Don't Use Insecure Direct Object References
Applications often use names, identifiers, or keys of objects when generating web pages. Sometimes they forget to validate the user's access to a specific object. This becomes a problem when an authenticated user can still reach objects that aren't supposed to be accessible to them, simply by knowing or guessing the keys of other objects.
This is similar to the missing path validation issues we discussed earlier, except that it applies to dynamically generated pages. Let's look at an in-memory database, db, which stores the user data. Users can log in and see their data via the settings page at /settings/:id:
// Middleware to validate that ...