惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Heimdal Security Blog
A
Arctic Wolf
K
Kaspersky official blog
V
Vulnerabilities – Threatpost
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
L
LINUX DO - 热门话题
MongoDB | Blog
MongoDB | Blog
T
Threat Research - Cisco Blogs
D
Docker
爱范儿
爱范儿
T
Tenable Blog
C
Check Point Blog
B
Blog
C
Cisco Blogs
Vercel News
Vercel News
The Cloudflare Blog
T
Threatpost
NISL@THU
NISL@THU
T
Tor Project blog
V2EX - 技术
V2EX - 技术
P
Palo Alto Networks Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
T
Tailwind CSS Blog
G
GRAHAM CLULEY
P
Privacy & Cybersecurity Law Blog
SecWiki News
SecWiki News
博客园 - 司徒正美
S
Security @ Cisco Blogs
GbyAI
GbyAI
S
Secure Thoughts
Microsoft Security Blog
Microsoft Security Blog
The Register - Security
The Register - Security
Recorded Future
Recorded Future
Cloudbric
Cloudbric
Webroot Blog
Webroot Blog
N
News and Events Feed by Topic
Y
Y Combinator Blog
博客园_首页
T
Troy Hunt's Blog
The Hacker News
The Hacker News
雷峰网
雷峰网
Google DeepMind News
Google DeepMind News
U
Unit 42
AWS News Blog
AWS News Blog
PCI Perspectives
PCI Perspectives
V
Visual Studio Blog
博客园 - 聂微东
有赞技术团队
有赞技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell

