Broken Object Property Level Authorization

Severity: High
Test name: Broken Object Property Level Authorization
Test ID: bopla
Summary

The target application does not properly enforce access controls on individual properties of an object.
This allows attackers to view, modify, or delete specific properties they should not have access to, leading to unauthorized access to sensitive information or functionality.

Impact
  • Privilege Escalation
  • Unauthorized Access
  • Bypass Protection Mechanisms
  • Gain Privileges or Assume Identity
Example

Example 1:

In this scenario, an application allows users to register through an API whose user object includes properties such as is_admin or is_verified, without implementing proper security controls on those properties. This lack of control could let attackers escalate privileges by setting these flags themselves.

Malicious Request:

POST /api/register
Content-Type: application/json

{
  "username": "newuser",
  "password": "securepassword123",
  "email": "[email protected]",
  "is_verified": true,
  "is_admin": true
}

Server Response:

HTTP/1.1 201 Created
Content-Type: application/json

{
  "message": "User registered successfully.",
  "user": {
    "username": "newuser",
    "is_verified": true,
    "is_admin": true
  }
}

In this case, the server does not validate whether the is_verified and is_admin properties are set by authorized personnel. This oversight allows any user to register as a verified user or even as an admin by simply adding these flags to the request.

Example 2:

In this scenario, a shopping application allows users to view product details and apply discounts during checkout. However, the application exposes a discount parameter in the API, enabling users to set arbitrary discount values without proper validation.

Original Request:

GET /api/products/567
Content-Type: application/json

Response:

{
  "product_id": 567,
  "name": "Wireless Earbuds",
  "price": 100.00,
  "discount": 0,
  "final_price": 100.00
}

Here, the user views the product details with no discount applied, and the final_price reflects the original price.

Problematic POST Request to Apply a Discount at Checkout:

In this request, the user attempts to apply a discount. However, the server does not validate the discount value, allowing arbitrary discounts to be applied.

POST /api/checkout
Content-Type: application/json

{
  "product_id": 567,
  "quantity": 1,
  "discount": 100,
  "final_price": 0.00
}

Server Response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "message": "Discount applied successfully.",
  "checkout_summary": {
    "product_id": 567,
    "quantity": 1,
    "discount": 100,
    "final_price": 0.00
  }
}

The server accepts the client-supplied discount value without verification, allowing users to apply unauthorized discounts. A user could abuse this vulnerability to purchase items at a fraction of the original price.

Location

The issue can be found in the source code on the server side.

Remedy suggestions
  • Ensure that access control mechanisms are applied not only to objects but also to their individual properties.

  • Validate and sanitize all incoming data to prevent injection attacks.

  • Ensure that only authorized properties can be accessed or modified by users based on their roles.

  • Apply the principle of least privilege by granting users the minimum level of access necessary for their role. This reduces the risk of unauthorized access to sensitive properties.

  • Avoid using generic methods such as to_json() and to_string(). Instead, cherry-pick the specific object properties you want to return. If possible, avoid using functions that automatically bind a client's input into code variables, internal objects, or object properties.

  • Implement a schema-based response validation mechanism as an extra layer of security. As part of this mechanism, define the schema of the data returned by every API method and enforce it, so that properties outside the schema are never exposed.
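Applying these remedies to the two examples above, as an added illustration that is not the target application's own code: requests are bound to an explicit allow-list (unknown properties such as is_admin or discount are rejected with a 400 instead of silently accepted), privileged flags and prices are set only on the server side, and responses are projected onto a declared schema. Handler names, the product catalogue and the role-based discount policy are hypothetical.

```python
# Added example: allow-list binding and server-owned properties for the two endpoints above.
# Everything here (handler names, catalogue, discount policy) is hypothetical.

REGISTER_FIELDS = {"username", "password", "email"}  # the only client-settable properties
USER_RESPONSE_FIELDS = ("username", "is_verified")   # response schema; is_admin is never returned
CHECKOUT_FIELDS = {"product_id", "quantity"}
PRODUCTS = {567: {"name": "Wireless Earbuds", "price": 100.00}}  # constructed catalogue
DISCOUNT_BY_ROLE = {"customer": 0, "staff": 20}  # percent, decided server-side from the session role


def bind(payload, allowed):
    """Allow-list binding: return (error, fields). Unknown properties are rejected rather than
    silently dropped, so an attempt to set is_admin or discount shows up as a 400 in the logs."""
    unexpected = sorted(set(payload) - allowed)
    if unexpected:
        return {"error": "unexpected properties", "properties": unexpected}, None
    missing = sorted(allowed - set(payload))
    if missing:
        return {"error": "missing properties", "properties": missing}, None
    return None, {k: payload[k] for k in allowed}


def register(payload):
    """Fixed version of POST /api/register from Example 1."""
    err, fields = bind(payload, REGISTER_FIELDS)
    if err:
        return 400, err
    user = dict(fields, is_verified=False, is_admin=False)  # privileged flags are server-set only
    # Schema-based response: project onto the declared fields instead of dumping the whole object.
    return 201, {"message": "User registered successfully.",
                 "user": {k: user[k] for k in USER_RESPONSE_FIELDS}}


def checkout(payload, role):
    """Fixed version of POST /api/checkout from Example 2: the price is recomputed server-side,
    so a client-supplied discount or final_price is never part of the bound input."""
    err, fields = bind(payload, CHECKOUT_FIELDS)
    if err:
        return 400, err
    product = PRODUCTS.get(fields["product_id"])
    if product is None or type(fields["quantity"]) is not int or fields["quantity"] < 1:
        return 400, {"error": "invalid product or quantity"}
    discount = DISCOUNT_BY_ROLE.get(role, 0)  # derived from the authenticated role, not the request
    final_price = round(product["price"] * fields["quantity"] * (100 - discount) / 100, 2)
    return 200, {"message": "Discount applied successfully.",
                 "checkout_summary": {"product_id": fields["product_id"],
                                      "quantity": fields["quantity"],
                                      "discount": discount, "final_price": final_price}}
```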

Classifications
  • CWE-915
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
References