Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data.
This includes a specific class of bugs called Insecure Direct Object Reference (IDOR), a type of access control flaw that occurs when an application utilizes user-supplied input or an identifier for direct access to an internal resource, such as a database record, without any additional validations.
A typical example of an IDOR flaw is the ability of a user to trivially change the URL (e.g., https://example[.]site/details.php?id=12345) to obtain unauthorized data of another transaction (i.e., https://example[.]site/details.php?id=67890).
“IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users,” the agencies said. “These requests succeed where there is a failure to perform adequate authentication and authorization checks.”
The authoring entities – the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) – noted that such flaws are being abused by adversaries to compromise the personal, financial, and health information of millions of users and consumers.
To mitigate such threats, it’s recommended that vendors, designers, and developers adopt secure-by-design and -default principles and ensure software performs authentication and authorization checks for every request that modifies, deletes, and accesses sensitive data.
The development comes days after CISA released its analysis of data gathered from risk and vulnerability assessments (RVAs) conducted across multiple federal civilian executive branch (FCEB) as well as high-priority private and public sector critical infrastructure operators.
The study found that “Valid Accounts were the most common successful attack technique, responsible for 54% of successful attempts,” followed by spear-phishing links (33.8%), spear-phishing attachments (3.3%), external remote services (2.9%), and drive-by compromises (1.9%).
Legitimate accounts, which could either be former employee accounts that have not been removed from the active directory or default administrator accounts, have also emerged as the top vector for establishing persistence in a compromised network (56.1%), escalating privileges (42.9%), and defense evasion (17.5%).
“To guard against the successful Valid Accounts technique, critical infrastructure entities must implement strong password policies, such as phishing-resistant [multi-factor authentication], and monitor access logs and network communication logs to detect abnormal access,” CISA said.