
API3:2023 Broken Object Property Level Authorization

>Control Description

This category combines API3:2019 Excessive Data Exposure and API6:2019 Mass Assignment, focusing on their shared root cause: missing or improper authorization checks at the level of individual object properties, rather than at the level of the object as a whole. The result is information exposure to, or data manipulation by, parties who are not authorized for those properties. An API endpoint is vulnerable if it returns properties of an object that are sensitive and should not be readable by the calling user (excessive data exposure), or if it lets the user change, add, or delete the value of a sensitive property of an object that the user should not be able to modify (mass assignment).

>Prevention & Mitigation Strategies

  1. When exposing an object through an API endpoint, always verify that the calling user is authorized to access each of the object's properties you expose.
  2. Avoid generic serialization methods such as to_json() and to_string(), which return every property. Instead, cherry-pick the specific object properties you want to return.
  3. If possible, avoid functions that automatically bind a client's input into code variables, internal objects, or object properties (mass assignment).
  4. Allow changes only to the object properties that the client is meant to update; reject or strip everything else.
  5. Implement a schema-based response validation mechanism as an extra layer of security. As part of this mechanism, define and enforce the schema of the data returned by all API methods.
  6. Keep returned data structures to the bare minimum required by the business/functional requirements of the endpoint.
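The strategies above as working code. This is an added example, not code from OWASP or from any product: it models a hypothetical user profile, contrasts a generic asdict()-style dump and unrestricted mass assignment with explicit per-role read allowlists and a write allowlist (strategies 1 through 4 and 6), and adds a fail-closed response schema check (strategy 5). The Profile fields, role names, and the READABLE/WRITABLE tables are assumptions chosen for illustration.

```python
"""Property-level authorization for a hypothetical profile object.
Added example; names and fields are assumptions, not from the page."""
from dataclasses import dataclass, asdict, replace


@dataclass
class Profile:
    id: int
    display_name: str
    bio: str
    full_name: str          # sensitive: only the owner may read it
    recent_location: str    # sensitive: only the owner may read it
    is_admin: bool = False  # must never be readable or writable by clients


# Strategy 1/6: the properties each caller role may read. Anything not
# listed here is never returned, whatever the serializer would produce.
READABLE = {
    "public": {"id", "display_name", "bio"},
    "owner": {"id", "display_name", "bio", "full_name", "recent_location"},
}

# Strategy 4: the only properties a client may change via the update endpoint.
WRITABLE = {"display_name", "bio"}


def vulnerable_view(profile: Profile) -> dict:
    """Generic to_json()-style dump (strategy 2 violated): leaks full_name,
    recent_location and is_admin to every caller."""
    return asdict(profile)


def vulnerable_update(profile: Profile, body: dict) -> Profile:
    """Mass assignment (strategy 3 violated): binds every client-supplied key,
    so a body of {"is_admin": true} is silently honoured."""
    return replace(profile, **body)


def view_profile(profile: Profile, role: str) -> dict:
    """Cherry-pick only the properties the caller's role may read."""
    allowed = READABLE[role]
    return {k: v for k, v in asdict(profile).items() if k in allowed}


def update_profile(profile: Profile, body: dict) -> Profile:
    """Accept only allowlisted properties; reject (rather than silently drop)
    anything else so that tampering is visible in logs and to the client."""
    rejected = set(body) - WRITABLE
    if rejected:
        raise PermissionError(f"property not writable: {sorted(rejected)}")
    return replace(profile, **body)


def validate_response(payload: dict, role: str) -> dict:
    """Strategy 5: a final schema gate before the payload leaves the service.
    Fails closed if any serializer ever emits a property outside the schema."""
    extra = set(payload) - READABLE[role]
    if extra:
        raise RuntimeError(f"response schema violation: {sorted(extra)}")
    return payload


if __name__ == "__main__":
    # Constructed sample record, not real data.
    p = Profile(1, "alice", "hi there", "Alice Example", "Berlin")
    print("vulnerable view:", vulnerable_view(p))
    print("public view:    ", validate_response(view_profile(p, "public"), "public"))
    print("owner view:     ", validate_response(view_profile(p, "owner"), "owner"))
    print("vulnerable update is_admin:", vulnerable_update(p, {"is_admin": True}).is_admin)
    try:
        update_profile(p, {"is_admin": True})
    except PermissionError as e:
        print("hardened update rejected:", e)
```

Rejecting unexpected properties, as update_profile does, is the stricter choice; silently stripping them is also acceptable, but then a client that sends a tampered body gets a 200 and the attempt leaves no trace unless you log the dropped keys. The validate_response gate is deliberately separate from view_profile so that a future serializer change cannot quietly widen the response.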

>Attack Scenarios

#1 Dating app sensitive data exposure

A user of a dating application reports another user for inappropriate behavior. The reporting endpoint includes the reported user's full profile object in its response. By inspecting the API traffic, the reporting user, acting as an attacker, discovers that sensitive properties such as fullName and recentLocation are returned, even though they should not be visible to anyone but the profile's owner.

#2 Marketplace price manipulation via mass assignment

An online marketplace host intercepts the API request when approving a booking. The host adds the total_stay_price property to the request body, manipulating the guest's charge to a higher amount. Because the API does not validate which properties can be modified by the host, the inflated price is accepted.

#3 Social network content unblocking

A social network allows users to upload short videos. A user notices that the response for content that has been blocked by moderation includes the property 'blocked': true. The user replays the content upload request and adds 'blocked': false to the request body. Because the API does not enforce property-level authorization on the write, the previously blocked content is published.