NodeJS Security & NodeJS Secure Coding's Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud Argument Injection vulnerability in git-blame@1.4.0 Argument Injection vulnerability in `gits@0.1.8` Command Injection vulnerability in `@fab1o/git@1.4.0` Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments Command Injection vulnerability in `git-q@0.0.3` Command injection vulnerability via unsanitized CLI arguments in touxing/fast-git-clone Command Injection vulnerability in `willitmerge@0.2.1` A Directory Traversal Vulnerability I found in Mastra AI Frameworks MCP Server Mastering NPX: A Cheatsheet for npm and Node.js Power Users Mitigate Supply Chain Security with DevContainers and 1Password for Node.js Local Development The Tale of the Vulnerable MCP Database Server Bad Security Defaults in Mastra AI Frameworks Templates SQL Injection and Bypassing "Read-Only" Mode in Xata's MCP Server Security Advisory for qix npm supply-chain compromise affecting debug and billions of weekly download users How to Mitigate SQL Bypass in MCP Servers Enhancing MCP Server Security: A Guide to Using execFile Argument Injection Vulnerability in ggit How to Bypass Access Control in PostgreSQL in Simple PSQL MCP Server for SQL Injection Command Injection Flaws in ggit: Unveiling a Vulnerability Command Injection Vulnerability in Create MCP Server STDIO Tool Exposes System Monitoring Functions GitHub Kanban MCP Server Command Injection Vulnerability Threatens Developer Workflows Critical Command Injection Flaw in iOS Simulator MCP Server Exposes Development Environments Command Injection Vulnerability Discovered in Codehooks MCP Server: A Critical Security Analysis SSRF Shenanigans in safe-axios: Redirects Open the Backdoor SSRF Vulnerability in safe-axios: Unintended Public Address Classification Bypassing SSRF Safeguards in ssrfcheck: A Case of Incomplete Denylists Don't Be Fooled by Multicast, SSRF Bypass in private-ip Node.js Authentication from Lucia to Better Auth Bypassing SSRF Protection in nossrf: When Your Safeguards Become Loopholes Vue CLI Security Fix to Mitigate NPM Binary Planting Node.js API Security Vulnerabilities with Path Traversal in files-bucket-server Will You Accept These GPT 4o Secure Coding Recommendations? Command Injection Vulnerability in interactive-git-checkout npm package An Introduction to SSRF Bypasses and Denylist Failures Disclosing a Command Injection Vulnerability in `git-checkout-tool` Prisma Raw Query Leads to SQL Injection? Yes and No Flawed Git Promises Library on npm Leads to Command Injection Vulnerability Regex Gone Wrong: How parse-duration npm Package Can Crash Your Node.js App How I found an XSS in the Nuxt MDC Library for Markdown Content Holes in the Safety Net: Bypassing SSRF Protection in safe-axios How to Parse URLs from Markdown to HTML Securely? NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages Where to find npm vulnerabilities? How to Hunt for IDOR Vulnerabilities To Exploit Security Misconfiguration? How to Avoid JWT Security Mistakes in Node.js Can a Node.js Secure Code Review Find Future Vulnerabilities? The Okta bcrypt Security Incident and The Bun vs Node.js Angle in Secure By Design NodeJS Path Traversal Vulnerability Scanner Do not use secrets in environment variables and here's how to do it better How to use npm audit How to use yarn audit Raw SQL Queries are Actually Better for Security Than ORMs? Node API Security Is Node.js Secure? URL Regex Validation: what can go wrong? Uncovering a Prototype Pollution Regression in the core Node.js project Deno CLI Vulnerability Repeats npm mistakes: CVE-2024-37150 Security skills for JavaScript developers Understanding and Preventing Prototype Pollution in Node.js How to protect against a security breach in React Server Components IDOR Vulnerability: What is it and how to prevent it? The security vulnerability of serving images via a route as opposed to static middleware in Node.js Why is it considered a bad practice to write raw SQL commands? JS Security Concepts for JavaScript Developers Secure Coding Practices in Node.js Against Path Traversal Vulnerabilities Secure JavaScript Coding Practices Against Command Injection Vulnerabilities To IDOR or Not to IDOR: Insecure Direct Object Reference in JavaScript Applications Explained npm vulnerabilities: reviewing the security of your dependencies Disclosing code injection vulnerabilities in safe-eval-2 npm package Introducing Node.js Security Permissions Model, Threat Model, and Security Releases Common Node.js Security Issues and How to Mitigate Them How JavaScript developers should embrace npm security The XZ backdoor CVE-2024-3094: a JavaScript perspective Node.js Security Best Practices The Case for Node.js Secure Configuration Protecting Against Common Node.js Vulnerabilities Input Validation Security Best Practices for Node.js A Node.js Vulnerability Scanner to Avoid Security Risks of EOL Runtime Versions JavaScript Security Issues in Node.js Applications OWASP Node.js Authentication, Authorization and Cryptography Practices OWASP Node.js Best Practices Guide North Korea malware on npm and Ledger connect-kit crypto heist 10 Best Practices for Secure Code Review of Node.js code Node.js and OWASP Top Ten Command Injection: Don't Let Your App Go 'BOOM' Secure Code Review Tips to Defend Against Vulnerable Node.js Code Destroyed by Dashes: How Two Hyphens Cause Argument Injection Vulnerability in blamer npm Package Securing Your Node.js Apps by Analyzing Real-World Command Injection Examples An Introduction to Command Injection Vulnerabilities in Node.js and JavaScript
Secure JavaScript Coding to Avoid Insecure Direct Object References (IDOR)
2024-01-13 · via NodeJS Security & NodeJS Secure Coding's Blog

Insecure direct object references (IDOR) are an important web application security concept that every developer should understand. IDOR vulnerabilities allow attackers to access unauthorized data and functionality by manipulating object identifiers used in web applications. In this post, I’ll explain IDORs and provide examples to help you prevent these issues in your Node.js and JavaScript server-side applications.

What is an Insecure Direct Object Reference?

An insecure direct object reference occurs when a web application uses object identifiers directly to access backend database records or application functionality without any access control checks.

