
API3:2023 Broken Object Property Level Authorization - OWASP API Security Top 10

API3:2023 Broken Object Property Level Authorization is a top API security risk. Learn how to prevent unauthorized access to sensitive data properties.

Overview

API3:2023 Broken Object Property Level Authorization is one of the top 10 API security risks identified by OWASP. It refers to the vulnerability in APIs where sensitive object properties are exposed or can be manipulated by unauthorized users.


Description

APIs tend to expose endpoints that return all of an object's properties. This is particularly true for REST APIs; for other protocols such as GraphQL, crafted requests may be needed to specify which properties should be returned. Identifying these additional properties that can be manipulated requires more effort, but a few automated tools are available to assist with the task. Unauthorized access to private or sensitive object properties may result in data disclosure, data loss, or data corruption. Under certain circumstances, unauthorized access to object properties can lead to privilege escalation or partial or full account takeover.


How to Prevent?

To prevent this vulnerability, validate that the user is authorized to read or modify each specific object property they request, not merely the object as a whole. API endpoints should ensure that sensitive object properties are neither exposed to nor manipulable by unauthorized users. Specific prevention measures include:


Example Attack Scenarios:

  • Scenario #1: A dating app allows a user to report other users for inappropriate behavior. The API endpoint used for reporting allows the authenticated user to have access to sensitive (reported) user object properties that are not supposed to be accessed by other users.

  • Scenario #2: An online marketplace platform requires hosts to accept a booking made by a guest before charging them for the stay. The API endpoint used for approving bookings does not validate if the host has access to the internal object property for the total stay price, allowing the host to charge the guest more than intended.

  • Scenario #3: A social network based on short videos enforces content filtering and censorship. The API endpoint used for updating video descriptions does not validate if the user has access to the internal object property for blocking videos, allowing the user to unlock their own blocked content.
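The following is an added example, not code from this page or from OWASP, illustrating the prevention advice above using a booking object modelled on Scenario #2. The role names, property names and sample values are assumptions; the point is that writes are checked against a per-role property allowlist instead of copying every field from the request body, and reads return only the properties the caller may see.

```python
"""Property-level authorization for an API resource (added example).

A booking has properties the host may change (status, host_note) and an
internal property, total_price, that only the pricing service may set.
"""

# Properties each role may write on a booking. Anything absent is denied.
WRITABLE = {
    "host": {"status", "host_note"},
    "guest": {"guest_note"},
    "pricing_service": {"total_price"},
}

# Properties each role may read back in a response.
READABLE = {
    "host": {"id", "status", "host_note", "guest_note", "total_price"},
    "guest": {"id", "status", "guest_note", "total_price"},
}


class PropertyForbidden(Exception):
    """Raised when a caller tries to write a property outside its allowlist."""


def update_booking_insecure(booking, patch):
    """Vulnerable pattern: every key in the request body is applied as-is,
    so a host can send {"total_price": 900} along with the approval."""
    booking.update(patch)
    return booking


def update_booking(booking, role, patch):
    """Hardened pattern: reject the whole request if any key is not allowed
    for this role, leaving the object untouched."""
    forbidden = set(patch) - WRITABLE.get(role, set())
    if forbidden:
        raise PropertyForbidden(sorted(forbidden))
    booking.update(patch)
    return booking


def serialize_booking(booking, role):
    """Return only the properties the role may read (no blanket dumps)."""
    return {k: v for k, v in booking.items() if k in READABLE.get(role, set())}


def sample_booking():
    """Constructed sample data for demonstration."""
    return {"id": 42, "status": "pending", "host_note": "", "guest_note": "",
            "total_price": 300, "internal_risk_score": 0.1}
```

Rejecting the entire request on any unknown or forbidden property (rather than silently dropping it) also makes such attempts visible in logs.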
