Previously developers used the sequential number as userID such as 699,700, 7001 and so on. So all an attacker had to do was either subtract or add ''1" to the current userID the attacker had access to, nowadays a web application has become smarter and doesn't fall for these tricks anymore. APIs are very similar to what I explained above, you can intercept an API request and change the value of the parameters and then send it to the server.
Understanding Authorization and Authentication
Authentication and Authorization are two important security concepts that are commonly used in software systems.
Authentication refers to the process of verifying the identity of a user or an entity attempting to access a system or resource. It answers the question "Who are you?" and establishes the identity of a user. In simple terms, authentication is the process of validating the credentials of a user.
Authorization, on the other hand, is the process of determining whether a user that has been authenticated has the right or permission to access a specific resource or perform a specific operation. It answers the question "What are you allowed to do?" and establishes what a user is authorized to access, modify or perform. In other words, authorization is the process of granting or denying access based on the permissions assigned to a user.
To illustrate the difference between the two concepts, imagine you are attempting to enter a restricted area. You would first be required to authenticate yourself by presenting identification such as a badge, ID card or passport. If your identity is verified, you would then be authorized to enter the area based on the permissions assigned to you, for example, if you have been assigned rights to access that area.
In software systems, authentication is typically done using a username and password combination, or through other mechanisms like biometrics and multi-factor authentication. Authorization is usually based on predefined roles and permissions that have been assigned to a user, as well as the type of resource they are trying to access.
In summary, Authentication establishes the identity of a user, whereas Authorization determines what actions a user is allowed to perform based on their identity. Both concepts must be implemented properly in any software system to ensure secure and controlled access to sensitive data and resources.
What is object level Authorization?
Object level authorization is an access control mechanism that is usually implemented at the code level to validate that one user can only access objects that they should have access to.
Every API endpoint that receives an ID of an object, and performs any type of action on the object, should implement object level authorization checks. The checks should validate that the logged-in user does have access to perform the requested action on the requested object.
Failures in this mechanism typically leads to unauthorized information disclosure, modification, or destruction of all data.
What is broken object level Authorization?
API1:2023 - Broken Object-Level Authorization is a security vulnerability that exists when the access controls or authorization mechanisms in an API system are insufficient. It occurs when an attacker can read, modify, or delete data that belongs to other users or customers by manipulating the object level access controls in the API.
In simpler terms, this means that an attacker can bypass the authorization checks implemented in the API and gain unauthorized access to sensitive data or resources. For example, if a user is only supposed to be able to read their own account information but can, in fact, access information belonging to other users, it is a case of Broken Object Level Authorization vulnerability.
This vulnerability can arise due to several reasons such as weak access controls, improper implementation of authentication mechanisms, incorrect mapping between authenticated users and authorized objects, lack of data validation, and more.
API providers must follow proper authorization techniques via the use of access control mechanisms. This will help ensure that each user can only access their own data and perform authorized actions within their designated scope. Ensuring proper access controls at the object level is essential to prevent unauthorized access, modification or deletion of sensitive data.
To counter this vulnerability, it is important to ensure that proper segmentation of the data is in place by implementing a robust authorization system. Additionally, it is essential to maintain a secure audit trail of all read, modify, and delete operations on privileged data, so that each action taken can be traced back to its source. Regular security audits and testing must also be conducted to identify any vulnerabilities and mitigate them.
How to prevent broken object-level authorization?
Implement a proper authorization mechanism that relies on the user policies and hierarchy.
Use the authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses an input from the client to access a record in the database.
Prefer the use of random and unpredictable values as GUIDs for records' IDs.
Write tests to evaluate the vulnerability of the authorization mechanism. Do not deploy changes that make the tests fail.