Preventing Web Application Access Control Abuse – CISA

Category: NSA

SUMMARY

The Australian Signals Directorates Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.

These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers.

ACSC, CISA, and NSA strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisoryincluding the followingto reduce prevalence of IDOR flaws and protect sensitive data in their systems.

Download the PDF version of this report:

IDOR vulnerabilities are access control vulnerabilities in web applications (and mobile phone applications [apps] using affected web API) that occur when the application or API uses an identifier (e.g., ID number, name, or key) to directly access an object (e.g., a database record) but does not properly check the authentication or authorization of the user submitting the request. Depending on the type of IDOR vulnerability, malicious actors can access sensitive data, modify or delete objects, or access functions.

Typically, these vulnerabilities exist because an object identifier is exposed, passed externally, or easily guessedallowing any user to use or modify the identifier.

These vulnerabilities are common[1] and hard to prevent outside the development process since each use case is unique and cannot be mitigated with a simple library or security function. Additionally, malicious actors can detect and exploit them at scale using automated tools. These factors place end-user organizations at risk of data leaks (where information is unintentionally exposed) or large-scale data breaches (where a malicious actor obtains exposed sensitive information). Data leaks or breaches facilitated by IDOR vulnerabilities include:

ACSC, CISA, and NSA recommend that vendors, designers, and implementors of web applicationsincluding organizations that build and deploy software (such as HR tools) for their internal use and organizations that create open-source projectsimplement the following mitigations. These mitigations may reduce prevalence of IDOR vulnerabilities in software and help ensure products are secure-by-design and -default.

For more information, see the joint Enduring Security Frameworks Securing the Software Supply Chain: Recommended Practices Guide for Developers, CISAs Supply Chain Risk Management Essentials, and ACSCs Cyber Supply Chain Risk Management.

Additionally, ACSC, CISA, and NSA recommend following cybersecurity best practices in production and enterprise environments. Software developers are high-value targets because their customers deploy software on their own trusted networks. For best practices, see:

ACSC, CISA, and NSA recommend that all end-user organizations, including those with on-premises software, SaaS, IaaS, and private cloud models, implement the mitigations below to improve their cybersecurity posture.

Additionally, ACSC, CISA, and NSA recommend following cybersecurity practices. For best practices, see ACSCs Essential Eight, CISAs CPGs, and NSAs Top Ten Cybersecurity Mitigation Strategies.

ACSC, CISA, and NSA recommend that organizations:

ACSC, CISA, and NSA recommend that organizations with on-premises software or IaaS consider using SaaS models for their internet-facing websites.

Organizations leveraging SaaS with sufficient resources may consider conducting penetration testing and using vulnerability scanners. However, such tests may interfere with service provider operations. Organizations should consult with their legal counsel as appropriate to determine what can be included in the scope of the penetration testing.

If you or your organization are victim to a data breach or cyber incident, follow relevant cyber incident response and communications plans, as appropriate.

[1] A01 Broken Access Control - OWASP Top 10:2021

[2] A massive stalkerware leak puts the phone data of thousands at risk

[3] Mobile device monitoring services do not authenticate API requests

[4] Behind the stalkerware network spilling the private phone data of hundreds of thousands

[5] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

[6] Biggest Data Breaches in US History [Updated 2023]

[7] AT&T Hacker 'Weev' Sentenced to 3.5 Years in Prison

[8] Fuzzing | OWASP Foundation

The information in this report is being provided "as is" for informational purposes only. ACSC, CISA, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States or Australian Governments, and this guidance shall not be used for advertising or product endorsement purposes.

