The Australian and US governments have issued a joint advisory about the growing cyber-threats to web applications and application programming interfaces (APIs).
The guidance, Preventing Web Application Access Control Abuse, was released by the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA) on July 27, 2023.
It warns web application developers and users about the frequent exploitation of insecure direct object reference (IDOR) vulnerabilities: access control flaws that let threat actors read, modify or delete sensitive data by sending a request to a website or API that names the identifier of another, valid user (or of an object belonging to that user) instead of their own.
The advisory noted that IDOR vulnerabilities are heavily targeted by attackers because they are common and difficult to prevent outside the development process. It read: “IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.”
These attacks succeed when the application fails to perform adequate authentication and authorization checks on the request. In the typical case the attacker is authenticated as a legitimate user of their own, but the server never verifies that the object referenced in the request actually belongs to that user, so the substituted identifier is simply honoured.
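A worked illustration of the flaw described above, added here as an example rather than taken from the advisory or from any real product: an authenticated lookup handler that trusts the object id in the request, beside the same handler with the missing ownership check. The invoice table, the user names `alice` and `bob`, the `NotFound` type and the `probe` helper are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str          # the user the record belongs to
    amount_cents: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 12_000),
    1002: Invoice(1002, "bob", 4_500),
    1003: Invoice(1003, "alice", 990),
}


class NotFound(Exception):
    """Raised where an HTTP API would answer 404."""


def get_invoice_vulnerable(session_user: str, invoice_id: int, audit_log: list) -> Invoice:
    """IDOR: session_user is authenticated, but the handler never checks that
    the invoice belongs to them, so any logged-in user can read any invoice
    simply by changing the id in the request. (audit_log is unused here;
    the vulnerable handler records nothing.)"""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_hardened(session_user: str, invoice_id: int, audit_log: list) -> Invoice:
    """Authorization check added: the record is returned only if it belongs to
    the authenticated user. A foreign id is answered exactly like a
    nonexistent one, so the response does not confirm which ids exist, and
    every refusal is written to an audit log so it can be alerted on."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        audit_log.append({"user": session_user, "invoice_id": invoice_id, "result": "denied"})
        raise NotFound(invoice_id)
    return inv


def probe(handler, session_user: str, invoice_ids, audit_log: list) -> dict:
    """Simulates a client walking a range of ids with one valid session and
    records whose data it managed to read (None = refused)."""
    seen = {}
    for iid in invoice_ids:
        try:
            seen[iid] = handler(session_user, iid, audit_log).owner
        except NotFound:
            seen[iid] = None
    return seen


if __name__ == "__main__":
    log: list = []
    print("vulnerable:", probe(get_invoice_vulnerable, "bob", range(1001, 1005), log))
    print("hardened:  ", probe(get_invoice_hardened, "bob", range(1001, 1005), log))
    print("audit log: ", log)
```

Run as a script, the vulnerable handler lets `bob` read both of `alice`'s invoices; the hardened handler returns only `bob`'s own record and leaves three denial entries in the audit log. The ownership comparison is the authorization check the advisory refers to; answering a foreign id with the same 404 as a missing id is a design choice that keeps the endpoint from doubling as an oracle for which ids exist.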
The agencies issued a range of recommendations for vendors, designers, developers and end user organizations to reduce the prevalence of IDOR vulnerabilities:
Vendors and Developers
- Implement secure by design principles into each stage of the software development life cycle (SDLC). Recommended practices can be found in the National Institute of Standards and Technology’s (NIST’s) Secure Software Development Framework (SSDF), SP 800-218. Other secure by design recommendations include testing code to identify vulnerabilities and verify compliance with security requirements, and conducting role-based training for personnel responsible for secure software development.
- Establish a vulnerability disclosure program. This should enable the disclosure of security vulnerabilities internally and externally.
End-User Organizations
- Exercise due diligence when selecting web applications. In particular, source from reputable vendors “that demonstrate commitment to secure by design and default principles.”
- Apply software patches for web applications as soon as possible.
- Configure the application to log tamper attempts and generate alerts on them.
- Create, maintain, and exercise a basic cyber incident response plan (IRP).
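For the logging and alerting recommendation, an added example that is not from the advisory or from any vendor: a small detector that reads application access-log lines and raises an alert when one authenticated user accumulates many refused lookups on distinct object ids within a short window, which is what an IDOR enumeration looks like from the server side. The log line format, the `/api/invoices/` path, the user names and every sample line are constructed for this example; a real deployment would adapt `LOG_RE` to its own access-log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for this example: timestamp, authenticated user,
# request line and status code. Real access logs vary; adjust the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"/api/invoices/(?P<obj>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: alice reads her own records, bob walks a range of
# ids he does not own, carol mistypes a single id.
SAMPLE_LOG = """\
2023-07-27T10:00:01Z user=alice GET /api/invoices/1001 200
2023-07-27T10:00:03Z user=alice GET /api/invoices/1003 200
2023-07-27T10:05:00Z user=bob GET /api/invoices/1002 200
2023-07-27T10:05:01Z user=bob GET /api/invoices/1003 404
2023-07-27T10:05:01Z user=bob GET /api/invoices/1004 404
2023-07-27T10:05:02Z user=bob GET /api/invoices/1005 404
2023-07-27T10:05:02Z user=bob GET /api/invoices/1006 404
2023-07-27T10:05:03Z user=bob GET /api/invoices/1007 404
2023-07-27T10:05:03Z user=bob GET /api/invoices/1008 404
2023-07-27T10:20:00Z user=carol GET /api/invoices/2000 404
"""

# Status codes that mean the lookup was refused (missing or not owned).
DENIED = {"403", "404"}


def parse_events(text: str) -> list:
    """Turn log text into event dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["obj"] = int(e["obj"])
        events.append(e)
    return events


def detect_enumeration(events, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Alert once per user whose refused lookups cover at least `threshold`
    distinct object ids inside any `window`-long span. Legitimate users rarely
    probe ids they do not own; an enumerator does little else."""
    denied = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["status"] in DENIED:
            denied[e["user"]].append(e)

    alerts = []
    for user, hits in denied.items():
        best = None
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits.
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            ids = {h["obj"] for h in hits[start:end + 1]}
            if len(ids) >= threshold and (best is None or len(ids) > best["denied"]):
                best = {
                    "user": user,
                    "denied": len(ids),
                    "ids": sorted(ids),
                    "first": hits[start]["ts"].isoformat(),
                    "last": hits[end]["ts"].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


def run_demo() -> list:
    return detect_enumeration(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT possible IDOR enumeration by {alert['user']}: "
              f"{alert['denied']} refused ids {alert['ids'][0]}..{alert['ids'][-1]} "
              f"between {alert['first']} and {alert['last']}")
```

On the sample lines the detector flags only `bob`, who collected six refused lookups on consecutive ids within two seconds; `carol`'s single 404 stays below the threshold. Counting distinct ids rather than raw requests keeps a client that retries one bad id from tripping the alert, and the per-user window means the threshold can be tuned to the application's normal error rate.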
The new advisory fits in with the US government’s National Cybersecurity Strategy, which aims to place more responsibility on technology suppliers and developers for the security of software products.