First, let's see what Object Level Authorization is.
Object Level Authorization is an access control mechanism that ensures a user can only access the objects (resources or data) they are entitled to. The authorization token identifies who is asking; the check then has to be made per object, not just per endpoint.
For example:
Suppose a web application has two users: user A with user ID 1 and user B with user ID 2. User A is allowed to read the file user_a_profile_data.txt using its own authorization token, and user B is allowed to read user_b_profile_data.txt using its own authorization token, both through the same API endpoint:
GET /api/userdata/<user_ID>
Host: <Host Name>
Authorization: Bearer <Token>
Here the token says who is asking and the user_ID in the path says which object is asked for. Object Level Authorization is the check that the two belong together.
Now we will see what Broken Object Level Authorization is.
If an attacker can access or modify data they are not authorized for simply by changing the ID parameter of the object (which can be any set of data: profile data, finance data, etc.), the application has a Broken Object Level Authorization vulnerability. Attackers exploit it to read or change sensitive data belonging to other users by supplying another user's object ID with their own valid token.
What is the root cause of Broken Object Level Authorization vulnerability?
The root cause is at the code level: the application looks the object up by its ID but never validates whether the authenticated user has permission to access that particular object. A valid token is treated as permission for everything.
What is the impact of Broken Object Level Authorization vulnerability?
The impact of this vulnerability is very high because it gives attackers unauthorized access to other users' data, which can result in data disclosure to unauthorized parties, data loss, data manipulation, or unauthorized access to objects. Depending on which objects are exposed (for example, password reset or profile records), it can also lead to a complete account takeover.
Now we will see an example of Broken Object Level Authorization.
For this demo, first, we will create two users, user_A and user_B.
API request and response for user_A registration
API request and response for user_B registration
Now we will log in using user_A credentials to get the authorization token for user_A
Now we will add a new book with a secret using the user_A authorization token
After adding a book with a secret using user_A credentials, log in using user_B credentials to get the authorization token for user_B
After logging in as user_B, we will use the user_B authorization token to request the secret stored by user_A (ideally, user_B is not allowed to access a secret stored by user_A).
And as we can see, user_B is able to read user_A's secret using user_B's own authorization token: the API checked that the token was valid but not that the requested book belonged to the caller.
Remediations
- Implement a proper access control mechanism based on user policy, and enforce it on the server for every request that touches an object
- Use an authorization check that confirms the logged-in user has permission to perform the requested action on the specific object being requested (by ID), not just on the endpoint
- Use unpredictable, random IDs (for example UUIDs) for records as defence in depth; this makes IDs harder to guess but does not replace the authorization check above
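The following is an added example, not the demo application's code, that models the book/secret API from the demo in memory: with `checked=False` it reproduces the BOLA (user_B reads user_A's secret with a valid token and a known book ID), and with `checked=True` it applies the per-object ownership check from the remediations. The class, function and JSON field names are assumptions made for this illustration.

```python
# Added example (not the demo application's own code): minimal in-memory model
# of the book/secret API. All names and response shapes are assumptions.
import secrets
import uuid
from dataclasses import dataclass, field


@dataclass
class Book:
    id: str
    owner: str     # username that created the book
    title: str
    secret: str


@dataclass
class Api:
    tokens: dict = field(default_factory=dict)  # bearer token -> username
    books: dict = field(default_factory=dict)   # book id -> Book
    checked: bool = True                        # False = vulnerable behaviour

    def login(self, username: str) -> str:
        """Issue an opaque bearer token (credential check omitted for brevity)."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        return token

    def _caller(self, headers: dict):
        """Authentication only: resolve 'Authorization: Bearer <token>' to a user."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        return self.tokens.get(token) if scheme == "Bearer" else None

    def add_book(self, headers: dict, title: str, secret: str):
        user = self._caller(headers)
        if user is None:
            return 401, {"error": "unauthenticated"}
        # Random ids are defence in depth only; they do not replace the check in get_book.
        book = Book(str(uuid.uuid4()), user, title, secret)
        self.books[book.id] = book
        return 201, {"id": book.id}

    def get_book(self, headers: dict, book_id: str):
        user = self._caller(headers)
        if user is None:
            return 401, {"error": "unauthenticated"}
        book = self.books.get(book_id)
        # The vulnerable version (checked=False) stops at authentication: any
        # valid token plus a known or guessed id returns the object.
        if book is None or (self.checked and book.owner != user):
            # Same answer for "missing" and "not yours", so ids cannot be enumerated.
            return 404, {"error": "not found"}
        return 200, {"id": book.id, "title": book.title, "secret": book.secret}


def bearer(token: str) -> dict:
    return {"Authorization": f"Bearer {token}"}


def run_demo(checked: bool):
    """Replay the demo: user_A stores a secret, user_B requests it by id.
    Returns user_B's (status, body)."""
    api = Api(checked=checked)
    hdr_a, hdr_b = bearer(api.login("user_A")), bearer(api.login("user_B"))
    status, body = api.add_book(hdr_a, "user_A book", "user_A secret")
    assert status == 201
    return api.get_book(hdr_b, body["id"])


def is_bola(api: Api, owner_hdr: dict, other_hdr: dict, book_id: str) -> bool:
    """Tester's check: the owner can read the object and so can another user."""
    return (api.get_book(owner_hdr, book_id)[0] == 200
            and api.get_book(other_hdr, book_id)[0] == 200)


if __name__ == "__main__":
    for checked in (False, True):
        status, body = run_demo(checked)
        print(f"ownership check {'on' if checked else 'off'}: user_B got {status} {body}")
```

Two design points are worth noting. The fix lives in `get_book`, next to the lookup, and compares the object's owner with the authenticated caller; an unpredictable UUID on its own would not have stopped user_B, because in the demo user_B already knew the ID. Returning 404 for both a missing object and someone else's object keeps an attacker from using the status code to confirm which IDs exist. `is_bola` is the same test a pentester runs by hand: fetch the object with the owner's token, then again with a second user's token, and flag the endpoint if both succeed.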