API1:2019 Broken Object Level Authorization


API1:2019 Broken Object Level Authorization

Threat agents/Attack vectorsSecurity WeaknessImpacts
API Specific : Exploitability 3Prevalence 3 : Detectability 2Technical 3 : Business Specific
Whenever a request contains an identifier, an attacker has a possibility of exploiting the endpoint by changing that identifier. For example: /index.php?userID=1 An attacker might change this to /index.php?userID=2 and see data that does not belong to the attacker. The reason this vulnerability is so common is because API-based applications often do not check the users' authorisation level while relying on object identifiers where they should not even have access to.This is the most common vulnerability on API endpoints. Modern applications are widespread and often consist of multiple integration points which makes authorisation a lot a harder. Even if a good security design is chosen and the organisation creates a good common authorisation framework, the developers might forget to implement the solution while creating or refactoring a feature with sensitive data. Typically we can not automate access control testing, which makes this vulnerability even more prevelant. Sensitive data might leak to users that are not authorised to view or edit that data. For example /index.php?id=1 might display the data of another user that the attacker is not allowed to see. The attacker might also manipulate the data, for example if they send a POST or a PUT request on an object that does not have proper access control. This issue so severe, it might even lead to a full account takeover, for example if an attacker can change the email address of another user, the attacker can reset the password and it will be sent to their inbox.

What is Broken Object Level Authorisation?

Broken Object Level Authorisation all starts with an object. Objects should be looked at in the context of "Object-Oriented Programming", what I mean by that is objects are the things you think about first in designing a program and they are also the units of code that are eventually derived from the process. This can be anything, ranging from an account to an invoice to a credit note and everything in between. Usually, these objects are marked with an identifier because we need to address these objects directly and this is where issues can arise because we need to always check if the user is allowed to access that object. This might seem simple at first but I can assure you it's not, more about that later in the "testing" section of this article.

A broken Object issue occurs when the server does not properly check if the currently logged-in user or if a logged-out user can read, update or delete an object to which they do not have the rights.

Two main types of Broken Object Level Authorization

There are two types of broken authorization on objects, these can occur because either a userID is passed on to the server or an object, we will look into both.

Based on user ID

Sometimes a userID is passed on to the server, this can happen when we request all the resources for a certain user for example:


If we replace the userID with someone else's userID, we should not be able to get the search history of other users but when a Broken Object Level Authorization issue arises, we can view the search history of other users.

This issue is simple to solve as a developer. We simply need to check if the currently logged-in user is allowed to access those objects. In this example, we need to check if the userID from the GET parameter is the same as the userID of the object's owner.

Psuedo code:

if($_GET['userID'] === object.ownerID){
	echo "You are not allowed to view this data"

This is the safest way to handle the exception, DO NOT USE THE FOLLOWING CODE AS IT IS NOT SAFE:

if(!$_GET['userID'] === object.ownerID){
	echo "You are not allowed to view this data"

The data does not get rendered because of the redirect but a simple push of the back button can still enable the data to be displayed

Based on object ID

This vulnerability type can also exist because objectID's are passed to the server when the server does not properly check if the user is authorized for that object. This can happen very easily for example when a developer needs to secure some resources and some not. They might forget to secure one of the objects which should be secured.

Example of an attack

Whatever type we are dealing with, some properties are the same across both.

These issues can arise more easily in two situations but of course, they can arise any time that a developer forgets to add authorization. We will zoom into two examples:

How to Detect and Prevent Broken Object Level Authorization


To detect these vulnerabilities we need to test read, update, and delete actions on all objects that we are not authorized for. We can do this in two ways:

Whatever approach we decide to take, it is vital that we check all objects and that we check them for reading, updating, and deleting actions. We need to check every functionality that has access to these objects, even if it's via a secondary route (for example importing products instead of adding them manually).


We can form some general tips for preventing Broken Object Level Authorization defects. These will help prevent the vulnerability or will lower the impact if one occurs.


Broken Object Level Authorization defects are becoming ever more prevalent as functionalities of applications increase and more and more APIs are built. This requires more and more ethical hackers as it can be a severe vulnerability and it can be very easy to notice, all someone has to do is replace a number in a request if the server has not been configured properly.

Every endpoint that handles objects and receives an ID should properly enforce Object Level Authorization. The Object Level Authorization should check that the user who is trying to read or manipulate an object has the correct authorization for it.

It is really important to have proper authorization checks are in place and we should always stop users from performing actions on objects they are not allowed to perform.