From e55912bc5021b6f6b25cf9c1cd136b79087b27cc Mon Sep 17 00:00:00 2001
From: Mehdi
Date: Sun, 10 Dec 2023 15:14:34 +0330
Subject: [PATCH] Create Secure Coding - Broken Function Level Authorization.md
---
 ...g - Broken Function Level Authorization.md | 210 ++++++++++++++++++
 1 file changed, 210 insertions(+)
 create mode 100644 Secure Coding - Broken Function Level Authorization.md
diff --git a/Secure Coding - Broken Function Level Authorization.md b/Secure Coding - Broken Function Level Authorization.md
new file mode 100644
index 0000000..580387f
--- /dev/null
+++ b/Secure Coding - Broken Function Level Authorization.md
@@ -0,0 +1,210 @@
+# Broken Function Level Authorization (API5:2023)
+By not verifying the access control policies with the access hierarchy, the attacker has the possibility to call and execute unauthorized requests from the authorized Endpoint to access the resources of other users and/or access management functions.
+
+* Example
+
+`DELETE` request to delete a comment with comment ID:
+
+```html
+DELETE /api/comments/{comment_id}
+```
+
+### Non-compliant code (.NET)
+```c#
+[ApiController]
+[Route("api/data")]
+public class DataController : ControllerBase
+{
+ private readonly DataService _dataService;
+
+ public DataController(DataService dataService)
+ {
+ _dataService = dataService;
+ }
+
+ [HttpGet]
+ public IActionResult GetData()
+ {
+ // Get data from the service
+ var data = _dataService.GetData();
+ // Return the data
+ return Ok(data);
+ }
+
+ [HttpPost]
+ public IActionResult UpdateData(DataModel data)
+ {
+ // Update the data using the service
+ _dataService.UpdateData(data);
+ // Return success response
+ return Ok("Data updated successfully");
+ }
+ // Other methods...
+}
+```
+
+
+### Compliant code (.NET)
+```c#
+[ApiController]
+[Route("api/data")]
+[Authorize]
+public class DataController : ControllerBase
+{
+ private readonly DataService _dataService;
+
+ public DataController(DataService dataService)
+ {
+ _dataService = dataService;
+ }
+
+ [HttpGet]
+ [Authorize(Roles = "ReadAccess")]
+ public IActionResult GetData()
+ {
+ // Get the user's identity
+ var identity = HttpContext.User.Identity as ClaimsIdentity;
+
+ // Get the user's role
+ var role = identity.FindFirst(ClaimTypes.Role)?.Value;
+
+ // Check if the user has the required role for reading data
+ if (role != "ReadAccess")
+ {
+ return Forbid(); // Return 403 Forbidden if the user is not authorized
+ }
+
+ // Get data from the service
+ var data = _dataService.GetData();
+
+ // Return the data
+ return Ok(data);
+ }
+ [HttpPost]
+ [Authorize(Roles = "WriteAccess")]
+ public IActionResult UpdateData(DataModel data)
+ {
+ // Get the user's identity
+ var identity = HttpContext.User.Identity as ClaimsIdentity;
+
+ // Get the user's role
+ var role = identity.FindFirst(ClaimTypes.Role)?.Value;
+
+ // Check if the user has the required role for updating data
+ if (role != "WriteAccess")
+ {
+ return Forbid(); // Return 403 Forbidden if the user is not authorized
+ }
+ // Update the data using the service
+ _dataService.UpdateData(data);
+
+ // Return success response
+ return Ok("Data updated successfully");
+ }
+
+ // Other methods...
+}
+```
+
+## General prevention suggestions:
+* Full validation on each API function based on access levels and user roles.
+
+* Using multi-level access permission systems and applying access levels to different resources.
+
+* Proper separation between management and normal functions and applying appropriate access policies for each.
+
+* Checking permissions on each function and validating user access at runtime.
+ +* Using user access management frameworks and libraries and implementing more complex access policies such as Based-Role Access Control (RBAC) or Attribute-Based Access Control (ABAC). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
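Review bot: The in-body role check in the "Compliant code" `GetData` and `UpdateData` methods is weaker than the `[Authorize(Roles = ...)]` attribute it duplicates: `identity.FindFirst(ClaimTypes.Role)` returns only the first role claim, so a principal that carries several role claims (say both `WriteAccess` and `ReadAccess`) is wrongly rejected with 403 even though the attribute already admitted it, and `identity` is dereferenced without a null check after the `as ClaimsIdentity` cast. Either drop the body check so the attribute (or a named policy) is the single enforcement point, or replace the comparison with `if (!User.IsInRole("ReadAccess")) { return Forbid(); }` (and the `WriteAccess` counterpart in `UpdateData`), which evaluates every role claim and needs no cast. The surrounding prose should then say that the attribute is the enforcement layer and that `ReadAccess`/`WriteAccess` are really permissions rather than roles, so readers do not copy the redundant body check as "the fix". Minor: `Based-Role Access Control (RBAC)` in the prevention list should read `Role-Based Access Control (RBAC)`.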