Wednesday, November 14, 2018

Why you should avoid Direct Object References

Because direct object references are insecure. Any time your application exposes an internal identifier, such as a database key, a filename, or a hashmap index, attackers may manipulate that identifier to reach data they are not authorized to see. For example, if you pass untrusted data from the HTTP request straight to the Java File constructor, an attacker may use "../" sequences or null-byte tricks to get past your validation. Consider using indirect references to your data instead, which prevents this class of attack. The OWASP ESAPI library has support for ReferenceMaps that facilitate this indirection.
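The following is an added example, not code from the original post and not ESAPI's implementation: it shows the vulnerable pattern the post describes (a request parameter passed unchanged to the File constructor) next to a hardened version that resolves only per-session opaque tokens and then confirms the canonical path stays under the base directory. The `IndirectReferenceMap` class, `BASE_DIR`, and the sample filenames are all constructed for this example; ESAPI's own ReferenceMap classes play the same role but are not used here so the code runs with no dependencies.

```java
import java.io.File;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Minimal indirect-reference map, one instance per user session (hypothetical stand-in, not ESAPI's class). */
final class IndirectReferenceMap {
    private final Map<String, String> indirectToDirect = new HashMap<>();
    private final Map<String, String> directToIndirect = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    /** Register a direct reference this user may access; returns the opaque token to expose in URLs/forms. */
    String addDirectReference(String direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) return existing;
        byte[] buf = new byte[8];
        rng.nextBytes(buf);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) sb.append(String.format("%02x", b));
        String indirect = sb.toString();
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    /** Resolve a token from the request; null if this session was never issued that token. */
    String getDirectReference(String indirect) {
        return indirectToDirect.get(indirect);
    }
}

public class DirectObjectReferenceDemo {
    // Constructed base directory for the example; a real application would use its configured storage root.
    private static final File BASE_DIR = new File(System.getProperty("java.io.tmpdir"), "reports");

    /** VULNERABLE: the request parameter is the direct reference and feeds the File constructor unchanged. */
    static File vulnerableResolve(String requestedName) {
        return new File(BASE_DIR, requestedName);
    }

    /** HARDENED: only tokens issued to this session resolve, and the result must remain under BASE_DIR. */
    static File hardenedResolve(IndirectReferenceMap refs, String token) throws IOException {
        String direct = refs.getDirectReference(token);
        if (direct == null) {
            throw new SecurityException("unknown reference");
        }
        File f = new File(BASE_DIR, direct);
        // Defence in depth: canonicalise both sides so "../" and symlinks cannot escape the base directory.
        String canonicalBase = BASE_DIR.getCanonicalPath() + File.separator;
        if (!f.getCanonicalPath().startsWith(canonicalBase)) {
            throw new SecurityException("path escapes base directory");
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: one legitimate filename and one traversal attempt.
        String legit = "q3-summary.pdf";
        String traversal = "../../outside.txt";

        File escaped = vulnerableResolve(traversal);
        System.out.println("vulnerable resolves to: " + escaped.getCanonicalPath());

        IndirectReferenceMap refs = new IndirectReferenceMap();
        String token = refs.addDirectReference(legit);
        System.out.println("token shown to the user: " + token);
        System.out.println("hardened resolves token to: " + hardenedResolve(refs, token).getName());
        try {
            hardenedResolve(refs, traversal);
        } catch (SecurityException e) {
            System.out.println("hardened rejected traversal: " + e.getMessage());
        }
    }
}
```

Two points are worth noting about the design. The map is per session, so a token issued to one user means nothing when replayed by another, which is what defeats enumeration of database keys or filenames. The canonical-path check is kept even though tokens already restrict what can be resolved, because the direct references stored in the map may themselves come from data the application did not fully control.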