MID-076: Web Direct Object Reference Authentication

Mitigation Tier: Foundational

Description

Every direct object reference (a file name, record ID, or other identifier supplied by the client) should be resolved only after the request has been tied to an authenticated session and the requesting principal has been checked for permission on that specific object [1]. Where possible, devices should serve their files through a web application framework rather than directly from the web server, since a web server that maps URL paths straight to files will return any file a client can name. When using a framework, ensure that every file type associated with the web application (.txt, .pdf, documents, and so on) is hosted on and managed by the framework, so that the same authorization check applies to all of them [2].
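The following is an added illustration, not code from the EMB3D page or from either cited source. It places the pattern this mitigation forbids (a handler that returns whatever object the client names) beside a handler that first binds the request to an authenticated session and then checks the requesting user's permission on the specific object. The file store, session table, user names and object IDs are constructed sample data; the function names are hypothetical.

```python
"""Direct object references: an IDOR-prone file handler beside a hardened one.

Added example, not part of the original page. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample object store keyed by the direct reference a client sends.
# Every file type (.pdf, .txt, ...) lives here and is served only by the handler
# below; nothing is exposed through a web-server static path.
FILES = {
    "1001": {"owner": "alice", "name": "alice-report.pdf", "body": b"%PDF-1.4 alice report"},
    "1002": {"owner": "bob", "name": "bob-notes.txt", "body": b"bob's private notes"},
}

# Constructed session table: session token -> authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


@dataclass
class Response:
    status: int
    body: bytes = b""


def vulnerable_fetch(file_id: str) -> Response:
    """The pattern MID-076 forbids: the reference is resolved with no check of who
    is asking. Anyone who can guess or enumerate '1001' gets alice's file."""
    rec = FILES.get(file_id)
    if rec is None:
        return Response(404)
    return Response(200, rec["body"])


def current_user(session_token: Optional[str]) -> Optional[str]:
    """Map a presented session token to an authenticated user, or None."""
    if not session_token:
        return None
    return SESSIONS.get(session_token)


def authorized(user: str, rec: dict) -> bool:
    """Per-object permission check: here, only the owner may read the object."""
    return rec["owner"] == user


def secure_fetch(session_token: Optional[str], file_id: str) -> Response:
    """Hardened handler: session authentication, then authorization on the
    specific object, before the reference is ever dereferenced."""
    user = current_user(session_token)
    if user is None:
        return Response(401)  # no valid session: do not even look the object up
    rec = FILES.get(file_id)
    # Answer "missing" and "forbidden" identically so a probing client cannot
    # use the status code to learn which identifiers exist.
    if rec is None or not authorized(user, rec):
        return Response(404)
    return Response(200, rec["body"])


if __name__ == "__main__":
    # Unauthenticated and cross-user requests succeed against the weak handler.
    print("vulnerable, no session:", vulnerable_fetch("1001").status)
    # The hardened handler rejects them and serves only the owner.
    print("secure, no session:   ", secure_fetch(None, "1001").status)
    print("secure, bob -> alice: ", secure_fetch("sess-bob", "1001").status)
    print("secure, alice -> alice:", secure_fetch("sess-alice", "1001").status)
```

The check belongs in the handler that resolves the reference, not in the page that builds the link: a client can send any identifier directly. Making identifiers random or mapping them through a per-session indirect reference table can complement this check, but it does not replace it.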

Note: To learn more about session authentication, see MID-073 – Secure HTTP Session Management.

IEC 62443 4-2 Mappings

  • ECR 2.1 – Authorization enforcement RE (1) Authorization enforcement for all users (humans, software processes and devices)

References

[1] OWASP. “Insecure Direct Object Reference Prevention Cheat Sheet.” owasp.org. Accessed: Aug. 28, 2024. [Online.] Available: https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

[2] D. Tidmarsh. “Insecure Direct Object Reference (IDOR) Vulnerability Detection and Prevention.” eccouncil.org. Accessed: Aug. 28, 2024. [Online.] Available: https://www.eccouncil.org/cybersecurity-exchange/web-application-hacking/idor-vulnerability-detection-prevention/