This document was developed in furtherance of the authors cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Continue reading here:
Preventing Web Application Access Control Abuse - CISA

NSA (NSA) Executive Chair Fischer reports new OP unit awards and LTIP conversions - Stock Titan - March 4th, 2026 [March 4th, 2026]
Cyber retaliation from Iran is a problem for U.S. companies 'It's in the hands of a 19-year-old hacker in a Telegram room,' ex-NSA operative says -... - March 4th, 2026 [March 4th, 2026]
Ajit Doval Indias Most Useless NSA Ever Says Netizens: Zero Intel on Uri, Pulwama, Galwan, Iran War & More - indiaherald.com - March 4th, 2026 [March 4th, 2026]
Sheep Village Cynefin to be launched by RWAS and NSA at the Royal Welsh Show - Shropshire Star - March 4th, 2026 [March 4th, 2026]
Wyden blocks nominee to lead NSA and Cyber Command - Federal News Network - February 27th, 2026 [February 27th, 2026]
Wyden blocks Rudd confirmation to lead Cyber Command, NSA - The Record from Recorded Future News - February 27th, 2026 [February 27th, 2026]
NSA said to have seen security concerns in Grok - breakingthenews.net - February 27th, 2026 [February 27th, 2026]
NSA: Solid Q4 Beat and Favorable 2026 Outlook, But Cost Pressures and High Expectations Justify Hold Rating - TipRanks - February 27th, 2026 [February 27th, 2026]
Videotron and Samsung Expand Partnership Through 5G NSA and 4G LTE Core Gateway Deployment - samsung.com - February 24th, 2026 [February 24th, 2026]
Videotron Taps Samsung for Cloud-Native 5G NSA and LTE Core Gateway Solution - The Fast Mode - February 24th, 2026 [February 24th, 2026]
El-Rufai Demanded to Provide Evidence in NSA Hacking Claims - streamlinefeed.co.ke - February 24th, 2026 [February 24th, 2026]
DSS to arraign El-Rufai on Feb. 25 over alleged NSA phone interception - Businessday NG - February 24th, 2026 [February 24th, 2026]
Securus Technologies Supports Expansion of Sheriff-Led NSA I.G.N.I.T.E. Initiative to Improve Jail Safety and Reentry Outcomes - PR Newswire - February 7th, 2026 [February 7th, 2026]
NSA set to deal with defiant parties, politicians, supporters on integrity of democratic process - ThePointNG - February 7th, 2026 [February 7th, 2026]
Where NSA zero trust guidance aligns with enterprise reality - Help Net Security - February 4th, 2026 [February 4th, 2026]
UNG third in Division 1 of NSA cyber event - University of North Georgia - February 4th, 2026 [February 4th, 2026]
Green Beret Lieutenant General Joshua Rudd Tapped To Lead NSA and US Cyber Command - SOFREP - February 4th, 2026 [February 4th, 2026]
SC Flags Health Concerns, Urges Rethink on Sonam Wangchuks NSA Detention - The Morning Voice - February 4th, 2026 [February 4th, 2026]
What security teams need to know about the NSA's new zero trust guidelines - IT Pro - February 4th, 2026 [February 4th, 2026]
'India won't be bullied': NSA Ajit Doval told Marco Rubio that New Delhi would wait out Trump term for trade deal: Report - theweek.in - February 4th, 2026 [February 4th, 2026]
When Protest becomes a Threat: Inside the Supreme Court hearing on Sonam Wangchuks NSA detention - SabrangIndia - February 4th, 2026 [February 4th, 2026]
If NSA Commits Database Query Violations, But Nobody Audits Them, Do They Really Happen? - emptywheel - February 4th, 2026 [February 4th, 2026]
Army general tapped to lead NSA vows to follow the law if confirmed - Military Times - February 1st, 2026 [February 1st, 2026]
Overturned tractor-trailer shuts portion of Route 32 near NSA - WBAL-TV - February 1st, 2026 [February 1st, 2026]
Nominee to lead NSA backs controversial spying law - Defense One - February 1st, 2026 [February 1st, 2026]
NSA pick champions foreign spying law as nomination advances - The Record from Recorded Future News - February 1st, 2026 [February 1st, 2026]
NSA Releases Phase One and Phase Two of the Zero Trust Implementation Guidelines - National Security Agency (.gov) - February 1st, 2026 [February 1st, 2026]
