OWASP API Security Top 10 API1:2019 Broken Object Level Authorization with Example



In this blog, we will look at OWASP API Security Top 10 API1:2019 Broken Object Level Authorization: what Object Level Authorization is, what Broken Object Level Authorization is, and how it works, using an example.


So first, we will see what Object Level Authorization is.

Object Level Authorization is an access control mechanism that ensures users can access only the objects, resources, or data they are entitled to, based on the identity carried in their authorization token.

For example:
there are two users in a web application, say user A with user ID 1 and user B with user ID 2. User A is allowed to access a file named user_a_profile_data.txt using its own authorization token, and user B is allowed to access a file named user_b_profile_data.txt using its own authorization token, through the API endpoint

GET /api/userdata/<user_ID>
Host: <Host Name>
Authorization: Bearer <Token>



Now we will see what Broken Object Level Authorization is.

If an attacker is able to access or modify data that they are not authorized to access simply by changing the ID parameter of the object (which can be any set of data, such as profile data, finance data, etc.), then it is a Broken Object Level Authorization vulnerability.

Attackers can exploit this vulnerability to access the sensitive data that belongs to other users by using the ID of another user.


What is the root cause of Broken Object Level Authorization vulnerability?

The root cause of the vulnerability is at the code level: the application relies only on the object ID and does not validate whether the requesting user has permission to access that object.


What is the impact of Broken Object Level Authorization vulnerability?

The impact of this vulnerability is very high because it will allow the attackers to gain unauthorized access to data that can result in data disclosure to unauthorized parties, data loss, data manipulation, or unauthorized access to objects. This can also lead to a complete account takeover by the attacker.


Now we will see an example of Broken Object Level Authorization.

For this demo, we will first create two users, user_A and user_B.

API Request and response for user_A registration




API request and response for user_B registration


Now we will log in using user_A credentials to get the authorization token for user_A


Now we will add a new book with a secret using the user_A authorization token




After adding a book with a secret using user_A credentials, log in using user_B credentials to get the authorization token for user_B



After logging in as user_B, we will use the user_B authorization token to get the secret stored by user_A (ideally, user_B is not allowed to access the secret stored by user_A).


And as we can see, user_B is able to see user_A's secret by using his own authorization token.


Remediations

  • Implement a proper access control mechanism based on user policy
  • Use an access mechanism to check whether the logged-in user has permission to perform the requested action on the object
  • Use unpredictable or random IDs for records
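The book/secret endpoint from the demo above, written out as an added example (not code from the original post or from the demo application), with the broken handler next to one that applies the remediations. Users, tokens, the book and the endpoint name are constructed assumptions.

```python
# Added example, not from the original post: a minimal "GET /api/books/<id>"
# handler showing the BOLA bug beside the fixed version. All data is constructed.
from dataclasses import dataclass
import secrets


@dataclass
class Book:
    id: str
    owner_id: int
    title: str
    secret: str


# Constructed sample data: two users, their bearer tokens, one book owned by user_A.
USERS = {1: "user_A", 2: "user_B"}
TOKENS = {"token-of-user-A": 1, "token-of-user-B": 2}
BOOKS = {"1": Book("1", 1, "Diary", "user_A's secret")}


def user_from_token(auth_header: str) -> int:
    """Authentication only: map 'Bearer <token>' to a user ID, or raise."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        raise PermissionError("401 Unauthorized")
    return TOKENS[token]


def get_book_vulnerable(auth_header: str, book_id: str) -> dict:
    """As in the demo: the token is checked (who are you?) but the object is
    looked up by ID alone, so any authenticated user can read any book."""
    user_from_token(auth_header)
    book = BOOKS.get(book_id)
    if book is None:
        return {"status": 404}
    return {"status": 200, "secret": book.secret}


def get_book_fixed(auth_header: str, book_id: str) -> dict:
    """Same endpoint with object-level authorization: the lookup is scoped to
    the caller, so another user's book looks exactly like a missing one."""
    user_id = user_from_token(auth_header)
    book = BOOKS.get(book_id)
    if book is None or book.owner_id != user_id:
        # 404 rather than 403 avoids confirming that the object exists.
        return {"status": 404}
    return {"status": 200, "secret": book.secret}


def new_book_id() -> str:
    """Third remediation: unpredictable IDs. Defence in depth only; it does
    not replace the ownership check in get_book_fixed."""
    return secrets.token_urlsafe(16)
```

Logging the ownership-check failures (a valid token requesting an object it does not own) is also a cheap detection signal for enumeration attempts against the endpoint.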

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
