Joint US-Australia Cybersecurity Advisory Warns About Web App Vulnerabilities

A joint advisory from U.S. and Australian cybersecurity agencies has identified common security vulnerabilities in websites and web apps that can be easily exploited and abused in large-scale data breaches. The National Security Agency and the Cybersecurity and Infrastructure Security Agency partnered with the Australian Cyber Security Centre on the cybersecurity advisory titled “Preventing Web Application Access Control Abuse,” which was released Thursday.

The advisory pointed out that vulnerabilities called insecure direct object references can enable malicious hackers to access, modify or delete sensitive data on servers lacking proper security checks. According to the advisory, hackers could attack IDOR in any web application such as those deployed in software-as-a-service for cloud-based applications or infrastructure-as-a-service used for cloud-based computing resources, the NSA said.

“These commonly exploited vulnerabilities are difficult to mitigate once software is operating in a customer network,” NSA Cybersecurity Technical Director Neal Ziring said, adding that developers have to be aware of IDORs.

For web application developers, the CSA suggests preventive measures, such as following secure coding practices by using indirect reference maps or input parameter normalization and verification.

Suggested mitigations in the CSA for end-user organizations include selecting web applications with a demonstrated commitment to secure-by-design-and-default principles.