Question

According to the OWASP Top 10 list, one way to prevent insecure direct object references is to provide only indirect references. These are artificial references that are mapped to the direct (e.g. DB) references on the server. The mapping is stored in the session.

Unfortunately, this solution is not very search engine friendly. The links stored by the crawler would be invalid in another session.

Is there a way around this problem? Are there other solutions apart from mapping references or checking object access?

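The two mechanisms the question mentions, a per-session indirect reference map and a plain authorization check on direct ids, side by side in Python. This is an added example, not code from the original question or answer; the `DOCUMENTS` table, its ids and owners, and all function names are assumptions constructed for the demonstration. It shows why a session-scoped token is useless to a crawler in another session, and why a direct id is harmless when every access is checked.

```python
import secrets
from typing import Dict, Optional

# Constructed sample "database": the direct references are the integer primary keys.
DOCUMENTS: Dict[int, dict] = {
    101: {"owner": "alice", "public": False, "title": "Alice's draft"},
    102: {"owner": "bob",   "public": True,  "title": "Public notice"},
}


class IndirectReferenceMap:
    """Per-session map between opaque tokens and direct (DB) ids.

    This is the scheme described in the question: the client only ever sees
    tokens, and a token means nothing outside the session that issued it,
    which is exactly why a crawler's stored links go stale.
    """

    def __init__(self) -> None:
        self._token_to_id: Dict[str, int] = {}
        self._id_to_token: Dict[int, str] = {}

    def indirect(self, direct_id: int) -> str:
        """Return the session token for a DB id, minting one on first use."""
        if direct_id not in self._id_to_token:
            token = secrets.token_urlsafe(16)   # random, unrelated to the id
            self._id_to_token[direct_id] = token
            self._token_to_id[token] = direct_id
        return self._id_to_token[direct_id]

    def direct(self, token: str) -> Optional[int]:
        """Resolve a token to its DB id, or None if this session never issued it."""
        return self._token_to_id.get(token)


def fetch_via_indirect(session_map: IndirectReferenceMap, token: str) -> Optional[dict]:
    """Indirect-reference lookup: a token from another session is simply unknown."""
    direct_id = session_map.direct(token)
    return DOCUMENTS.get(direct_id) if direct_id is not None else None


def fetch_with_access_check(user: Optional[str], direct_id: int) -> Optional[dict]:
    """Direct reference plus an explicit authorization check on every access.

    Stable URLs such as /doc/102 stay crawlable because the check, not the
    opacity of the identifier, decides who may read the object. `user` is
    None for an anonymous visitor (a crawler included).
    """
    doc = DOCUMENTS.get(direct_id)
    if doc is None:
        return None
    if doc["public"] or doc["owner"] == user:
        return doc
    return None   # authorization failure is reported exactly like "not found"


def demonstrate() -> dict:
    """Exercise both schemes and return the outcomes so they can be checked."""
    session_a, session_b = IndirectReferenceMap(), IndirectReferenceMap()
    token_a = session_a.indirect(102)          # the link a crawler would record in session A

    return {
        # Indirect references: the same token works in A and is dead in B.
        "indirect_same_session": fetch_via_indirect(session_a, token_a) is not None,
        "indirect_other_session": fetch_via_indirect(session_b, token_a) is not None,
        # Tokens are not derived from the id, so each session mints its own.
        "tokens_differ": session_b.indirect(102) != token_a,
        # Access check on direct ids: the public object is readable anonymously,
        # the private one only by its owner.
        "anon_public": fetch_with_access_check(None, 102) is not None,
        "anon_private": fetch_with_access_check(None, 101) is not None,
        "owner_private": fetch_with_access_check("alice", 101) is not None,
        "other_user_private": fetch_with_access_check("bob", 101) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

Note that the access-check variant deliberately returns the same "not found" result for a missing object and for a denied one, so an attacker probing ids cannot distinguish the two cases from the response.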

Solution

You are describing a problem that doesn't exist :-)

Everything that a search engine must be able to crawl and see has to be public, because everything a search engine can see can be seen by everybody. For data that is expected to be public, by definition, the object reference can never be insecure. Insecure means that it is supposed to be protected.

So if you are questioning this, take a step back and look closely at your data. If it must be crawlable, why are you trying to protect it? If it should be protected, why are you supplying it to search engines?

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow