3.4 KiB
Broken Object Property Level Authorization (API3:2023)
In this vulnerability, the attacker has the possibility of extracting or CRUD operations on the relevant methods due to the lack of checking the data models in the request and response. This issue is due to the inaccuracy of the validation of the access permission to the properties of the objects, and as a result, it causes the disclosure of information or disruption of requests.
- Example
A PUT
request to update an attribute of an item:
PUT /api/items/{item_id}
Body:
{
"name": "Updated Item Name",
"price": 10.99,
"is_available": true
}
Non-compliant code (.NET)
[Route("api/items")]
public class ItemController : ControllerBase
{
private readonly IItemService _itemService;
public ItemController(IItemService itemService)
{
_itemService = itemService;
}
[HttpGet("{itemId}")]
public IActionResult GetItem(int itemId)
{
// Retrieve the item from the database
Item item = _itemService.GetItem(itemId);
// Return the item without any authorization check
return Ok(item);
}
[HttpPut("{itemId}")]
public IActionResult UpdateItem(int itemId, [FromBody] Item
updatedItem)
{
// Retrieve the existing item from the database
Item existingItem = _itemService.GetItem(itemId);
// Update only the allowed properties
existingItem.Name = updatedItem.Name;
existingItem.Price = updatedItem.Price;
existingItem.IsAvailable = updatedItem.IsAvailable;
// Save the changes to the database
_itemService.UpdateItem(existingItem);
// Return a success response
return Ok();
}
// Other methods...
}
Compliant code (.NET)
[Route("api/items")]
public class ItemController : ControllerBase
{
private readonly IItemService _itemService;
public ItemController(IItemService itemService)
{
_itemService = itemService;
}
[HttpGet("{itemId}")]
public IActionResult GetItem(int itemId)
{
// Retrieve the item from the database
Item item = _itemService.GetItem(itemId);
// Check if the user is authorized to access the item
if (!IsUserAuthorized(item))
{
return Forbid();
}
// Return the item
return Ok(item);
}
[HttpPut("{itemId}")]
public IActionResult UpdateItem(int itemId, [FromBody] Item
updatedItem)
{
// Retrieve the existing item from the database
Item existingItem = _itemService.GetItem(itemId);
// Check if the user is authorized to update the item properties
if (!IsUserAuthorized)
}
}
General prevention suggestions:
-
When creating or updating objects, ensure that the property access permission is set to the correct level.
-
Validating users' input data and only accepting them if they have authorized access to the relevant features.
-
Using strong and secure mechanisms to determine and manage permissions and roles in the system, such as Role-Based Access Control (RBAC).
-
Limiting users' access to object features based on business needs and Least of Privilege principles
-
Perform regular security tests on APIs and systems to ensure that all required permissions and validations are properly implemented.