Add code to prevent users from directly accessing content which should not be visible to the public and prevent an IDOR vulnerability in our content management system.
- [Instructor] In the last movie, we learned about insecure direct object reference, and we saw that our page content is vulnerable. In this movie, we're going to fix it. You'll recall the problem was that we're able to craft a URL that had id equals one, and our application still returns the page content for that page that should be hidden. It should be not visible, but it still returns that to us, even though it's not in the navigation anywhere. We suppressed it from the navigation, but we still were able to make a direct object reference to it, and it's not secure.
We should be hiding it. The solution to that is simply to go in and find the code that's being called. Here you see we're calling find page by id in order to find that page. We pass in an id, called find page id. It doesn't do any kind of checking for visibility. What we want is to take this option that we pass in down here, and add it up here as well. So find page id will also call visibility true. Now we put after the page id because the id is actually required.
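The fix the instructor describes, as an added Python example (not the course's own code, which this page does not show): `find_page_by_id` takes an optional visibility flag, the public controller passes it as true, and a crafted `?id=1` for a hidden page gets a 404 instead of the content, while the admin context still resolves every id. The in-memory page table, record fields and controller names are assumptions made for the demo.

```python
# Added example: a minimal CMS page lookup that enforces visibility when asked.
# The in-memory PAGES table, the records and both controllers are constructed.

PAGES = [
    {"id": 1, "menu_name": "Hidden draft", "visible": False, "content": "Not yet public"},
    {"id": 2, "menu_name": "About", "visible": True, "content": "Public about page"},
]

def find_page_by_id(page_id, visible=False):
    """visible=False (default) is the admin context: any id resolves.
    visible=True is the public context: a hidden page is treated as absent,
    exactly as if the id did not exist, so a crafted id cannot reach it."""
    for page in PAGES:
        if page["id"] != page_id:
            continue
        if visible and not page["visible"]:
            return None
        return page
    return None


def navigation():
    """Public menu; hidden pages were already suppressed here (the original defence)."""
    return [p["menu_name"] for p in PAGES if p["visible"]]


def public_show_page(query):
    """Public controller: the id comes straight from the query string (untrusted)."""
    try:
        page_id = int(query.get("id", ""))
    except ValueError:
        return 404, "Page not found"
    page = find_page_by_id(page_id, visible=True)  # the one-argument fix
    if page is None:
        return 404, "Page not found"
    return 200, page["content"]


def admin_show_page(query):
    """Staff controller (behind login): same lookup, no visibility filter."""
    page = find_page_by_id(int(query["id"]))
    return (200, page["content"]) if page else (404, "Page not found")


if __name__ == "__main__":
    print(navigation())                   # ['About']: the hidden page is not linked
    print(public_show_page({"id": "1"}))  # (404, 'Page not found'): direct reference blocked
    print(public_show_page({"id": "2"}))  # (200, 'Public about page')
    print(admin_show_page({"id": "1"}))   # (200, 'Not yet public')
```

Returning the same 404 for a hidden id as for a nonexistent one means the public response does not reveal whether the hidden page exists.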