
๐Ÿ” Broken Object Property Level Authorization โ€“ API3:2023 ๐Ÿšจ

March 12, 2025

I'm kicking off a series of articles on API Security 🔐 to help us developers 👨‍💻👩‍💻 better understand and implement secure coding in our software design. 🛡️


Here is the third one: Broken Object Property Level Authorization


APIs expose objects, but not every property of an object should be readable or writable by every user. When an API enforces authorization only on the object as a whole and not on its individual properties, sensitive data can be leaked (excessive data exposure) or modified (mass assignment).


📌 What is Broken Object Property Level Authorization?

This vulnerability occurs when:

  • APIs expose sensitive properties (e.g., admin flags, passwords or password hashes 🔑) in responses.
  • Users can read or modify restricted properties simply by naming them in API requests.
  • Client-side controls (hidden or read-only form fields) are relied upon instead of server-side authorization of each property.

โš ๏ธ How Does It Happen?

๐Ÿšซ Overexposed API responses โ€“ The API returns more data than a user should see.

๐Ÿšซ Client-side trust issues โ€“ Hidden fields in the UI but accessible via API.

๐Ÿšซ Insufficient request validation โ€“ Attackers modify JSON payloads to update restricted fields.


🎯 Example Attack:

1️⃣ A user updates their own profile with a request body like:

{ "username": "user123", "role": "user" }

2️⃣ The attacker changes the value of a property the UI never lets them edit:

{ "username": "user123", "role": "admin" }

3️⃣ If the API writes every property in the body to the object instead of checking which properties this caller is allowed to change, the attacker grants themselves admin access! 🎭


๐Ÿ” Real-World Risks:

โœ… Exposing PII (Personally Identifiable Information) ๐Ÿ“„

โœ… Allowing privilege escalation ๐Ÿดโ˜ ๏ธ

โœ… Leaking internal system details ๐Ÿ› ๏ธ


๐Ÿ›ก๏ธ How to Prevent It?

๐Ÿ”ธ Enforce authorization at the property level โ€“ Limit exposure of sensitive fields.

๐Ÿ”ธ Use allowlists for API responses โ€“ Return only necessary fields.

๐Ÿ”ธ Validate input on the server โ€“ Prevent unauthorized property modifications.

๐Ÿ”ธ Follow the principle of least privilege โ€“ Restrict API access based on user roles.
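The attack in the example above and the four prevention points, as an added example in Python (this is not code from the original article). The user record, the role names, the field allowlists and the request bodies are assumptions constructed for illustration. `update_user_vulnerable` is the mass-assignment pattern from the attack walkthrough; `update_user_hardened` applies a per-role write allowlist to the request and a per-role read allowlist to the response; `probe_writable` is the check a tester would run against either handler to list which properties a low-privilege caller can actually change.

```python
"""Property-level authorization on a user-profile update endpoint.

Added example, not code from the original post. The record, role names
and allowlists are assumptions; request bodies are constructed input.
"""


class PropertyNotAllowed(Exception):
    """Raised when a caller tries to write a property its role may not touch."""


# Constructed sample record. The hash is a placeholder, not a real digest.
USERS = {
    "user123": {
        "id": "user123",
        "username": "user123",
        "email": "user123@example.com",
        "password_hash": "<argon2id placeholder>",
        "role": "user",
        "is_verified": False,
        "internal_notes": "flagged for manual review",
    }
}

# Server-side allowlists keyed by the CALLER's role (assumed role names).
# Anything not listed is denied, so an unknown role can neither read nor write.
WRITABLE = {
    "user": {"username", "email"},
    "admin": {"username", "email", "role", "is_verified"},
}
READABLE = {
    "user": {"id", "username", "email", "role", "is_verified"},
    "admin": {"id", "username", "email", "role", "is_verified", "internal_notes"},
}


def serialize_user(user, caller_role):
    """Response allowlist: only fields the caller's role may see are returned."""
    allowed = READABLE.get(caller_role, set())
    return {k: v for k, v in user.items() if k in allowed}


def update_user_vulnerable(store, caller_role, user_id, payload):
    """The broken pattern: every key in the JSON body is written through
    (mass assignment) and the full record is echoed back (excessive exposure)."""
    user = store[user_id]
    user.update(payload)
    return dict(user)


def update_user_hardened(store, caller_role, user_id, payload):
    """Property-level check: reject the whole request if any key is outside
    the caller's write allowlist, then return only readable fields."""
    allowed = WRITABLE.get(caller_role, set())
    forbidden = sorted(set(payload) - allowed)
    if forbidden:
        # Reject rather than silently drop the extra keys: a client that sends
        # "role" is buggy or hostile, and a 400/403 makes the attempt visible.
        raise PropertyNotAllowed(forbidden)
    user = store[user_id]
    user.update(payload)
    return serialize_user(user, caller_role)


def probe_writable(handler, caller_role, user_id):
    """Tester's check: try to overwrite each known property one at a time as
    `caller_role` and report which ones actually changed. Uses a throwaway
    copy of the record for every attempt so the probes do not interfere."""
    changed = set()
    for prop, current in USERS[user_id].items():
        store = {user_id: dict(USERS[user_id])}
        # Flip booleans, otherwise append a marker, so the write is observable.
        new_value = (not current) if isinstance(current, bool) else f"{current}-tampered"
        try:
            handler(store, caller_role, user_id, {prop: new_value})
        except PropertyNotAllowed:
            continue
        if store[user_id][prop] != current:
            changed.add(prop)
    return changed


if __name__ == "__main__":
    tampered = {"username": "user123", "role": "admin"}  # the article's step 2
    vuln = {"user123": dict(USERS["user123"])}
    print("vulnerable handler returned:", update_user_vulnerable(vuln, "user", "user123", tampered))
    hard = {"user123": dict(USERS["user123"])}
    try:
        update_user_hardened(hard, "user", "user123", tampered)
    except PropertyNotAllowed as err:
        print("hardened handler rejected:", err.args[0], "- role is still", hard["user123"]["role"])
    print("writable as 'user' (vulnerable):", sorted(probe_writable(update_user_vulnerable, "user", "user123")))
    print("writable as 'user' (hardened):  ", sorted(probe_writable(update_user_hardened, "user", "user123")))
```

Run as a script to see both handlers against the same tampered body: the vulnerable one promotes the caller and echoes the password hash and internal notes back; the hardened one refuses the request with the offending property name and leaves the role untouched. The probe shows the difference in one line each: every property is writable by a plain user through the vulnerable handler, only `username` and `email` through the hardened one. Note that both allowlists default to an empty set for an unknown role, so a missing or misspelled role fails closed rather than open.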


🚀 Security isn't just about endpoints; it's about what's inside the data!

#APISecurity #OWASP #CyberSecurity #SecureCoding #Authorization