Detection and Prevention of Insecure Direct Object References (IDOR) in Website-Based Applications (original title: Deteksi dan Pencegahan Insecure Direct Object References (IDOR) Pada Aplikasi Berbasis Website)
Abstract
IDOR (Insecure Direct Object References) is a security vulnerability that occurs when a web application does not adequately validate or authorize access to directly referenced objects such as data or resources. In web application security, an object may be a file, a database record, or any other resource identified by a parameter or direct reference. An IDOR attack manipulates the parameters passed to a web application to gain unauthorized access to objects the requesting user should not be able to reach. By exploiting this vulnerability, attackers can read, modify, or delete data that should be accessible only to authorized users. One particular risk is that retrieving website data by an object ID supplied in the request is frequently vulnerable to IDOR attacks. Retrieving the identifier from $_SESSION instead can therefore be a safer alternative that avoids the IDOR vulnerability: with this technique only the account currently in use can be accessed, and access to other technicians' accounts is not possible. Adding further query parameters can also increase website security and protect the data and information the site holds. Thus, adding extra validation to the code can help prevent IDOR vulnerabilities in web applications.
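The two retrieval patterns the abstract contrasts, as an added PHP example rather than the paper's own code: a lookup keyed by a client-supplied id (the IDOR-prone pattern), the same lookup keyed by the id stored in $_SESSION at login, and a query with the extra ownership parameter for cases where a client-supplied id cannot be avoided. The table names, column names, session key and PDO connection details are assumptions for illustration.

```php
<?php
// Added example (not from the paper): contrasting data-retrieval patterns.
// Assumed schema: technicians(id, name, email), work_orders(id, title, technician_id).
session_start();

function db(): PDO {
    // Assumed connection details; adjust for your environment.
    $pdo = new PDO('mysql:host=localhost;dbname=inventory', 'app', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// IDOR-PRONE: the record is chosen entirely by a client-supplied id, so any
// logged-in user can read any technician's profile just by changing ?id=.
// Shown only for contrast with the two functions below.
function getTechnicianById(int $id): ?array {
    $stmt = db()->prepare('SELECT id, name, email FROM technicians WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// SAFER: the id comes from the server-side session populated at login, never
// from the request, so a user can only retrieve their own account.
function getOwnTechnician(): ?array {
    if (empty($_SESSION['technician_id'])) {
        return null; // not authenticated
    }
    $stmt = db()->prepare('SELECT id, name, email FROM technicians WHERE id = ?');
    $stmt->execute([(int) $_SESSION['technician_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// When a client-supplied id is unavoidable (one of several records the user
// owns), add the ownership condition as an extra query parameter: a record
// that exists but belongs to someone else is indistinguishable from a missing one.
function getOwnedWorkOrder(int $workOrderId): ?array {
    if (empty($_SESSION['technician_id'])) {
        return null;
    }
    $stmt = db()->prepare(
        'SELECT id, title FROM work_orders WHERE id = ? AND technician_id = ?'
    );
    $stmt->execute([$workOrderId, (int) $_SESSION['technician_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null; // null also when not owned
}
```

Prepared statements are used throughout so the added parameter cannot be bypassed by injection; the authorization check lives in the query itself rather than in client-visible input.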
Copyright (c) 2023 Rio Ananda Putra, Irwan Alnaurus Kautsar, Hindarto Hindarto, Sumarno Sumarno
This work is licensed under a Creative Commons Attribution 4.0 International License.