How to Fix Insecure Direct Object Reference Vulnerability

Many times application references an object (files) to generate web pages. A simple example is when a user requests his mobile bill and the application fetches it from the server and displays on his screen. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw.

An attacker can easily manipulate parameter values and get access to other users details

If you must expose direct references to database structures, ensure that SQL statements and other database access methods only allow authorized records to be shown:

int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
User user = (User)request.getSession().getAttribute( "user" );
String query = "SELECT * FROM table WHERE
     cartID=" + cartID + " AND userID=" + user.getID();

Also, OWASP’s ESAPI includes both sequential and random access reference maps that developers can use to eliminate direct object references.