Wednesday, November 14, 2018
Why you should avoid Direct Object References
Because Direct Object References are insecure. Any time your application exposes an internal identifier, such as a database key, a filename, or a hashmap index, attackers may attempt to manipulate those identifiers to access data they are not authorized to see. For example, if you pass untrusted data from the HTTP request straight to the Java File constructor, the attacker may use "../" or null-byte attacks to trick your validation. You should consider using indirect references to your data instead: the client only ever receives an opaque, per-user token, and the server maps that token back to the real object, so a request for anything that was never issued to that user is simply refused. The OWASP ESAPI library has support for ReferenceMaps that facilitate this indirection.
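The contrast described above, as an added illustration that is not code from this post or from OWASP ESAPI: a small, hand-rolled indirect reference map (the class names `IndirectReferenceMap` and `AccessDeniedException`, the document root `/srv/app/docs` and the file `alice/report.pdf` are all constructed for the example) next to the vulnerable pattern of handing a request parameter to the `File` constructor.

```java
import java.io.File;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical per-user indirect reference map (not ESAPI's implementation).
 * Maps opaque random tokens to internal direct references (here: files a user
 * owns), so the client never sees, and never chooses, a real path.
 */
public final class IndirectReferenceDemo {

    /** Raised when the client supplies a token that was never issued to it. */
    public static final class AccessDeniedException extends Exception {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** One map per user or session. Tokens are 128 random bits, so they cannot be guessed or enumerated. */
    public static final class IndirectReferenceMap {
        private final SecureRandom rng = new SecureRandom();
        private final Map<String, File> indirectToDirect = new HashMap<>();
        private final Map<File, String> directToIndirect = new HashMap<>();

        /** Register a direct reference this user may use; returns the opaque token to send to the client. */
        public String addDirectReference(File direct) {
            String existing = directToIndirect.get(direct);
            if (existing != null) {
                return existing;
            }
            byte[] raw = new byte[16];
            rng.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            indirectToDirect.put(token, direct);
            directToIndirect.put(direct, token);
            return token;
        }

        /** Resolve a token taken from the request. Anything not issued to this user is rejected outright. */
        public File getDirectReference(String indirect) throws AccessDeniedException {
            File direct = indirect == null ? null : indirectToDirect.get(indirect);
            if (direct == null) {
                throw new AccessDeniedException("unknown or unauthorized reference");
            }
            return direct;
        }
    }

    // "Before": a direct object reference built from untrusted input.
    // A parameter such as "../../etc/passwd" reaches the File constructor unchanged.
    static File openDirectly(File documentRoot, String requestedName) {
        return new File(documentRoot, requestedName); // vulnerable: path traversal
    }

    // "After": the request carries only a token; the server resolves it against the user's own map.
    static File openIndirectly(IndirectReferenceMap userMap, String token) throws AccessDeniedException {
        return userMap.getDirectReference(token);
    }

    public static void main(String[] args) throws Exception {
        File root = new File("/srv/app/docs");            // constructed sample document root
        File report = new File(root, "alice/report.pdf"); // constructed file that alice owns

        // Direct reference: the attacker-chosen name is used as-is and escapes the root.
        File escaped = openDirectly(root, "../../etc/passwd");
        System.out.println("direct   -> " + escaped.getCanonicalPath());

        // Indirect reference: alice's map issues a token for her file only.
        IndirectReferenceMap aliceMap = new IndirectReferenceMap();
        String token = aliceMap.addDirectReference(report);
        System.out.println("token    -> " + token);
        System.out.println("indirect -> " + openIndirectly(aliceMap, token).getPath());

        // A traversal string, or a token that belongs to another user, is not in alice's map and is refused.
        try {
            openIndirectly(aliceMap, "../../etc/passwd");
        } catch (AccessDeniedException e) {
            System.out.println("refused  -> " + e.getMessage());
        }
    }
}
```

The point of the design is that the map is keyed per user: the token space is both unguessable and scoped to what that user was already authorized to see, so there is no filename or key for the client to tamper with. Tokens should live with the session and be dropped when it ends, and the map is a complement to, not a substitute for, the access-control check that decides which direct references go into it in the first place.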