
Insecure object reference

Description

The system's authorization mechanism does not prevent one user from accessing another user's data by modifying the key value that identifies it.

Impact

Obtain, modify or delete information from other users.

Recommendation

  • Validate that unprivileged users can access and modify only their own information.
  • Handle the user operations using session objects.

Threat

Authenticated user from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: U
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C
  • Score:
    • Base: 4.3
    • Temporal: 4.1
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Correctly set editing policies according to roles

const roles = {
  ADMIN: "ADMIN",
  EDITOR: "EDITOR",
  GUEST: "GUEST"
};

// Action identifiers and the action -> allowed-roles map (assumed definitions)
const actions = {
  MODIFY_FILE: "MODIFY_FILE",
  VIEW_FILE: "VIEW_FILE",
  DELETE_FILE: "DELETE_FILE",
  CREATE_FILE: "CREATE_FILE"
};
const mappings = new Map();

// Each action lists only the roles that need it (least privilege)
mappings.set(actions.MODIFY_FILE, [roles.ADMIN, roles.EDITOR]);
mappings.set(actions.VIEW_FILE, [roles.ADMIN, roles.EDITOR, roles.GUEST]);
mappings.set(actions.DELETE_FILE, [roles.ADMIN]);
mappings.set(actions.CREATE_FILE, [roles.ADMIN, roles.EDITOR]);

Non compliant code

The roles defined have excessive privileges: GUEST is granted MODIFY_FILE, which an attacker could easily exploit.

const roles = {
  ADMIN: "ADMIN",
  EDITOR: "EDITOR",
  GUEST: "GUEST"
};

const actions = { MODIFY_FILE: "MODIFY_FILE" }; // assumed definition
const mappings = new Map();

// GUEST should never be able to modify files; granting it here lets any
// unprivileged user alter content (the defect described above)
mappings.set(actions.MODIFY_FILE, [roles.ADMIN, roles.EDITOR, roles.GUEST]);
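The snippet below is an added example, not code from the original page. It reuses the role/action mapping from the compliant code above and adds the object-level check that the Recommendation section asks for: the caller's identity is taken only from a server-side session object and compared against the owner of the requested record. The file store, the session shape and the handler names (handleFileActionInsecure, handleFileActionSecure, roleAllows, ownsOrAdmin) are assumptions made for this illustration.

```javascript
// Added example (not from the original page). Role/action names mirror the
// compliant snippet; the file store, session shape and function names are assumed.
const roles = { ADMIN: "ADMIN", EDITOR: "EDITOR", GUEST: "GUEST" };
const actions = {
  MODIFY_FILE: "MODIFY_FILE",
  VIEW_FILE: "VIEW_FILE",
  DELETE_FILE: "DELETE_FILE",
  CREATE_FILE: "CREATE_FILE",
};
const mappings = new Map([
  [actions.MODIFY_FILE, [roles.ADMIN, roles.EDITOR]],
  [actions.VIEW_FILE, [roles.ADMIN, roles.EDITOR, roles.GUEST]],
  [actions.DELETE_FILE, [roles.ADMIN]],
  [actions.CREATE_FILE, [roles.ADMIN, roles.EDITOR]],
]);

// Constructed sample data: every file records who owns it.
const files = new Map([
  [1, { id: 1, ownerId: "alice", content: "alice notes" }],
  [2, { id: 2, ownerId: "bob", content: "bob notes" }],
]);

// Function-level check: may this role perform this action at all?
// Unknown actions and roles fail closed.
function roleAllows(role, action) {
  const allowed = mappings.get(action);
  return Array.isArray(allowed) && allowed.includes(role);
}

// Object-level check: may this session touch this particular file?
// Ownership is compared against the session, never against request data.
function ownsOrAdmin(session, file) {
  return session.role === roles.ADMIN || file.ownerId === session.userId;
}

// Denied cross-user attempts are recorded here; a detection rule would alert
// on a session that accumulates many of these in a short window.
const deniedLog = [];

// Vulnerable handler: only the role mapping is consulted, so any GUEST can
// view any file simply by changing the id in the request.
function handleFileActionInsecure(session, action, fileId) {
  if (!session || !roleAllows(session.role, action)) return { status: 403 };
  const file = files.get(Number(fileId));
  return file ? { status: 200, file } : { status: 404 };
}

// Hardened handler: the role mapping AND ownership must both pass. A file the
// caller does not own is answered with 404, exactly like a missing file, so
// the response does not confirm that the id exists.
function handleFileActionSecure(session, action, fileId) {
  if (!session || !session.userId) return { status: 401 };
  if (!roleAllows(session.role, action)) return { status: 403 };
  const file = files.get(Number(fileId));
  if (!file) return { status: 404 };
  if (!ownsOrAdmin(session, file)) {
    deniedLog.push({ userId: session.userId, action, fileId: file.id });
    return { status: 404 };
  }
  // The actual read/modify/create would run here; DELETE is shown.
  if (action === actions.DELETE_FILE) files.delete(file.id);
  return { status: 200, file };
}
```

The key difference is that the hardened handler scopes every lookup to the session's identity before acting on the record, which is what closes the insecure object reference; the role mapping alone only answers "can this kind of user do this at all", not "to this object".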

Requirements