
API1: Broken Object Level Authorization

>Control Description

Object-level authorization is an access control mechanism usually implemented at the code level to validate that a user can only access objects that they should have permission to access. Every API endpoint that receives an ID of an object and performs any action on the object should implement object-level authorization checks. The checks should validate that the logged-in user has permissions to perform the requested action on the requested object. Failures in this mechanism typically lead to unauthorized information disclosure, modification, or destruction of all data.

>Prevention & Mitigation Strategies

  1. Implement a proper authorization mechanism that relies on the user policies and hierarchy.
  2. Use the authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses an input from the client to access a record in the database.
  3. Prefer the use of random and unpredictable values as GUIDs for records' IDs.
  4. Write tests to evaluate the vulnerability of the authorization mechanism. Do not deploy changes that make the tests fail.

>Attack Scenarios

#1 E-commerce revenue data exposure

An e-commerce platform for online stores provides a listing page with revenue charts for hosted shops. Inspecting browser requests, an attacker identifies the API endpoints used as a data source for those charts and their pattern: /shops/{shopName}/revenue_data.json. Using another API endpoint, the attacker gets the list of all hosted shop names. With a simple script, the attacker gains access to the sales data of thousands of online stores by manipulating the shop name in the URL.

#2 Vehicle remote control via VIN manipulation

An automobile manufacturer has enabled remote control of its vehicles via a mobile API for the driver. The API enables the driver to remotely start and stop the engine and lock and unlock the doors. As part of this flow, the user sends the Vehicle Identification Number (VIN) to the API. The API fails to validate that the VIN represents a vehicle that belongs to the logged-in user, which leads to a BOLA vulnerability. An attacker can access vehicles that don't belong to them.

#3 Document deletion without ownership check

An online document storage service allows users to view, edit, store, and delete their documents. When a user's document is deleted, a GraphQL mutation with the document ID is sent to the API. Since the API does not perform any further permission checks, a user is able to delete another user's document.
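The following added example (not code from the original page) applies the four prevention strategies above to the document-deletion scenario: a deletion function with no ownership check sits beside a hardened version that routes every client-supplied ID through a central policy check, records get unpredictable UUID identifiers, and a regression test asserts that the check holds. The in-memory store, the `can_access` policy helper and the choice to return the same error for "not found" and "not yours" are assumptions made for the illustration.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str


class Forbidden(Exception):
    """Raised when the caller may not perform the action on the object."""


def new_document_id() -> str:
    # Strategy 3: random, unpredictable record identifiers instead of sequential ints.
    return str(uuid.uuid4())


# Constructed in-memory store standing in for the database.
DOCUMENTS = {
    "doc-1": Document("doc-1", owner_id="alice"),
    "doc-2": Document("doc-2", owner_id="bob"),
}


def delete_document_vulnerable(store: dict, user_id: str, doc_id: str) -> None:
    """BOLA: the client-supplied ID is used directly; the caller's identity is ignored."""
    store.pop(doc_id, None)


def can_access(user_id: str, doc: Document, action: str) -> bool:
    # Strategy 1: one central policy; here only the owner may act on a document.
    return doc.owner_id == user_id


def delete_document(store: dict, user_id: str, doc_id: str) -> None:
    """Strategy 2: every input-to-record lookup passes through the policy check."""
    doc = store.get(doc_id)
    # Same error for missing and foreign documents, so the ID space is not enumerable.
    if doc is None or not can_access(user_id, doc, "delete"):
        raise Forbidden(f"user {user_id!r} may not delete {doc_id!r}")
    del store[doc_id]


def bola_regression_test() -> bool:
    """Strategy 4: returns True only if a foreign delete is refused and an own delete succeeds."""
    store = dict(DOCUMENTS)
    try:
        delete_document(store, "alice", "doc-2")
        return False  # the check is missing: bob's document was deleted by alice
    except Forbidden:
        pass
    delete_document(store, "alice", "doc-1")
    return "doc-2" in store and "doc-1" not in store
```

A CI gate that fails the build when `bola_regression_test()` returns False is what strategy 4 asks for.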

>Related CWEs

>References
