Deny Rule Group – (default) Insecure Direct Object Reference in Parameter Value

IDOR_PARAM_VALUE

  • The group contains insecure direct object reference (IDOR) deny rules and file inclusion deny rules for parameter values.
  • The security level Basic prevents directory traversal and injection of certain critical files (e.g. /etc/passwd).
  • The security level Standard prevents injection of known top level directory paths (e.g. /etc/) and critical protocol schemes (e.g. "php://").
  • The security level Strict further prevents injection of file paths with critical suffixes (e.g. .exe), any absolute Windows or UNIX directory path, any protocol scheme, and any path in universal naming convention (UNC) format.
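The three security levels above, modelled as cumulative regex checks over a parameter value. This is an added example, not Airlock's own rule definitions: the rule ids are the ones listed on this page, but the patterns, the directory and scheme lists, the ABS_PATH id for the "any absolute path" check, and the assumption that each level also applies the checks of the levels below it are all this example's own.

```python
import re

# Added example, not Airlock's own rule definitions: the three security levels
# modelled as cumulative checks (each level also applies the checks of the
# levels below it, which is an assumption of this example).
# Rule ids come from the page; the patterns and the word lists are assumed and
# only cover the examples the page mentions.
LEVELS = ("Basic", "Standard", "Strict")

CHECKS = [
    # (rule id, lowest level at which the check applies, pattern)
    ("DOR_010a", "Basic",    re.compile(r"(^|[\\/])\.\.([\\/]|$)")),        # ../ or ..\ traversal
    ("DOR_004a", "Basic",    re.compile(r"^/etc/passwd$")),                 # critical system file
    ("DOR_002a", "Standard", re.compile(r"^/(etc|usr|var|tmp)(/|$)")),      # known UNIX top-level dirs
    ("DOR_009a", "Standard", re.compile(r"^[a-z]:\\(windows|program files)(\\|$)", re.I)),  # Windows
    ("DOR_013a", "Standard", re.compile(r"^(php|file|data)://", re.I)),     # critical schemes
    ("DOR_011a", "Strict",   re.compile(r"\.(exe|dll|bat)$", re.I)),        # critical suffixes
    ("DOR_008a", "Strict",   re.compile(r"^\\\\[^\\]+\\")),                 # UNC path \\host\share
    ("DOR_014a", "Strict",   re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),   # any protocol scheme
    ("ABS_PATH", "Strict",   re.compile(r"^(/|[a-z]:[\\/])", re.I)),        # any absolute path (assumed id)
]


def matched_rules(value: str, level: str) -> list:
    """Return the ids of all checks that reject `value` at `level`."""
    rank = LEVELS.index(level)
    return [rid for rid, lowest, pat in CHECKS
            if LEVELS.index(lowest) <= rank and pat.search(value)]


def is_denied(value: str, level: str) -> bool:
    return bool(matched_rules(value, level))


if __name__ == "__main__":
    # Constructed sample parameter values; shows how each level widens the deny set.
    for v in ("invoice-2024.pdf", "../../etc/passwd", "/etc/passwd",
              "/var/log/app.log", "php://filter", "setup.exe",
              r"\\fileserver\share\doc.txt"):
        print(f"{v!r:32}", {lvl: matched_rules(v, lvl) for lvl in LEVELS})
```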

Included Deny Rules

For each rule, the number of security levels (Basic, Standard, Strict) at which the rule is enabled:

(default 07) Value directory traversal rule: no level marked
(default DOR_002a) Absolute UNIX path - known top level directory in parameter value: enabled at 2 of 3 levels
(default DOR_003a) Absolute UNIX path - environment variables in parameter value: enabled at 2 of 3 levels
(default DOR_004a) Absolute UNIX path - critical system files in parameter value: enabled at 1 of 3 levels
(default DOR_005a) Critical application files in parameter value: enabled at 2 of 3 levels
(default DOR_006a) Absolute UNIX path - critical application files in parameter value: enabled at 1 of 3 levels
(default DOR_008a) Universal Naming Convention in parameter value: enabled at 1 of 3 levels
(default DOR_009a) Absolute Windows path - common top level directories in parameter value: enabled at 2 of 3 levels
(default DOR_010a) Directory traversal for Windows and UNIX in parameter value: enabled at all 3 levels
(default DOR_011a) Critical file suffixes in parameter value: enabled at 1 of 3 levels
(default DOR_013a) Critical protocol schemes in parameter value: enabled at 1 of 3 levels
(default DOR_014a) Protocol scheme in parameter value: enabled at 1 of 3 levels
(default DOR_015a) Directory traversal or absolute path as parameter in URL in parameter value: enabled at 2 of 3 levels