SiteLock Help

Insecure Direct Object References

Direct object references expose website or account-specific details, such as account numbers, file names, directories, or database keys, in the URL or other accessible sources. Displaying sensitive information in the URL might be a security vulnerability if your website is not configured to verify access for every account-specific page or action.

Attackers might exploit direct object references by modifying URLs or other parameters to access accounts, hop directories, or discover other resources.

For example: Bill's site displays usernames in the URL:
http://www.coolexample.com/accountInfo?acct=BILL123

A malicious user changes the account name in the URL in an attempt to access another account.

If the website is not configured to verify access, the malicious user might gain unauthorized access to another account.

While referencing specific resources in the URL isn't necessarily a flaw, you should verify access for every request of an account-specific page or action. If you must use direct references in the URL, consider mapping the references to random per-account or per-session codes.
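The handlers below are an added example, not SiteLock's code, modelled on the hypothetical accountInfo?acct= page above: the first trusts the URL parameter as-is, the second checks that the signed-in user owns the referenced account, and the third replaces the account name with a random per-session code that is mapped back to the real record server-side. The account records, user names and session ids are constructed sample data.

```python
import secrets

# Constructed sample data: account records keyed by their direct identifier,
# the value that the vulnerable page exposes in the URL.
ACCOUNTS = {
    "BILL123": {"owner": "bill", "balance": 1500},
    "ALICE42": {"owner": "alice", "balance": 300},
}


def account_info_insecure(session_user, acct):
    """Vulnerable handler: returns whatever record the URL names.
    The session_user is never consulted, so editing acct= is enough."""
    return ACCOUNTS.get(acct)


def account_info_checked(session_user, acct):
    """Hardened handler: every request is checked against the session.
    A missing record and a record owned by someone else get the same
    answer, so the response does not reveal which account names exist."""
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        return None  # the web layer would turn this into a 403 or 404
    return record


class ReferenceMap:
    """Indirect references: a random per-session code stands in for the
    real account id, so nothing guessable appears in the URL."""

    def __init__(self):
        self._by_session = {}

    def issue(self, session_id, acct):
        code = secrets.token_urlsafe(16)
        self._by_session.setdefault(session_id, {})[code] = acct
        return code

    def resolve(self, session_id, code):
        # A code issued to one session is meaningless in any other session.
        return self._by_session.get(session_id, {}).get(code)


def account_info_indirect(refs, session_id, session_user, code):
    """Resolve the session code, then still verify ownership: the
    indirect reference is defence in depth, not a replacement for the check."""
    acct = refs.resolve(session_id, code)
    if acct is None:
        return None
    return account_info_checked(session_user, acct)
```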

To learn more about insecure direct object references and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.

