Does SmartClient / SmartGWT handle the "indirect object reference" vulnerability?
The concept is that if a user cannot see something in the app then they should not be able to reference it by ID in any way. For example...
- Given the system has a type Foo with 2 instances, "A" with ID 1 and "B" with ID 2.
- Given User Bob cannot see Foo A.
- User Bob should only see Foo B in an options list.
- AND a request from Bob to associate Foo with ID 1 should be denied.
I can imagine making a DMI that stores IDs for Foo in the user session as requested by Bob. Then a validator could ensure that only Foo IDs that have been given to Bob can be accepted from Bob. Is this a good approach, or does the framework already have something like it?
Reference: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
Thanks!
Chris
SmartClient version: v9.0p_2013-07-11EVAL
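As an added illustration of the Foo/Bob scenario in the question (this is example code, not SmartClient/SmartGWT's own API or DMI; the `owner` field, the `Session` class and the in-memory `FOO` table are assumptions standing in for the application's real visibility rule, server session and data store): it shows the session-allowlist validator the post proposes next to a validator that simply re-evaluates the visibility rule at request time, and where the two differ.

```python
"""Added example, not SmartClient/SmartGWT code: server-side checks that a
client-submitted object ID refers to a record the requesting user may see."""
from dataclasses import dataclass, field

# Constructed sample data: type Foo with two records. "owner" is the assumed
# visibility rule (a user may see only the records they own).
FOO = {
    1: {"id": 1, "name": "A", "owner": "alice"},
    2: {"id": 2, "name": "B", "owner": "bob"},
}


def visible_foo_ids(user):
    """The server-side visibility rule; the single source of truth."""
    return {fid for fid, rec in FOO.items() if rec["owner"] == user}


@dataclass
class Session:
    user: str
    offered: set = field(default_factory=set)  # IDs already shown to this user


def fetch_options(session):
    """The fetch behind the options list; records which IDs were handed out."""
    ids = visible_foo_ids(session.user)
    session.offered |= ids
    return [FOO[i] for i in sorted(ids)]


def validate_offered(session, foo_id):
    """Approach from the question: accept only IDs handed out earlier in this
    session. Fails closed, but rejects legitimate IDs the user has not fetched
    yet (deep link, second tab) and keeps honouring an ID after the user's
    access to it is revoked mid-session."""
    return foo_id in session.offered


def validate_recomputed(session, foo_id):
    """Re-evaluate the visibility rule at request time: the answer does not
    depend on an earlier fetch or on stale session state."""
    return foo_id in visible_foo_ids(session.user)


def associate(session, foo_id, validator=validate_recomputed):
    """The 'associate Foo' request handler; denies before doing any work."""
    if not validator(session, foo_id):
        raise PermissionError(f"{session.user} may not reference Foo {foo_id}")
    return FOO[foo_id]["name"]
```

Whichever validator is used, the check must run inside the server-side handler for every request that carries a Foo ID, not only in the UI that builds the options list.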