Skip to content

Latest commit

 

History

History
195 lines (90 loc) · 2.71 KB

Secure Coding - Broken Object Level Authorization.md

File metadata and controls

195 lines (90 loc) · 2.71 KB

Broken Object Level Authorization (API1:2023)

This vulnerability occurs due to the failure to check the permission to access resources and objects, and through it, the attacker can access the resources and data of user groups and the system. Object-level access permission checks should be considered in any function that accesses a data source using an identifier from the user.

  • Example

GET request to get details of a product with product ID:

GET /api/products/{product_id}

Non-compliant Code (.NET):

// Non-compliant code
public class UserController : ApiController
{
  [HttpGet]
  public User GetUser(int userId)
  {
    User user = UserRepository.GetUserById(userId);
    return user;
  }
  [HttpPut]
  public IHttpActionResult UpdateUser(User user)
  {
    UserRepository.UpdateUser(user);
    return Ok();
  }
}

Compliant Code (.NET):

// Compliant code
public class UserController : ApiController
{
  [HttpGet]
  [Authorize(Roles = "Admin")]
  public User GetUser(int userId)
  {
    User user = UserRepository.GetUserById(userId);
    return user;
  }
  [HttpPut]
  [Authorize(Roles = "Admin")]
  public IHttpActionResult UpdateUser(User user)
  {
    UserRepository.UpdateUser(user);
    return Ok();
  }
}

Non-compliant Code (Java):

// Non-compliant code
@RestController
public class UserController {

  @GetMapping("/users/{userId}")
  public User getUser(@PathVariable int userId) {
    User user = UserRepository.getUserById(userId);
    return user;
  }

  @PutMapping("/users/{userId}")
  public ResponseEntity<?> updateUser(@PathVariable int userId,
@RequestBody User user) {

    UserRepository.updateUser(user);
    return ResponseEntity.ok().build();
  }
}

Compliant Code (Java):

// Compliant code
public class UserController : ApiController
{
  [HttpGet]
  [Authorize(Roles = "Admin")]
  public User GetUser(int userId)
  {
    User user = UserRepository.GetUserById(userId);
    return user;
  }

  [HttpPut]
  [Authorize(Roles = "Admin")]
  public IHttpActionResult UpdateUser(User user)
  {
    UserRepository.UpdateUser(user);
    return Ok();
  }
}

General prevention suggestions:

  • In any function that accesses a data source using a user ID, consider the necessary checks for object-level access permissions. Make sure the user is authorized to access this resource.

  • Use authentication of credentials and permissions on every request. Make sure that the user attempting to access a particular object is authorized to do so.

  • Protect how user IDs are sent in requests. Use secure methods for transferring and storing credentials, such as using authentication tokens.