Avoid IDOR bugs PART II
As developers, we are responsible for the following:
- Write clean, understandable, and maintainable code.
- Make code that speaks for itself. //AKA no comments
- Naming
stuff👎 variables 👍 properly
Security-First Mindset
Let us try to keep at all times thinking like an attacker.
Parameterized Queries: When interacting with databases or file systems, parameterized queries and prepared statements usage help prevent injection vulnerabilities, which can indirectly lead to IDOR issues.
Context-Based Authorization: Consider the context of the user's actions and validate whether the request aligns with the user's role or privileges. Developers should avoid relying solely on client-side checks and perform server-side validation. It takes only a minute to stop and think about what this user is trying to accomplish. Let us create the habit of being security-conscious.
Test and Security Review: Conduct regular security assessments and code reviews to identify and address potential security flaws, vulnerabilities, and other security issues. Talk with your peers, ask questions, and most importantly take the initiative to put the question on the table.
Error Handling: Implement informative and user-friendly error messages to avoid revealing sensitive information that attackers could use to exploit flaws. Now, error codes are a valuable way to debug and to improve user experience, however, there are also extraordinary resources for hackers. Keep this in mind when writing your code.
Bugs will always be there, it is our job to spot them early on the application’s life cycle and contain them.
Take a moment to consider the task at hand. Stay alert and security-focused to identify issues early. Only takes a few minutes.
Happy bug-hunting!
References
Yaworski, P. (2019). Real-world bug hunting: A field guide to web hacking. No Starch Press.
Kohnfelder, Loren. (2022). Designing Secure Software : A Guide for Developers. No Starch Press.