Slideshow: Five common Web application vulnerabilities and mitigations

By

Brandan Blevins

5/6

Got insecure direct object references? Be random, unpredictable

Source: Thinkstock

Insecure direct object references are another common security weakness in Web applications. They are the result of application developers coding under the assumption that rules will always be followed by users. In this case, an attacker may be able to guess a user's ID and resubmit a data request if that user's account ID is shown in the page URL or in a hidden field. Such sensitive data is often incorrectly exposed in URLs, hidden form fields, drop-down list boxes, JavaScript code and so on.

To prevent attackers from taking advantage of insecure direct object references, applications should use random, unpredictable IDs and file and object names. The actual names of objects should also never be exposed, and when a user tries to access a sensitive file, their authorization to do so should be verified every time, not just once.

View All Photo Stories

SearchCloudSecurity

Evaluate cloud database security controls, best practices
If your company is using a cloud database provider, it's critical to stay on top of security. Review the security features ...
All about cloud-native application protection platforms
The cloud-native application protection platform, or CNAPP, is the latest in a slew of cloud security acronyms. Learn what it is ...
Why zero-trust models should replace legacy VPNs
Many organizations use legacy VPNs to secure their networks, especially in the work-from-home era. Expert Pranav Kumar explains ...

SearchNetworking

Aruba introduces the distributed data center switch
Aruba's CX distributed switch, available in January, provides security through the embedded Pensando ASICs. Services powered by ...
Static IP vs. dynamic IP addresses: What's the difference?
Static IP addresses are typically used for servers, routers and switches. Dynamic IP addresses, however, are commonly used for ...
4 categories of network monitoring
Network teams should routinely monitor the states of their networks. The type of network monitoring strategy used depends on the ...

SearchCIO

14 potential costs of shadow IT
The use of unsanctioned software can cost enterprise -- a lot -- and not always in obvious ways. Here's a look at shadow IT costs...
5 ways to improve the CIO-CISO relationship
CIOs and CISOs need to work together for the benefit of the whole organization. To break the mold of hostility, C-suite leaders ...
Litigants face tough road with antitrust lawsuits
As big tech companies like Google and Facebook fight antitrust lawsuits in court, experts are divided on whether core antitrust ...

SearchEnterpriseDesktop

Apple ditches hated MacBook Pro features, adds M1 chips
The new MacBook Pro laptops come in 14-and 16-inch models, return ports that were missing in the past few iterations, and add ...
Windows 11 bugs cause app slowdown on AMD chips
The flaws can slow application performance by as much as 15% on high-performance PCs for gaming and other demanding software. AMD...
Top 7 Chromebooks for business use cases
Chromebooks are high-performing thin clients with great ease-of-management features, but the market has so many options that it's...

SearchCloudComputing

Break down the different AWS Graviton2 instance types
AWS Graviton2 processors power a range of EC2 instance types. To select the right one, consider an application's specific compute...
3 best practices for Amazon S3 cost optimization
Everything a business runs in the cloud costs money, and AWS S3 storage is no exception. Smart AWS users understand how to adjust...
Google adds hardware flexibility to distributed cloud
Google Distributed Cloud Edge, available in preview, takes the company's cloud computing infrastructure to the private data ...

ComputerWeekly.com

Vast boosts QLC flash offer with ransomware-proof snapshots
Vast majors on QLC flash bulk storage with 3D Xpoint cache to smooth out traffic into sequential flows
UK government launches information assurance unit for defence
The Military Systems Information Assurance is aimed at developing alternatives to cryptology
UK government allocates £17.5m to farming innovation programme
Farming innovation initiative aims to drive productivity and sustainability among farmers, growers and other businesses

Close