Detection and Prevention of Insecure Direct Object References (IDOR) in Website-Based Applications


Deteksi dan Pencegahan Insecure Direct Object References (IDOR) Pada Aplikasi Berbasis Website


  • (1) * Rio Ananda Putra            Universitas Muhammadiyah Sidoarjo  
            Indonesia

  • (2)  Irwan Alnaurus Kautsar            Universitas Muhammadiyah Sidoarjo  
            Indonesia

  • (3)  Hindarto Hindarto            Universitas Muhammadiyah Sidoarjo  
            Indonesia

  • (4)  Sumarno Sumarno            Universitas Muhammadiyah Sidoarjo  
            Indonesia

    (*) Corresponding Author

Abstract

IDOR (Insecure Direct Object References) is a security vulnerability that occurs when a web application does not validate or authorize access to direct objects, such as data or resources, in an adequate manner. In the context of web application security, objects can be files, database records, or other resources identified by a parameter or direct reference. The IDOR technique allows an attacker to manipulate parameters passed to a web application to gain unauthorized access to objects he or she should not have access to. By exploiting this vulnerability, attackers can access, modify, or delete data that should only be accessible to authorized users. One of the dangers in accessing data on websites, data retrieval techniques from object IDs are often vulnerable to Insecure Direct Object References (IDOR) attacks. Therefore, the data retrieval technique from $_SESSION can be a safer alternative to avoid the IDOR security vulnerability. Using this technique, only the account in use can be accessed and does not allow access to other technician accounts. The use of additional query parameters can also increase website security and protect the data and information contained therein. Thus, adding additional validation to the code can help prevent IDOR vulnerabilities from occurring in web applications.

Downloads

Download data is not yet available.

Author Biographies

Rio Ananda Putra, Universitas Muhammadiyah Sidoarjo

Program Studi Informatika, Fakultas Sains dan Teknologi

Irwan Alnaurus Kautsar, Universitas Muhammadiyah Sidoarjo

Program Studi Informatika, Fakultas Sains dan Teknologi

Hindarto Hindarto, Universitas Muhammadiyah Sidoarjo

Program Studi Informatika, Fakultas Sains dan Teknologi

Sumarno Sumarno, Universitas Muhammadiyah Sidoarjo

Program Studi Informatika, Fakultas Sains dan Teknologi

References

Simarmata, J., Chaerul, M., Mukti, R. C., Purba, D. W., Tamrin, A. F., Jamaludin, J., ... & Meganingratna, A. (2020). Teknologi Informasi: Aplikasi dan Penerapannya. Yayasan Kita Menulis.

Primawanti, E. P., & Ali, H. (2022). Pengaruh Teknologi Informasi, Sistem Informasi Berbasis Web Dan Knowledge Management Terhadap Kinerja Karyawan (Literature Review Executive Support Sistem (Ess) for Business). Jurnal Ekonomi Manajemen Sistem Informasi, 3(3), 267-285. DOI: https://doi.org/10.31933/jemsi.v3i3.818

Guntoro, G., Costaner, L., & Musfawati, M. (2020). Analisis Keamanan Web Server Open Journal System (Ojs) Menggunakan Metode Issaf Dan Owasp (Studi Kasus Ojs Universitas Lancang Kuning). JIPI (Jurnal Ilmiah Penelitian Dan Pembelajaran Informatika), 5(1), 45-55. DOI: https://doi.org/10.29100/jipi.v5i1.1565

Demesa, E. G. (2018). Implementation of a Hands-on Attack and Defense Lab on Insecure Direct Object References Master ’ s thesis. https://www.etis.ee/Portal/Mentorships/Display/57461a3c-f3aa-40f8-a9e3-05a76e074551.

Kuncoro, A. W. (2022). Pengujian Autentikasi Dan Otorisasi Web Mi-Gateway Uii Berdasarkan Dokumen Owasp Wstg V4. 2.

Novendri, M. S., Saputra, A., & Firman, C. E. (2019). Aplikasi Inventaris Barang Pada Mts Nurul Islam Dumai Menggunakan Php Dan Mysql. lentera dumai, 10(2).

Putri, S. E. Y. (2021). Penerapan Model Naive Bayes Untuk Memprediksi Potensi Pendaftaran Siswa Di Smk Taman Siswa Teluk Betung Berbasis Web. Journal of Engineering, Computer Science and Information Technology (JECSIT), 1(1). DOI: https://doi.org/10.33365/jatika.v1i1.228

Kinaswara, T. A. (2019, October). Rancang Bangun Aplikasi Inventaris Berbasis Website pada Kelurahan Bantengan. In Prosiding Seminar Nasional Teknologi Informasi dan Komunikasi (SENATIK) (Vol. 2, No. 1, pp. 71-75).

Picture in here are illustration from public domain image (License) or provided by the author, as part of their works
Published
2023-07-31
 
How to Cite
[1]
R. A. Putra, I. A. Kautsar, H. Hindarto, and S. Sumarno, “Detection and Prevention of Insecure Direct Object References (IDOR) in Website-Based Applications”, PELS, vol. 4, Jul. 2023.