Description

Insecure Direct Object Reference (IDOR) is a class of vulnerability in which an attacker reaches objects they are not meant to access (other users' records, files, or pages) simply by changing an identifier in a request, such as a numeric primary key in a URL or form field. It results from a combination of missing or insufficient per-object access control and excessive trust in the client: identifiers the client can freely alter are taken at face value, and the server never asks whether this particular user may act on that particular object.

Insecure Direct Object References can be found throughout the TaskManager source code. Straightforward examples appear in most view functions that create, edit, or delete notes, tasks, or projects: they look the object up by the id taken from the URL and act on it without checking that the requesting user is authorized to perform that action on that object. The affected functions are labeled throughout the source code.

The example below is the view function for deleting a task that belongs to a project. Note that the only check performed is that the task belongs to the project named in the URL; nothing ties either id to the user making the request, so any logged-in user who can guess a project_id/task_id pair can delete that task.

def task_delete(request, project_id, task_id):
    # Both ids come straight from the URL and are trusted as-is.
    proj = Project.objects.get(pk = project_id)
    task = Task.objects.get(pk = task_id)
    # These None checks never fail: Model.objects.get() raises DoesNotExist
    # rather than returning None, so a bad id produces an error page instead.
    if proj != None:
        # The task is only checked against the project, never against request.user.
        if task != None and task.project == proj:
            task.delete()

    return redirect('/taskManager/' + project_id + '/')

In each view that reads from or writes to the database, verify that the requesting user is both authenticated and authorized for the specific object before acting on it. Django provides building blocks for this: the login_required decorator and request.user.is_authenticated (a method, user.is_authenticated(), in Django versions before 1.10 and a property since), and user.has_perm('app_label.codename') for permission checks. Keep in mind that has_perm answers "may this user do X at all", not "may this user do X to this row"; object-level authorization still needs a query that ties the record to the user, for example looking up the task through its project and confirming the user is assigned to that project. django.nV already does part of this in some of its view functions, including manage_tasks and manage_projects.
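The following is an added example, not code from django.nV: a framework-free model of the task_delete view beside a hardened version that performs the checks described above. The dataclasses and the in-memory Store are constructed stand-ins for the ORM objects (the users_assigned relation on Project is assumed to mirror the project's many-to-many assignment of users), so the file runs without Django or a database.

```python
from dataclasses import dataclass, field


class NotFound(Exception):
    """Maps to HTTP 404 in a real view."""


class Forbidden(Exception):
    """Maps to HTTP 403 (or a redirect to login) in a real view."""


@dataclass(frozen=True)
class User:
    id: int
    is_authenticated: bool = True


@dataclass
class Project:
    id: int
    # Assumed: ids of the users assigned to the project (a many-to-many in the ORM).
    users_assigned: set = field(default_factory=set)


@dataclass
class Task:
    id: int
    project_id: int


class Store:
    """In-memory stand-in for Model.objects.get(); raises NotFound like DoesNotExist."""

    def __init__(self, projects, tasks):
        self.projects = {p.id: p for p in projects}
        self.tasks = {t.id: t for t in tasks}

    def get_project(self, pk):
        if pk not in self.projects:
            raise NotFound(f"project {pk}")
        return self.projects[pk]

    def get_task(self, pk):
        if pk not in self.tasks:
            raise NotFound(f"task {pk}")
        return self.tasks[pk]


def task_delete_vulnerable(store, user, project_id, task_id):
    """Same logic as the original view: the ids are trusted and `user` is never consulted."""
    proj = store.get_project(project_id)
    task = store.get_task(task_id)
    if task.project_id == proj.id:
        del store.tasks[task_id]
        return "deleted"
    return "ignored"


def task_delete_hardened(store, user, project_id, task_id):
    """The same operation with the missing checks, in order: who is calling,
    whether they may act on the parent project, and whether the task really
    belongs to that project."""
    if not user.is_authenticated:
        raise Forbidden("login required")
    proj = store.get_project(project_id)
    if user.id not in proj.users_assigned:
        raise Forbidden(f"user {user.id} is not assigned to project {project_id}")
    task = store.get_task(task_id)
    # A task id from another project is reported as not found, not as forbidden,
    # so the response does not confirm that the foreign id exists.
    if task.project_id != proj.id:
        raise NotFound(f"task {task_id} in project {project_id}")
    del store.tasks[task_id]
    return "deleted"


def outcome(view, *args):
    """Run a view and report its result as a string so outcomes can be compared."""
    try:
        return view(*args)
    except (NotFound, Forbidden) as exc:
        return type(exc).__name__


def fresh_store():
    """Constructed sample data: user 1 is assigned to project 1, user 2 to project 2."""
    return Store([Project(1, {1}), Project(2, {2})], [Task(10, 1), Task(20, 2)])


if __name__ == "__main__":
    alice, bob = User(1), User(2)
    print("vulnerable, bob deletes alice's task:",
          outcome(task_delete_vulnerable, fresh_store(), bob, 1, 10))
    print("hardened,   bob deletes alice's task:",
          outcome(task_delete_hardened, fresh_store(), bob, 1, 10))
```

In a real Django view the same three steps collapse into a decorator plus one scoped query: require login, then fetch the task with a filter that joins it to the project and the project to request.user, so that a task outside the caller's projects simply does not resolve.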

In general, user access must always be checked before any information is added to or changed in the database, and the check must be against the specific object, not merely whether the user is logged in. Don't assume that because a view is not linked from the interface it won't be found: URL patterns are guessable, and anyone watching their own traffic through a proxy sees exactly how the ids are formed.
Do any of these project update calls even check whether I am assigned to the project?

Try modifying ID values in requests made to the application. It may reveal something about how the methods operate. This is typically much easier with an intercepting proxy such as Burp Suite or Fiddler, especially for POST requests, whose ids are not visible in the address bar. The cleanest test is differential: log in as two accounts, capture a request that works for the first account, replay it from the second account's session, and compare the responses.
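The probe below is an added example, not a tool shipped with django.nV: it automates the differential test just described. send(label, path) is any callable returning an HTTP status code; http_sender builds one from urllib for a live target, and fake_app is a constructed stand-in for the application that the test runs against offline. The URL template is an assumption about the route layout, not taken from the project; check the real urls.py before pointing this at an instance, and aim it at a read or edit view rather than a delete view, since a vulnerable delete really deletes.

```python
import urllib.error
import urllib.request

SUCCESS = range(200, 400)  # 2xx and 3xx: the app acted, or redirected after acting


def http_sender(base_url, cookies):
    """Build send(label, path) for a live target. `cookies` maps a session label
    ("owner", "other") to the Cookie header of that logged-in account."""
    def send(label, path):
        req = urllib.request.Request(base_url + path, headers={"Cookie": cookies[label]})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send


def probe_idor(send, path_template, owned_ids, owner="owner", other="other"):
    """Differential access test. For each (project_id, task_id) belonging to
    `owner`, request it as `owner` (baseline) and then as `other`; report the
    paths where the stranger gets the same success class as the owner."""
    findings = []
    for project_id, task_id in owned_ids:
        path = path_template.format(project_id=project_id, task_id=task_id)
        baseline = send(owner, path)
        if baseline not in SUCCESS:
            continue  # the owner cannot reach it either, so there is nothing to compare
        foreign = send(other, path)
        if foreign in SUCCESS:
            findings.append({"path": path, "owner": baseline, "other": foreign})
    return findings


def fake_app(authorized):
    """Constructed stand-in for the target: 302 on success (the original view
    redirects after acting), 403 when refused, 404 for an unknown id. With
    authorized=False it behaves like the unchecked view from the page."""
    owned_by_owner = {("1", "10"), ("1", "11")}

    def send(label, path):
        parts = path.strip("/").split("/")
        key = (parts[1], parts[2])  # assumed layout: /taskManager/<project_id>/<task_id>/...
        if key not in owned_by_owner:
            return 404
        if authorized and label != "owner":
            return 403
        return 302
    return send


TEMPLATE = "/taskManager/{project_id}/{task_id}/view/"  # assumed route, not from the project


if __name__ == "__main__":
    ids = [("1", "10"), ("1", "11"), ("1", "99")]
    print("unchecked app:", probe_idor(fake_app(False), TEMPLATE, ids))
    print("hardened app: ", probe_idor(fake_app(True), TEMPLATE, ids))
```

Because the original view redirects even when it silently ignores a request, a 302 for the stranger only says the server did not refuse; confirm a flagged path by checking the application state afterwards (is the task still there?) rather than trusting the status code alone.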