Direct Object Reference – URL tampering: Code Review

Before worrying about direct object reference issues, first check that your controllers and actions are secured. Does every controller have [Authorize(XXX)] added to it? If not, understand why. Then, for those controllers missing [Authorize(XXX)], check that each action has [Authorize(XXX)] applied to it. Again, if this is missing, ask why. Does it make sense for the action […]
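
The two checks above can be turned into a first-pass triage script that is run over controller source before the manual review. This is an added example, not code from the original post: the `audit` function, the regexes and the sample controllers are hypothetical, and the scanner assumes each attribute sits on one line directly above (or on) the declaration it applies to.

```python
import re

# Heuristic line scanner for review triage; it is not a C# parser.
AUTHZ = re.compile(r"[\[,]\s*Authorize(?:Attribute)?\b")
CLASS = re.compile(r"\bclass\s+(\w+Controller)\b")
ACTION = re.compile(r"\bpublic\s+(?!class\b|static\b)[\w<>\[\],.? ]+?\s+(\w+)\s*\(")

# Constructed sample input (hypothetical controllers, not from the page).
SAMPLE = '''
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
public class OrdersController : Controller
{
    [Authorize]
    public ActionResult List() { return View(); }

    // [Authorize]
    [HttpPost]
    public ActionResult Delete(int id) { return View(); }
}
'''

def audit(source):
    """Return (controller, None) for a controller with no class-level
    [Authorize], and (controller, action) for each of its unprotected actions."""
    findings, pending, controller, protected = [], False, None, True
    for raw in source.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue                      # commented-out attributes do not count
        has_authz = pending or bool(AUTHZ.search(line))
        cls, act = CLASS.search(line), ACTION.search(line)
        if line.startswith("[") and not cls and not act:
            pending = has_authz           # attribute-only line: carry to declaration
            continue
        pending = False
        if cls:
            controller, protected = cls.group(1), has_authz
            if not protected:
                findings.append((controller, None))
        elif act and controller and not protected and not has_authz:
            findings.append((controller, act.group(1)))
    return findings

if __name__ == "__main__":
    for ctrl, action in audit(SAMPLE):
        print(f"{ctrl}.{action}" if action else f"{ctrl} (no class-level [Authorize])")
```

Custom attributes derived from the authorize attribute under another name are reported as missing, so each finding is a prompt to ask why, not a verdict.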