Army General Tapped to Lead NSA Said He Doesnt Know Much About the Biggest NSA Controversy - The Intercept - February 1st, 2026 [February 1st, 2026]
Trump's pick to lead the NSA vows to follow the law if confirmed - ABC News - February 1st, 2026 [February 1st, 2026]
Trump's pick to lead the NSA vows to follow the law if confirmed - Oskaloosa Herald - February 1st, 2026 [February 1st, 2026]
Trump's pick to lead the NSA vows to follow the law if confirmed - The Derrick - February 1st, 2026 [February 1st, 2026]
Overturned tractor-trailer shuts westbound Maryland Route 32 near NSA exit, police say - WBAL News Radio - February 1st, 2026 [February 1st, 2026]
SC to hear plea against Sonam Wangchuks NSA detention on February 2 - The New Indian Express - February 1st, 2026 [February 1st, 2026]
Powys sheep sector to hear from Llyr Gruffydd at NSA meeting - County Times - February 1st, 2026 [February 1st, 2026]
NSA calls for consultation on castration and tail docking to involve sheep farmers - cravenherald.co.uk - January 24th, 2026 [January 24th, 2026]
NSA launches 13th annual survey for insight into cases of sheep worrying by dogs - Yahoo News UK - January 24th, 2026 [January 24th, 2026]
NSA Ajit Doval says he doesn't use phone or internet. Here's why - MSN - January 14th, 2026 [January 14th, 2026]
NSA Ajit Doval says he doesnt use phone or internet; shares views on Indias future and youth - WION - January 11th, 2026 [January 11th, 2026]
Liberia: NSA Director's Special Assistant Suspended Amid Alleged Gang Sodomy of 15-Year-Old; Authorities Remain Silent - FrontPageAfrica - January 11th, 2026 [January 11th, 2026]
'Wars happen because some countries want to impose their will on others': NSA Ajit Doval - Deccan Herald - January 11th, 2026 [January 11th, 2026]
We have to avenge our history: NSA Ajit Doval urges youth to make India great in every aspect - The Indian Express - January 11th, 2026 [January 11th, 2026]
CISA, NSA, and Canadian Cyber Centre update Brickstorm analysis with new Rust-based variants - Industrial Cyber - January 11th, 2026 [January 11th, 2026]
ROVER communication terminals approved for international use by NSA - Military Embedded Systems - January 9th, 2026 [January 9th, 2026]
L3Harris ROVER and TNR systems gain NSA approval enabling secure coalition interoperability - Defence Industry Europe - January 9th, 2026 [January 9th, 2026]
Former NSA insider Kosiba brought back as spy agencys No. 2 - The Record from Recorded Future News - January 9th, 2026 [January 9th, 2026]
Trumps tariff threat to India self-inflicted wound: Former US NSA John Bolton - The Indian EYE - January 9th, 2026 [January 9th, 2026]
NSA Scotland demands support for sheep farmers ahead of Holyrood elections - Farmers Guardian - January 9th, 2026 [January 9th, 2026]
Announcing tariffs for purchasing Russian oil unfortunate: Former US NSA backs closer relationship with India - Punjab News Express - January 9th, 2026 [January 9th, 2026]
NSA Ajit Doval likely to be part of Indian delegation at WEF in Davos - The New Indian Express - January 9th, 2026 [January 9th, 2026]
"A lot of hot air": Former NSA John Bolton on Trump's remarks on possible action beyond Venezuela - ANI News - January 9th, 2026 [January 9th, 2026]
NSA employee sues Trump administration over order on transgender rights and two 'immutable' genders - Yahoo - December 22nd, 2025 [December 22nd, 2025]
NSA employee sues the Trump administration over transgender rights and 'immutable' genders - AP News - December 22nd, 2025 [December 22nd, 2025]
Senior official at Indo-Pacific Command is set to be Trumps pick to lead Cyber Command, NSA - The Record from Recorded Future News - December 22nd, 2025 [December 22nd, 2025]
NSA employee sues the Trump administration over transgender rights and 'immutable' genders - Temple Daily Telegram - December 22nd, 2025 [December 22nd, 2025]
