© 2024 Prancer Enterprise
Blog
OWASP top 10 API Security vulnerabilities – Broken Object Level Authorization
Prancer
December 22, 2022
OWASP API Security Broken Object Level Authorization

Introduction

Broken Object Level Authorization refers to the risk of improper authorization controls in APIs, where API calls may allow unauthorized access to sensitive data or functionality. This can occur when API calls do not properly validate the permissions of the caller, or when permissions are not correctly enforced on the server side.

Risks

Some common risks associated with Broken Object Level Authorization include:
• Sensitive data being accessed or modified by unauthorized parties
• Unauthorized access to sensitive functionality, such as the ability to delete or modify data
• Elevation of privileges by unauthorized parties

Attack Scenarios

Attack scenarios for cloud applications may include:
• An attacker intercepts API calls and modifies the permissions of the caller to gain access to sensitive data or functionality
• An attacker uses a compromised account with higher permissions to access sensitive data or functionality
• An attacker exploits a vulnerability in the API to bypass authorization checks

Vulnerable Sample Code

A vulnerable sample of code in Go lang might look like this:


  // Get the user's ID from the request
  userID := r.Header.Get("X-User-ID")

  // Retrieve the data from the database
  data, err := database.GetData(userID)
  if err != nil {
    http.Error(w, "Error retrieving data", http.StatusInternalServerError)
    return
  }

  // Return the data to the user
  json.NewEncoder(w).Encode(data)
}

In this example, the API call retrieves data from a database based on the user’s ID, which is passed in the request header. However, there is no validation or authorization check to ensure that the user is authorized to access the data. An attacker could exploit this vulnerability by intercepting the API call and modifying the user ID to access data that they should not have access to.

Sample Attack

A sample attack payload using the curl command might look like this:

curl -H "X-User-ID: attacker_user_id" http://api.example.com/getdata

In this example, the attacker is using curl to send an API request with a modified user ID in the request header. If the API is vulnerable to Broken Object Level Authorization, the attacker may be able to access data that they should not have access to.

MITRE ATT&CK framework reference

Broken Object Level Authorization can be mapped to the Tactic: Privilege Escalation and the Techniques: Exploitation of Uncontrolled Linkage to a Third-party Domain, Uncontrolled Search Path Element in the MITRE ATT&CK framework. These techniques involve exploiting vulnerabilities in authorization controls to gain access to resources or functionality that the attacker should not have access to.

Mitigation

To mitigate the risk of Broken Object Level Authorization, organizations should ensure that they properly validate and enforce permissions on API calls. This may include implementing proper authentication and authorization controls, as well as regularly reviewing and testing the security of their API implementations. Additionally, organizations should ensure that they are properly logging and monitoring API activity to detect and respond to any unauthorized access or manipulation of sensitive data or functionality.

Download API Security whitepaper

Our in-depth whitepaper provides valuable insights into how Prancer Security’s cutting-edge solution mitigates critical risks such as unauthorized access and data breaches, while adhering to the highest security standards.

Don’t leave your API security to chance – download our comprehensive whitepaper now and discover how Prancer Security can safeguard your organization from potential threats!