/Code Review/Direct Object Reference in API

Direct Object Reference in API

API endpoint exposes internal object IDs without access control.

HIGHEasy

Vulnerable Codejavascript

1app.get('/api/invoice/:id', async (req, res) => {
2    const invoice = await Invoice.findById(req.params.id);
3    res.json(invoice);
4});

Understanding the Issue

The API returns any invoice by ID without checking if the requesting user should have access. Attackers can enumerate invoice IDs to access confidential business data.

Invoice Enumeration

Attacker iterates through invoice IDs to steal business data

Malicious Input

GET /api/invoice/INV-0001
GET /api/invoice/INV-0002
GET /api/invoice/INV-0003

Impact

✓ Access to all invoices in system
✓ Competitor pricing exposed
✓ Customer lists leaked

Technical Details

Vulnerability Type: Insecure Direct Object Reference
Severity: HIGH
Language: Javascript
CWE: CWE-639
OWASP: A01:2021 - Broken Access Control

Direct Object Reference in API

Understanding the Issue

How Attackers Exploit This

Invoice Enumeration

Finding the Vulnerability(3 hints)

Technical Details

Direct Object Reference in API

Understanding the Issue

How Attackers Exploit This

Invoice Enumeration

Finding the Vulnerability(3 hints)

Technical Details