Potential NSA, Cyber Command leader nomination transmitted to Senate - Nextgov/FCW - December 22nd, 2025 [December 22nd, 2025]
After Eight Months, White House Names Nominee To Head NSA And CYBERCOM - Defense Daily - December 22nd, 2025 [December 22nd, 2025]
Fubara Hosts NSA, Says Tinubu Happy With Rivers Governor - TVC News - December 22nd, 2025 [December 22nd, 2025]
CISA, NSA warn of Chinas BRICKSTORM malware after incident response efforts - The Record from Recorded Future News - December 10th, 2025 [December 10th, 2025]
CISA and NSA Warn of BRICKSTORM Malware Attacking VMware ESXi and Windows Environments - CybersecurityNews - December 10th, 2025 [December 10th, 2025]
NSA, CISA, and Others Release Guidance on Integrating AI in Operational Technology - National Security Agency (.gov) - December 4th, 2025 [December 4th, 2025]
NSA has met 2,000-person workforce reduction goal, people familiar say - Nextgov/FCW - December 4th, 2025 [December 4th, 2025]
NSA Doval, Thai Foreign Minister Phuangketkeow discuss maritime security, threats of online scams - The Indian EYE - December 4th, 2025 [December 4th, 2025]
NSA Doval, Thai FM discuss maritime security, threats of online scams - Awaz The Voice - December 4th, 2025 [December 4th, 2025]
All-clear issued about 2 hours after NSA Naples schools evacuated over potential threat - Stars and Stripes - November 18th, 2025 [November 18th, 2025]
'Dhurandhar': R Madhavan reveals Aditya Dhar's little trick that perfected his NSA-inspired look for the - The Times of India - November 18th, 2025 [November 18th, 2025]
Army officer with Indo-Pacific experience emerges as potential Cyber Command, NSA pick - The Record from Recorded Future News - November 18th, 2025 [November 18th, 2025]
NSA Dr Rahman to attend Security Conclave in New Delhi - United News of Bangladesh - November 18th, 2025 [November 18th, 2025]
Man claims NSA told him to shatter glass at AT&T building with hatchet, Nashville police say - WSMV - November 18th, 2025 [November 18th, 2025]
How the heartbreaking lack of a confirmed leader is impacting CYBERCOM and NSA - Breaking Defense - November 7th, 2025 [November 7th, 2025]
Goa invokes NSA for three months to tackle anti-socials - The Times of India - November 7th, 2025 [November 7th, 2025]
CISA, NSA and other unveil security blueprint to harden Microsoft Exchange servers - Homeland Preparedness News - November 7th, 2025 [November 7th, 2025]
NSA Shares Q3 Revenue Results Below Expectations - GuruFocus - November 7th, 2025 [November 7th, 2025]
Filipinos aware of civilian supremacy over military NSA Ao - Philippine News Agency - October 28th, 2025 [October 28th, 2025]
Sonam Wangchuk says his words were twisted to justify his NSA detention - The Statesman - October 26th, 2025 [October 26th, 2025]
Nokia and stc pioneer the first commercial 5G NSA Cloud RAN deployment in the MEA region - ZAWYA - October 26th, 2025 [October 26th, 2025]
China accuses NSA of multi-year hack targeting its national time systems - Nextgov/FCW - October 23rd, 2025 [October 23rd, 2025]
Cybersecurity News: AWS outage, NSA hacking accusations, High risk WhatsApp automation - CISO Series - October 23rd, 2025 [October 23rd, 2025]
Hackers Say They Have Personal Data of Thousands of NSA and Other Government Officials - Homeland Security Today - October 23rd, 2025 [October 23rd, 2025]
AWS outage, NSA hacking accusations, High risk WhatsApp automation - LinkedIn - October 23rd, 2025 [October 23rd, 2025]
Palestinian President Mahmoud Abbas: No Concessions Were Made In The Oslo Accords 1.85 Million Palestinians Returned To Their Homeland;... - October 23rd, 2025 [October 23rd, 2025]

July 30th, 2023

No comments yet

Comments are closed.

Mediaboss Marketing

Preventing Web Application Access Control Abuse – CISA

About

Pages

Categories

Media Sites

Recommended Sites

Archives