API1:2023 - Broken Object Level Authorization
Introduction
Broken Object Level Authorization is the most common and impactful API vulnerability. It occurs when applications expose endpoints that handle object identifiers and fail to properly check if the user is authorized to access the object. For example, changing the userID in a request like /user/profile?userID=123 to another valid userID may reveal data that does not belong to the attacker.
Threat Agents / Attack Vectors
Any attacker who is aware of object IDs or user IDs within the application can attempt to modify them in requests. APIs that use predictable or sequential object identifiers are especially vulnerable.
Security Weakness
Developers often forget to add proper authorization checks to each object-level access function, especially in complex applications where features are developed rapidly and authorization logic is decentralized.
Impacts
Sensitive data exposure, account manipulation, and potentially full account takeover. If an attacker can change object attributes such as email addresses, they may reset credentials to take control of accounts.
Example of an Attack
Imagine a GET request: /product?id=1001. If the server fails to check whether the authenticated user owns product 1001, an attacker can retrieve or manipulate products they don't own. A common oversight is forgetting these checks when integrating new features like bulk import.
Example 1 - Unauthorized Access:
GET /api/user/12345
GET /api/user/67890
Example 2 - Update without Authorization:
POST /api/product/update
Body: { "id": 5, "price": 99.99 }
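Added example, not taken from the OWASP page: the two requests above handled as plain Python functions over an in-memory store, with the vulnerable user lookup beside a hardened one that performs the object-level check, and the product update using the same check. Function names, roles and sample rows are constructed for illustration; a real service would put the ownership check in one shared data-access layer rather than in each handler.

```python
from dataclasses import dataclass

@dataclass
class Principal:
    """The authenticated caller, as established by the auth layer."""
    user_id: int
    roles: frozenset = frozenset()

# Constructed sample rows standing in for database tables.
USERS = {12345: {"email": "alice@example.com"},
         67890: {"email": "bob@example.com"}}
PRODUCTS = {5: {"owner_id": 67890, "price": 10.0}}

def get_user_vulnerable(caller: Principal, user_id: int):
    """GET /api/user/<id> as written without a BOLA check: the handler
    only verifies that the row exists, never who is asking, so any
    authenticated caller can read any user by changing the id."""
    row = USERS.get(user_id)
    return (404, None) if row is None else (200, row)

def get_user(caller: Principal, user_id: int):
    """Same endpoint with object-level authorization: the requested id
    must be the caller's own, or the caller must hold an admin role."""
    row = USERS.get(user_id)
    if row is None:
        return (404, None)
    if caller.user_id != user_id and "admin" not in caller.roles:
        return (403, None)
    return (200, row)

def update_product_price(caller: Principal, product_id: int, price: float):
    """POST /api/product/update: the id in the body is untrusted, so the
    owner is looked up from the stored row and compared to the caller.
    A missing row and a row owned by someone else get the same 404 so
    the response does not reveal which ids exist."""
    product = PRODUCTS.get(product_id)
    if product is None or product["owner_id"] != caller.user_id:
        return (404, None)
    product["price"] = price
    return (200, product)
```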