For example, consider a web app that displays user information based on the user ID passed in the URL, like this:

https://app.com/users?user_id=13579

You can also imagine a similar vulnerable Node.js app that uses the user ID to retrieve data from a database:

app.get('/users/:id', (req, res) => {

const user = db.users.find(req.params.id);

res.render('user', { user });

});

If the application doesn’t verify that the current user is authorized to view details for user 13579, an attacker could simply modify the user_id parameter to view other users’ private data.

This is known as an IDOR vulnerability and allows attackers to access unauthorized data. It can enable serious attacks like horizontal and vertical privilege escalation.

Real-World Example: @clerk/nextjs IDOR Vulnerability

IDOR vulnerabilities were recently discovered in popular JavaScript authentication library @clerk/nextjs. Versions between 4.7.0 and 4.29.3 were affected.

The issue was found in the auth() method used in Clerk’s Next.js router handlers and getAuth() method in page route handlers. These returned user authentication objects without properly verifying the calling user’s identity and permissions.

This could allow:

  • Unauthorized access if attackers could guess other user IDs
  • Privilege escalation by modifying the user ID to a higher privilege account

The methods assumed caller identity based only on the passed IDs without additional checks. By not verifying if callers were authorized to access other user data, the methods enabled IDOR attacks.

The vulnerability has been patched in @clerk/nextjs@4.29.3 by improving input validation and adding rate limiting protections.

This real-world vulnerability highlights why validating caller identity and permissions is critical when exposing user identifiers in applications and APIs.

As a JavaScript developer, be aware of this issue. Follow authorization best practices if your code exposes database record IDs or other sensitive object identifiers. Use framework protections where possible or implement your own access control checks in custom code.

To take your knowledge to the next level, be sure to check out my popular Secure Coding in Node.js book series.

More vulnerable IDOR Scenarios to consider

To better understand how IDOR issues can arise, consider these common examples:

Exposing record IDs in URLs:

https://app.com/record?id=1234

Attackers can modify ‘id’ to access other records.

Another use-case where IDORs pose a problem is by referencing user uploads on filesystem:

https://app.com/static/uploads/13579.png

The file name contains a user ID - attackers can access other users’ files. Or for example, imagine that the web application generates predictable URLs for user profile pictures based on user IDs.

Should I Use Sequential IDs in My Database?

Using sequential, auto-incrementing IDs in database tables is standard practice. However, as we saw above, these IDs can introduce security issues if used improperly in web applications.

Kent C. Dodds asked on Twitter:

Please give me one good reason to use serial/auto-incrementing number IDs in a database table.

— Kent C. Dodds 🌌 (@kentcdodds) January 13, 2024

So now you know:

  • You CAN use auto incrementing IDs as primary keys in database tables. They offer performance benefits and preserve data integrity.

  • You SHOULD NOT expose these unprotected IDs in client-facing applications. Instead, use authorization checks, access control lists, hashed IDs, or indirect reference maps to securely call data.

So sequential IDs themselves are not insecure - the vulnerability arises from directly exposing them to users, which many developers might do without realizing the security implications.

IDOR Prevention Tips

Here are some tips to avoid introducing IDOR issues in your web applications:

  • Leverage authorization frameworks and services - IDORs fall under the OWASP Top 10 category of Broken Access Control. Use authorization frameworks like Permit.io to implement access control checks and prevent unauthorized access.
  • Always implement access control checks - Verify if the current user has permission to access any requested objects on the server-side before returning data.
  • Hash IDs exposed to clients - Hash IDs before adding them to URLs or API responses users can access. This preserves back-end reference without exposing real IDs. In general, avoid exposing and basing any functionality on database IDs which are incremental in nature, and prefer UUIDs or other non-sequential identifiers.
  • Use indirect reference maps - Instead of numerical IDs, reference objects by less guessable UUIDs or other tokens. Map these to internal IDs on the server.

We see that IDOR issues commonly occur due to relying on predictable identifiers without verification. Be vigilant about adding authorization checks when exposing database keys or other identifiers.

I hope this gives you a solid understanding of insecure direct object reference vulnerabilities!