Insecure Direct Object References


Insecure direct object reference vulnerabilities occur when an application exposes the system names of system resources that it uses and allows an attacker to manipulate these names. If an attacker can change the name of a system resource that is accessed by the application, they can access arbitrary system resources, such as files.

All applications are potentially affected by insecure direct object reference vulnerabilities.


The impact of insecure direct object reference vulnerabilities is that the attacker might be able to access arbitrary system resources of the same type as those exposed by the insecure reference. For example, if the attacker can manipulate the name and path of a file displayed by the application, they will be able to abuse the application to display arbitrary files on the system.

Insecure direct object reference vulnerabilities apply almost exclusively to exposed file system references, but in theory can also describe exposed database element references or any other named system resource, such as a pipe or a network socket. The type of access that the attacker is able to perform depends on the type of operation performed by the vulnerable code – if the vulnerable code reads from an exposed reference, the attacker will be able to read; if the vulnerable code writes to an exposed reference, the attacker will be able to write.


To prevent insecure direct object reference vulnerabilities, use mapping values to access objects and perform access control checks when using system resources.

Application Check

To make sure that insecure direct object reference vulnerabilities are prevented, verify that mapping values are used to access objects and that access control checks are performed when using system resources.

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerabilities.

OWASP Top Threats & Mitigations

This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.

DES 221 OWASP Top Threats & Mitigations

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact for help.

!Have a comment about this article? Send our team an email.