Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.
Technical Specifications
- Technical specifications
- WASC TC v2.0 Classes Coverage
- WASC TC v1.0 Classes Coverage
- OWASP Top Ten 2013 Coverage
- OWASP Top Ten 2010 Coverage
- OWASP Top Ten 2007 Coverage
- OWASP Top Ten 2004 Coverage
- 2011 CWE/SANS Top 25 Coverage
- 2010 CWE/SANS Top 25 Coverage
- 2009 CWE/SANS Top 25 Coverage
- The Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- NIST Special Publication 800-53
- Sarbanes-Oxley Act (SOX)
- DISA Security Technical Implementation Guide (STIG)
- ISO/IEC 27001:2005 Coverage
- ISO/IEC 27001:2013 Coverage
OWASP Top 10 2013 Contents
- OWASP Top Ten 2013
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting, XSS
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery, CSRF
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards