I'm kicking off a series of articles on API Security 🔐 to help us—developers 👨💻👩💻—better understand and implement secure coding in our software design. 🛡️
Here is the third one: Broken Object Property Level Authorization
APIs expose objects, but not all properties should be accessible to every user. When APIs fail to enforce proper authorization at the property level, sensitive data can be leaked or modified.
📌 What is Broken Object Property Level Authorization?
This vulnerability occurs when:
- APIs expose sensitive properties (e.g., admin flags, passwords 🔑).
- Users can access or modify restricted fields in API requests.
- Client-side controls are relied upon instead of server-side validation.
⚠️ How Does It Happen?
🚫 Overexposed API responses – The API returns more data than the user should be allowed to see.
🚫 Client-side trust issues – Fields hidden in the UI are still accepted or returned by the API.
🚫 Insufficient request validation – Attackers add or modify JSON properties to update restricted fields.
🎯 Example Attack:
1️⃣ A user sends a request:
{ "username": "user123", "role": "user" }
2️⃣ The attacker modifies the request:
{ "username": "user123", "role": "admin" }
3️⃣ If the API lacks property-level authorization, the attacker grants themselves admin access! 🎭
🔍 Real-World Risks:
✅ Exposing PII (Personally Identifiable Information) 📄
✅ Allowing privilege escalation 🏴☠️
✅ Leaking internal system details 🛠️
🛡️ How to Prevent It?
🔸 Enforce authorization at the property level – Limit exposure of sensitive fields.
🔸 Use allowlists for API responses – Return only necessary fields.
🔸 Validate input on the server – Prevent unauthorized property modifications.
🔸 Follow the principle of least privilege – Restrict API access based on user roles.
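The attack above and the four preventions side by side, as an added example that is not part of the original post: a mass-assignment style update that copies every JSON key onto the user object, next to a server-side version with a per-role write allowlist and a per-role response allowlist. The user record, the two roles and the field names are constructed for the demo.

```python
import copy

# Constructed sample record (not from the original post); the hash and IP are placeholders.
SAMPLE_USER = {
    "username": "user123",
    "email": "user123@example.com",
    "password_hash": "<placeholder-hash>",
    "last_login_ip": "203.0.113.7",
    "role": "user",
}

# Server-side allowlists keyed by the CALLER's role (assumption: only these two roles).
# A normal user can never set "role", so the request body never decides privilege.
WRITABLE = {"user": {"email"}, "admin": {"email", "role"}}
READABLE = {"user": {"username", "email", "role"},
            "admin": {"username", "email", "role", "last_login_ip"}}
IDENTIFIER = "username"  # record key: accepted in the body only if it is unchanged

def update_user_vulnerable(user, payload):
    """Mass assignment: every key in the JSON body lands on the object."""
    updated = copy.deepcopy(user)
    updated.update(payload)  # {"role": "admin"} is applied without any check
    return updated

def rejected_properties(user, payload, caller_role):
    """Return the body keys the caller may not set (empty list = request is allowed)."""
    allowed = WRITABLE.get(caller_role, set())
    bad = []
    for key, value in payload.items():
        if key == IDENTIFIER:
            if value != user[IDENTIFIER]:
                bad.append(key)  # body must not rename or retarget the record
        elif key not in allowed:
            bad.append(key)      # unknown keys are rejected too, not silently ignored
    return sorted(bad)

def update_user_secure(user, payload, caller_role):
    """Property-level authorization: refuse the whole request if any key is disallowed."""
    bad = rejected_properties(user, payload, caller_role)
    if bad:
        # Worth logging: repeated rejections of "role" are a useful detection signal.
        raise PermissionError(f"role {caller_role!r} may not set {bad}")
    updated = copy.deepcopy(user)
    updated.update({k: v for k, v in payload.items() if k != IDENTIFIER})
    return updated

def serialize_user(user, caller_role):
    """Response allowlist: return only the fields this role needs; password_hash never leaves."""
    allowed = READABLE.get(caller_role, set())
    return {k: v for k, v in user.items() if k in allowed}
```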
🚀 Security isn’t just about endpoints; it’s about what’s inside the data!
#APISecurity #OWASP #CyberSecurity #SecureCoding #Authorization
- API3:2019 - Excessive Data Exposure - OWASP API Security Top 10 2019
- API6:2019 - Mass Assignment - OWASP API Security Top 10 2019
- OWASP Mass Assignment Cheat Sheet
- CWE-213: Exposure of Sensitive Information Due to Incompatible Policies
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes