
API1:2019 Broken Object Level Authorization - OWASP API Security Top 10

Learn how to prevent unauthorized access and data disclosure with a proper object-level authorization check on every endpoint and with random, unpredictable object IDs.

Overview

Attackers can exploit API endpoints that are vulnerable to broken object level authorization by manipulating the ID of an object that is sent within the request. This may lead to unauthorized access to sensitive data. This issue is extremely common in API-based applications because the server component usually does not fully track the client’s state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access.


Description

API1:2019 Broken Object Level Authorization is a weakness in which an API endpoint fetches a record by an identifier supplied in the request but never verifies that the authenticated caller is allowed to act on that particular record. An attacker who is logged in as themselves simply substitutes another user's object ID and receives that user's data. This is a common issue in API-based applications, because the server often relies on object IDs sent from the client to determine which objects to access rather than on server-side state. The impact depends on the endpoint: data disclosure, data loss, data manipulation, or even full account takeover.


How to Prevent?

To prevent API1:2019 Broken Object Level Authorization, the following measures can be implemented:

1. Implement a proper authorization mechanism that relies on user policies and hierarchy, so that "who may do what to which record" is decided in one place rather than ad hoc in each handler.
2. Use that authorization mechanism in every function that uses a client-supplied ID to access a record, checking that the logged-in user (identified from the validated session or token, never from a client-controlled header or parameter) is allowed to perform the requested action on that record.
3. Prefer random and unpredictable values, such as GUIDs, for record IDs. This only makes IDs harder to guess; it is defense in depth and does not replace the check in step 2, since IDs still leak through links, logs and other users' responses.
4. Write tests that exercise the authorization mechanism (a logged-in user requesting another user's record must be refused) and run them in the deployment pipeline so no vulnerable change is shipped.


Example Attack Scenarios:

  • Scenario #1:  An attacker identifies an e-commerce platform's API endpoint that returns per-shop revenue data, with the shop name carried in the URL. By substituting other shop names in the URL, the attacker gains unauthorized access to the sales data of multiple e-commerce stores.

  • Scenario #2:  An attacker intercepts a wearable device's network traffic and finds that the API identifies the caller by an X-User-Id header. By modifying that header, the attacker can read and modify other users' account data, because the server trusts the client-supplied identity instead of the authenticated session.
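The following is an added example, not code from the original page or from the OWASP project, tying the prevention steps above to the two scenarios. It is plain Python with no web framework so it runs offline: a vulnerable revenue handler that trusts a client-supplied `X-User-Id` header and fetches whatever shop ID it is given, beside a hardened handler that takes identity from the server-side session, looks the record up, and consults a single policy function before returning anything. The role names, the `can_access` policy, and the constructed shops and users are assumptions for illustration; IDs are uuid4 values as prevention step 3 recommends, and `attack_succeeds` is the regression test of step 4.

```python
"""Added example (not from the original page): a BOLA-vulnerable handler
beside its hardened form, runnable offline without a web framework."""
import uuid
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    user_id: str
    role: str  # hypothetical role names: "customer" or "admin"


@dataclass
class Shop:
    shop_id: str
    owner_id: str
    revenue: int


@dataclass
class Request:
    # Identity the server derived from a validated session or token (trusted).
    session_user: Optional[User]
    # Client-controlled inputs: the path parameter and request headers.
    path_shop_id: str
    headers: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised by the hardened handler; a real API would map it to 403/404."""


# Constructed sample data. IDs are uuid4, so an attacker cannot enumerate
# them by incrementing a counter or guessing a shop name (prevention step 3).
ALICE = User(str(uuid.uuid4()), "customer")
BOB = User(str(uuid.uuid4()), "customer")
ADMIN = User(str(uuid.uuid4()), "admin")

SHOPS = {}


def _add_shop(owner: User, revenue: int) -> Shop:
    shop = Shop(str(uuid.uuid4()), owner.user_id, revenue)
    SHOPS[shop.shop_id] = shop
    return shop


ALICE_SHOP = _add_shop(ALICE, 12000)
BOB_SHOP = _add_shop(BOB, 54000)


def get_revenue_vulnerable(req: Request) -> int:
    """BOLA: the record is fetched by the client-supplied ID and the caller
    is identified by a client-supplied header (scenario #2). No ownership
    check is made at all, so any valid shop ID returns that shop's revenue."""
    _caller = req.headers.get("X-User-Id")  # attacker-controlled, and unused
    shop = SHOPS[req.path_shop_id]
    return shop.revenue


def can_access(user: User, action: str, shop: Shop) -> bool:
    """Single policy function (prevention step 1, hypothetical policy):
    owners may read and write their own shop; admins may read any shop;
    everyone else is denied."""
    if user.user_id == shop.owner_id:
        return action in ("read", "write")
    if user.role == "admin":
        return action == "read"
    return False


def get_revenue_hardened(req: Request) -> int:
    """Prevention step 2: identity comes from the server-side session, the
    record is looked up, and the policy is checked before anything is
    returned. A missing record and a denied one are reported identically,
    so the response does not confirm whether a guessed ID exists."""
    if req.session_user is None:
        raise Forbidden("unauthenticated")
    shop = SHOPS.get(req.path_shop_id)
    if shop is None or not can_access(req.session_user, "read", shop):
        raise Forbidden("not found")
    return shop.revenue


def attack_succeeds(handler, attacker: User, victim_shop: Shop) -> bool:
    """Prevention step 4: the attacker is logged in as themselves, requests
    the victim's shop ID, and also forges X-User-Id as the victim would
    in scenario #2. True means the handler leaked the victim's revenue."""
    req = Request(session_user=attacker,
                  path_shop_id=victim_shop.shop_id,
                  headers={"X-User-Id": victim_shop.owner_id})
    try:
        handler(req)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("vulnerable leaks:", attack_succeeds(get_revenue_vulnerable, BOB, ALICE_SHOP))
    print("hardened leaks:  ", attack_succeeds(get_revenue_hardened, BOB, ALICE_SHOP))
```

The point of `attack_succeeds` is that it belongs in the test suite, not in a one-off pentest: it encodes the exact abuse case (authenticated user, someone else's ID) so a refactor that drops the `can_access` call fails the build instead of reaching production. Keeping the decision in `can_access` rather than scattered across handlers is what lets the same test cover every endpoint that takes a record ID.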
