diff --git a/Secure Coding - Broken Object Property Level Authorization.md b/Secure Coding - Broken Object Property Level Authorization.md new file mode 100644 index 0000000..8930544 --- /dev/null +++ b/Secure Coding - Broken Object Property Level Authorization.md @@ -0,0 +1,203 @@ +# Broken Object Property Level Authorization (API3:2023) +In this vulnerability, the attacker has the possibility of extracting or CRUD operations on the relevant methods due to the lack of checking the data models in the request and response. +This issue is due to the inaccuracy of the validation of the access permission to the properties of the objects, and as a result, it causes the disclosure of information or disruption of requests. + +* Example + +A `PUT` request to update an attribute of an item: + +```html +PUT /api/items/{item_id} + +Body: +{ + "name": "Updated Item Name", + "price": 10.99, + "is_available": true +} +``` + +### Non-compliant code (.NET) +```c# +[Route("api/items")] +public class ItemController : ControllerBase +{ + private readonly IItemService _itemService; + + public ItemController(IItemService itemService) + { + _itemService = itemService; + } + + [HttpGet("{itemId}")] + public IActionResult GetItem(int itemId) + { + // Retrieve the item from the database + Item item = _itemService.GetItem(itemId); + + // Return the item without any authorization check + return Ok(item); + } + + [HttpPut("{itemId}")] + public IActionResult UpdateItem(int itemId, [FromBody] Item + updatedItem) + { + // Retrieve the existing item from the database + Item existingItem = _itemService.GetItem(itemId); + // Update only the allowed properties + existingItem.Name = updatedItem.Name; + existingItem.Price = updatedItem.Price; + existingItem.IsAvailable = updatedItem.IsAvailable; + // Save the changes to the database + _itemService.UpdateItem(existingItem); + // Return a success response + return Ok(); + } + // Other methods... +} +``` + +### Compliant code (.NET) +```c# +[Route("api/items")] +public class ItemController : ControllerBase +{ + private readonly IItemService _itemService; + + public ItemController(IItemService itemService) + { + _itemService = itemService; + } + + [HttpGet("{itemId}")] + public IActionResult GetItem(int itemId) + { + // Retrieve the item from the database + Item item = _itemService.GetItem(itemId); + + // Check if the user is authorized to access the item + if (!IsUserAuthorized(item)) + { + return Forbid(); + } + + // Return the item + return Ok(item); + } + + [HttpPut("{itemId}")] + public IActionResult UpdateItem(int itemId, [FromBody] Item + updatedItem) + { + // Retrieve the existing item from the database + Item existingItem = _itemService.GetItem(itemId); + + // Check if the user is authorized to update the item properties + if (!IsUserAuthorized) + } +} +``` + +## General prevention suggestions: +* When creating or updating objects, ensure that the property access permission is set to the correct level. + +* Validating users' input data and only accepting them if they have authorized access to the relevant features. + +* Using strong and secure mechanisms to determine and manage permissions and roles in the system, such as Role-Based Access Control (RBAC). + +* Limiting users' access to object features based on business needs and Least of Privilege principles + +* Perform regular security tests on APIs and systems to ensure that all required permissions and validations are properly implemented. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +