API1:2023 Broken Object Level Authorization - OWASP API Security Top 10

API1:2023 Broken Object Level Authorization is a security risk in API endpoints vulnerable to object ID manipulation, allowing unauthorized access to users' objects and data disclosure.

Overview

This page summarizes API1:2023 Broken Object Level Authorization, one of the OWASP API Security Top 10 risks. It covers the threat agents, attack vectors, security weakness, impacts, vulnerability assessment, example attack scenarios, prevention measures, and references.


Description

API1:2023 Broken Object Level Authorization is a security risk found in API endpoints that are vulnerable to manipulation of object IDs. Attackers can exploit this vulnerability by changing the ID of an object within the request to gain unauthorized access to other users' objects. This can lead to data disclosure, loss, manipulation, and even full account takeover.


How to Prevent?

To prevent API1:2023 Broken Object Level Authorization, implement a proper authorization mechanism that checks whether the logged-in user is permitted to access and act on the requested object before the action is performed. Use random, unpredictable values as object IDs, and write tests that evaluate the authorization mechanism for this weakness.


Example Attack Scenarios:

  • Scenario #1: E-commerce Platform Revenue Data Exposure: An attacker discovers that an e-commerce platform exposes revenue data through API endpoints that follow a predictable pattern. By manipulating the shop names in the URL, the attacker gains unauthorized access to the sales data of multiple e-commerce stores.

  • Scenario #2: Remote Control of Vehicles: A mobile API for remote control of vehicles fails to validate that the Vehicle Identification Number (VIN) belongs to the logged-in user. This allows an attacker to control vehicles that do not belong to them.

  • Scenario #3: Document Deletion without Permission Checks: An online document storage service allows users to delete their documents through a GraphQL mutation. However, the deletion is performed without any permission checks, enabling a user to delete another user's document.
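The following is an added example, not code from the page or from OWASP, showing the ownership check the prevention section calls for, applied to the document-deletion endpoint of Scenario #3. The user names, document IDs and in-memory store are constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    body: str


def sample_store() -> dict:
    """Constructed sample data: two users, each owning one document."""
    return {
        "doc-1001": Document("doc-1001", "alice", "Alice's notes"),
        "doc-1002": Document("doc-1002", "bob", "Bob's notes"),
    }


def delete_document_unchecked(session_user: str, doc_id: str, store: dict) -> str:
    """The weakness in Scenario #3: the mutation trusts the client-supplied
    doc_id and never compares the record's owner with the logged-in user."""
    if doc_id not in store:
        return "not_found"
    del store[doc_id]
    return "deleted"


def delete_document_authorized(session_user: str, doc_id: str, store: dict) -> str:
    """Object-level authorization: ownership is read from the server-side
    record, never from the request, and checked before any state change."""
    doc = store.get(doc_id)
    # One response for "does not exist" and "not yours", so the endpoint
    # does not confirm to a caller which IDs exist.
    if doc is None or doc.owner_id != session_user:
        return "not_found"
    del store[doc_id]
    return "deleted"


def create_document(session_user: str, body: str, store: dict) -> str:
    """New objects get a random, unpredictable ID (128 bits from the OS CSPRNG).
    This hampers guessing of IDs but does not replace the check above."""
    doc_id = secrets.token_urlsafe(16)
    store[doc_id] = Document(doc_id, session_user, body)
    return doc_id


if __name__ == "__main__":
    weak, fixed = sample_store(), sample_store()
    print(delete_document_unchecked("bob", "doc-1001", weak))    # deleted (BOLA)
    print(delete_document_authorized("bob", "doc-1001", fixed))  # not_found
```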
