Details

Alert Id: 10057
Alert Type: Passive
Status: release
Risk: Informational
CWE: 284
WASC: 2
Tags: OWASP_2017_A05, OWASP_2021_A01, WSTG-V42-ATHZ-04

Summary

A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused.
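The kind of comparison this passive check performs, as an added illustration written for this page (it is not ZAP's UsernameIdorScanRule code): it assumes a list of known usernames and a small set of digest algorithms, hashes each username, and looks for those digests in a constructed response body. Matching is bounded by non-hex characters so a digest buried inside a longer hex run is not reported.

```python
import hashlib
import re

# Digest algorithms compared against the response. Assumption for this
# illustration; the real rule's algorithm list may differ.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def username_hashes(username: str) -> dict:
    """Return {hex_digest: algorithm} for one username over ALGORITHMS."""
    data = username.encode("utf-8")
    return {hashlib.new(alg, data).hexdigest(): alg for alg in ALGORITHMS}


def find_username_hashes(body: str, usernames) -> list:
    """Scan a response body for hex digests of the given usernames.

    Returns (username, algorithm, digest) tuples in discovery order.
    The body is lower-cased first so upper-case hex output still matches,
    and a hit must be delimited by non-hex characters on both sides to
    avoid flagging a digest that merely appears inside a longer hex string.
    """
    lowered = body.lower()
    hits = []
    for user in usernames:
        for digest, alg in username_hashes(user).items():
            pattern = r"(?<![0-9a-f])" + re.escape(digest) + r"(?![0-9a-f])"
            if re.search(pattern, lowered):
                hits.append((user, alg, digest))
    return hits


# Constructed sample response: an avatar path built from md5("alice") and a
# profile link built from sha256("bob"), the pattern this rule is meant to spot.
SAMPLE_RESPONSE = (
    '{"user": "alice", "avatar": "/img/' + hashlib.md5(b"alice").hexdigest()
    + '.png", "profile": "/profile/' + hashlib.sha256(b"bob").hexdigest() + '"}'
)

if __name__ == "__main__":
    for user, alg, digest in find_username_hashes(SAMPLE_RESPONSE, ["alice", "bob", "carol"]):
        print(f"{alg}({user}) found in response: {digest}")
```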

Solution

Use per-user or per-session indirect object references (create a temporary mapping at the time of use), or ensure that each use of a direct object reference is tied to an authorization check confirming that the user is authorized for the requested object.

References

Code

org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java