Sep 19, 2013; 12:38
Bil Corry
Insecure Direct Object References
For those who attended my talk at LDC on the OWASP Top Ten, during my talk
I mentioned "Insecure Direct Object References" of which one example is
changing the URL so that instead of ?account=123, you change it to
?account=124 and now you're looking at someone else's account. I mentioned
that it's usually a mistake made by newer web programmers.
Anyhow, here's a real-life example. Fine was USD $55,000, on top of paying
for free credit monitoring and having a security audit performed against
their system:
http://www.finextra.com/News/FullStory.aspx?newsitemid=25167&topic=retail
- Bil
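The ?account=123 to ?account=124 mistake described above, alongside the two standard fixes (an ownership check, and per-session indirect references so raw ids never reach the client). This is an added example written for this post, not code from Bil or from the Lasso project; the Account table, user names and handler functions are constructed for illustration.

```python
# Added example, not part of the original post. Sample data is constructed.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Account:
    id: int
    owner: str
    balance: float

# Stand-in for a database table (constructed sample rows).
ACCOUNTS: Dict[int, Account] = {
    123: Account(123, "alice", 1500.0),
    124: Account(124, "bob", 20.0),
}

def _parse_id(raw: str) -> Optional[int]:
    return int(raw) if raw.isdigit() else None

def lookup_vulnerable(params: Dict[str, str], user: str) -> Optional[Account]:
    """The mistake: trusts ?account=<id> and never asks who owns the row."""
    acct_id = _parse_id(params.get("account", ""))
    return ACCOUNTS.get(acct_id) if acct_id is not None else None

def lookup_checked(params: Dict[str, str], user: str) -> Optional[Account]:
    """Fix 1: fetch the row, then enforce that the logged-in user owns it.
    Return the same 'nothing' for a missing row and a foreign row so the
    response does not leak which ids exist."""
    acct = lookup_vulnerable(params, user)
    return acct if acct is not None and acct.owner == user else None

class IndirectRefMap:
    """Fix 2: per-session indirect references. The browser only ever sees
    random tokens; the server maps them back to ids it issued to this user."""
    def __init__(self, user: str):
        self.user = user
        self._by_token: Dict[str, int] = {}
        for acct in ACCOUNTS.values():          # only this user's own rows
            if acct.owner == user:
                self._by_token[secrets.token_urlsafe(8)] = acct.id

    def tokens(self) -> List[str]:
        return list(self._by_token)

    def resolve(self, token: str) -> Optional[Account]:
        acct_id = self._by_token.get(token)     # unknown token -> None
        return ACCOUNTS.get(acct_id) if acct_id is not None else None

def user_session(user: str) -> IndirectRefMap:
    return IndirectRefMap(user)
```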
This message is sent to you because you are subscribed to
the mailing list Lasso
Lasso@lists.lassosoft.com