TID-324: HTTP Direct Object Reference
Threat Description
If a device does not properly authenticate all HTTP requests, a threat actor can directly send a request to a specific URL to access data or initiate a device function. This could be used to access/download sensitive data or perform unwanted changes to settings or functions on a device. This typically requires that the threat actor directly knows the URL of the specific file/object/page, rather than depending on the existing links provided by the web application. This is especially problematic for files hosted on a web server (e.g., txt, pdf) since the authentication mechanisms provided by the web application framework may not enforce access controls on those files.
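The following is an added example, not part of this catalog entry, that contrasts the weakness described above with its mitigation in a small Python request handler. It simulates a device web application without any web framework so it runs offline; the users, settings records, file store and URL layout (`/api/settings/<id>`, `/files/<name>`) are all constructed for illustration. The vulnerable handler trusts the identifier in the URL, so any caller who knows or guesses an id or file name receives the object; the hardened handler authenticates every request and checks object ownership before returning either an API record or a hosted file.

```python
"""Added example: vulnerable vs. hardened handling of direct object references
in a device web application. Pure-Python request simulation (no framework);
all users, records and files below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: device users, per-user settings records, and files
# under the web root that the framework would otherwise serve without checks.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "admin": {"role": "admin"}}
RECORDS = {
    "1001": {"owner": "alice", "wifi_ssid": "plant-floor", "psk": "alice-secret"},
    "1002": {"owner": "bob", "wifi_ssid": "office", "psk": "bob-secret"},
}
FILES = {
    "logs/device.log": {"owner": "admin", "content": "boot ok\n"},
    "exports/1001.pdf": {"owner": "alice", "content": "%PDF-1.4 ..."},
}


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None  # principal from a validated session, or None


@dataclass
class Response:
    status: int
    body: object = None


def vulnerable_app(req: Request) -> Response:
    """Trusts the identifier in the URL: any caller, authenticated or not,
    can read any settings record or any hosted file by naming it directly."""
    if req.path.startswith("/api/settings/"):
        rec = RECORDS.get(req.path.rsplit("/", 1)[1])
        return Response(200, rec) if rec else Response(404)
    if req.path.startswith("/files/"):
        f = FILES.get(req.path[len("/files/"):])
        return Response(200, f["content"]) if f else Response(404)
    return Response(404)


def authorized(user: Optional[str], owner: str) -> bool:
    """Object-level check: the principal owns the object or holds the admin role."""
    return user is not None and (user == owner or USERS.get(user, {}).get("role") == "admin")


def hardened_app(req: Request) -> Response:
    """Authenticates every request, then checks ownership of the referenced
    object. Files are routed through the same check instead of being served
    straight from the web root. Unauthorized access to an existing object
    returns 403; returning 404 uniformly would also avoid confirming that the
    object exists."""
    if req.user not in USERS:
        return Response(401)
    if req.path.startswith("/api/settings/"):
        rec = RECORDS.get(req.path.rsplit("/", 1)[1])
        if rec is None:
            return Response(404)
        if not authorized(req.user, rec["owner"]):
            return Response(403)
        return Response(200, rec)
    if req.path.startswith("/files/"):
        f = FILES.get(req.path[len("/files/"):])
        if f is None:
            return Response(404)
        if not authorized(req.user, f["owner"]):
            return Response(403)
        return Response(200, f["content"])
    return Response(404)


if __name__ == "__main__":
    probe = Request("GET", "/api/settings/1002")  # unauthenticated, direct id
    print("vulnerable:", vulnerable_app(probe).status)  # 200, record leaked
    print("hardened:  ", hardened_app(probe).status)    # 401
```

The check that matters is the one in `authorized`: authentication alone (the 401 branch) is not enough, because an authenticated user can still substitute another user's id, so every object lookup must be followed by an ownership or role decision. On a real filesystem the file handler would additionally need to normalize the requested name and reject anything that resolves outside the intended directory.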
Threat Maturity and Evidence
Known Exploitable Weakness
Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability
“Telerik UI for ASP.NET AJAX contains an insecure direct object reference vulnerability in RadAsyncUpload that can result in file uploads in a limited location and/or remote code execution.”
CWE
CWE-639: Authorization Bypass Through User-Controlled Key
“The system’s authorization functionality does not prevent one user from gaining access to another user’s data or record by modifying the key value identifying the data.”
CVE
Iagona ScrutisWeb - CVE-2023-38257
“Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insecure direct object reference vulnerability that could allow an unauthenticated user to view profile information, including user login names and encrypted passwords.”