OWASP Top 10 for .NET developers part 4: Insecure direct object refs

added by troyhunt
9/7/2010 7:10:18 AM


Consider for a moment the sheer volume of information that sits out there on the web and is accessible by literally anyone. No authentication is required and no subversive techniques need be employed; these days a simple Google search can turn up all sorts of things. It's no wonder developers often implement solutions with the full expectation that they will only ever be accessed in the intended context, unaware (or unconcerned) that just a little bit of exploration and experimenting, such as changing an ID in a URL or form field, can open some fairly major holes in their app. This post looks into the role insecure direct object references play and how .NET developers might secure their code against this vulnerability.