The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) released a joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about Insecure Direct Object Reference (IDOR) vulnerabilities.
IDOR vulnerabilities, also known as Broken Object Level Authorization (BOLA), are access control vulnerabilities that enable malicious actors to modify or delete data, or access sensitive data, by issuing requests to a website or a web application programming interface (API) that specify the identifier of another valid user's object. These requests succeed because the application fails to perform adequate authentication and authorization checks on the referenced object.
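The failure described above, as an added example that is not part of the advisory: a handler that returns whatever invoice id the request names, beside a hardened handler that checks the object belongs to the authenticated user. The invoice store, user ids and invoice ids are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.00),
    1002: Invoice(1002, owner_id=8, amount=990.50),
}


class Forbidden(Exception):
    """Raised when the caller is not permitted to access the object."""


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    """IDOR/BOLA: the id comes straight from the request and is looked up
    without checking that it belongs to the authenticated user. The
    session_user_id argument is never consulted, which is the defect."""
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user_id: int, invoice_id: int) -> Invoice:
    """Object-level authorization: the lookup is still by id, but the record
    is returned only when the authenticated user owns it. Unknown ids and
    other users' ids both raise Forbidden, so existence is not leaked."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read invoice {invoice_id}")
    return invoice


def demo() -> dict:
    """User 7 requests their own invoice (1001) and then user 8's (1002)."""
    results = {"vuln_foreign": get_invoice_vulnerable(7, 1002).owner_id}
    results["hard_own"] = get_invoice_hardened(7, 1001).invoice_id
    try:
        get_invoice_hardened(7, 1002)
        results["hard_foreign"] = "allowed"
    except Forbidden:
        results["hard_foreign"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

A denial here should also be logged with the caller and the requested id, since a burst of Forbidden responses across consecutive ids is the typical footprint of someone enumerating objects.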
These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers. Indeed, BOLA ranks #1 on the OWASP API Top 10 list in both 2023 and 2019.
ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of the advisory to reduce the prevalence of IDOR flaws and protect sensitive data in their systems.
The details of the advisory can be found here: Preventing Web Application Access Control Abuse | CISA
Considering the potential impact of IDOR/BOLA vulnerabilities, it’s critical that organizations take steps to secure their web applications/APIs. Here are some essential security measures that can help mitigate the risk:
IDOR/BOLA vulnerabilities remain a significant threat to web applications. Their potential to tamper with the application's business logic or expose sensitive data should not be underestimated. By understanding the risks associated with IDOR/BOLA and adopting proactive security measures, organizations can better protect their web applications and the data they handle. Collaboration between development, security, and operations professionals is essential to create a robust security posture that can withstand evolving cyber threats.
We should take this advisory from NSA & CISA as a wake-up call and work together to bolster our web application security. By doing so, we can safeguard sensitive data, protect our users, and build trust in the burgeoning digital ecosystem.