

What is an IDOR/BOLA & Why it’s dangerous?

IDOR also known as Broken Object Level Authorization (BOLA) are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.

These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers. As a matter of fact, BOLA is #1 in the OWASP API Top-10 list in 2023 as well as 2019.

ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of to reduce prevalence of IDOR flaws and protect sensitive data in their systems.

The details of the advisory can be found here: Preventing Web Application Access Control Abuse | CISA

Mitigation

Considering the potential impact of IDOR/BOLA vulnerabilities, it’s critical that organizations take steps to secure their web applications/APIs. Here are some essential security measures that can help mitigate the risk:

• Implement Strong Access Controls: Configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify data, delete data, and access sensitive data. Ensure that access controls are enforced at every level of the application. Use role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms to restrict user permissions to authorized resources and objects.
• Input Validation and Sanitization: Thoroughly sanitize all user-supplied input to prevent attackers from injecting malicious data and exploiting BOLA (IDOR) vulnerabilities. Especially protect all Object IDs – they shouldn’t be exposed in the URLs. Replace them with a cryptographic strong random value – like UUID/GUID.
• Secure Coding Practices: Train developers in secure coding practices to avoid common mistakes that could lead to BOLA (IDOR) vulnerabilities. Perform code reviews and security testing during the development process.
  Use Rate Limits & Captcha’s to limit user requests where feasible.
• Regular Security Testing: Conduct regular security assessments, such as penetration testing and vulnerability scanning, to identify and remediate potential BOLA (IDOR) vulnerabilities.

Conclusion

IDOR/BOLA vulnerabilities remain a significant threat to web applications. Their potential impact on tampering the application’s business logic OR expose sensitive data should not be underestimated. By understanding the risks associated with IDOR/BOLA and adopting proactive security measures, organizations can better protect their web applications and the data they handle. Collaboration between development, security and operations professionals is essential to create a robust security posture that can withstand evolving cyber threats.

We should take this advisory from NSA & CISA as a wake-up call and work together to bolster our web application security. By doing so, we can safeguard sensitive data, protect our users, and build trust in the burgeoning digital ecosystem.

Frequently Asked Questions