Cyber Security Threat Summary:
“The Australian and US governments have issued a joint advisory about the growing cyber-threats to web applications and application programming interfaces (APIs). The guidance, Preventing Web Application Access Control Abuse was released by the Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) on July 27, 2023” (Info Security Magazine, 2023).

The advisory warns web application developers and users about the frequent exploitation of insecure direct object reference (IDOR) vulnerabilities. These are access control vulnerabilities that allow threat actors to modify, delete, or even access sensitive data by issuing requests to a website or API specifying the user identifier of other valid users.

Security Officer Comments:
IDOR vulnerabilities exploited in attacks are often heavily targeted and are commonly found. Outside of the development process, these vulnerabilities can be difficult to prevent. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information from millions of users. Due to failure of the system to adequately authenticate and supply authorization, threat actors can gain access to sensitive data.

The agencies issued a range of recommendations for vendors, designers, developers and end user organizations to reduce the prevalence of IDOR vulnerabilities.

Suggested Correction(s):


Vendors and Developers

• Implement secure by design principles into each stage of the software development life cycle (SDLC). Recommended practices can be found in the National Institute of Security and Technology’s (NIST’s) Secure Software Development Framework (SSDF), SP 800-218. Other secure by design recommendations include testing code to identify vulnerabilities and verify compliance with security requirements and conducting role-based training for personnel responsible for secure software development.
• Establish a vulnerability disclosure program. This should enable the disclosure of security vulnerabilities internally and externally.

End-User Organizations

• Exercise due diligence when selecting web applications. In particular, source from reputable vendors “that demonstrate commitment to secure by design and default principles.”
• Apply software patches for web applications as soon as possible
• Configure the application to log and generate alerts from tamper attempts
• Create, maintain, and exercise a basic cyber incident response plan (IRP)

The new advisory fits in with the US government’s National Cybersecurity Strategy, which aims to place more responsibility on technology suppliers and developers for the security of software products.

Link(s):
https://media.defense.gov/2023/Jul/
https://www.infosecurity-magazine.com/news/australia-us-warning-web-app/