API 211 - Mitigating APIs Broken Object Level Authorization: Page 1 of 19
Table of Contents
Course Overview and Objectives (page 3)
Object Level Authorization (page 5)
Direct Object Reference Example (page 7)
Parameter Tampering (page 9)
Parameter Tampering Example (page 10)
Path Traversal (page 11)
Object Enumeration (page 12)
Best Practices (page 14)
Knowledge Check (page 16)
Course Summary (page 18)
Thank You (page 19)
Page 1 of 19
API 211 – Mitigating APIs Broken Object Level Authorization
Narration
On screen text
API 211
Mitigating APIs Broken Object Level Authorization
Narration
This course is designed for NICE Workforce roles Software Developer (SP-DEV-001) and Secure Software
Assessor (SP-DEV-002). The objectives of this course align with OWASP API Security Top 10 and the
NIST Cybersecurity Framework.
On successful completion of this course, you should have the knowledge and skills required to identify
and resolve object-level authorization issues; be aware of, and mitigate, the most common attack
methods against APIs with broken object-level authorization; and employ industry best practices to
prevent and mitigate broken object-level authorization vulnerabilities.
On screen text
Designed for the Software Developer (SP-DEV-001) and Secure Software Assessor (SP-DEV-002)
roles.
Objectives align with OWASP API Security Top 10 and the NIST Cybersecurity Framework.
On successful completion of this course, you should have the knowledge and skills required to:
• Identify and resolve object-level authorization issues
• Be aware of, and mitigate, the most common attack methods against APIs with broken object-level
authorization
• Employ industry best practices to prevent and mitigate broken object level authorization
vulnerabilities
Narration
Broken object-level authorization is any vulnerability where an attacker can exploit API endpoints to
bypass object access control. By manipulating request parameters, one might be able to access sensitive
data or files.
A direct object reference is when an API call directly refers to an object such as a user account ID. An
insecure direct object reference is one that allows access to other objects by changing that ID.
Without proper access control, an attacker might be able to predict or guess other objects that they
may not be authorized to access.
On screen text
/api/accounts?id=3928
/api/accounts?id=1
/api/accounts?id=2
/api/accounts?id=3
/api/accounts?id=4
Narration
To illustrate this, let’s look at an example. Here is an API request that refers to an account ID three ten,
which is the primary database key for that user’s record.
But what happens if an API user, after authenticating, were to switch the user ID? Without proper
authorization at the object level, they might be able to modify a request so that it results in data
disclosure, modification, or erasure.
--
An insecure direct object reference can occur anywhere an API directly references a server resource,
such as a file, directory, database record, or other application object. The problem occurs when the
software fails to check for proper authorization for every parameter. The application needs to ensure
that the user has access to all requested resources.
The most common ways to exploit direct object references are parameter tampering, path traversal, and
object enumeration.
On screen text
Disclosure
Modification
Erasure
Parameter Tampering
Path Traversal
Object Enumeration
Parameter Tampering
Narration
Parameter tampering is attacking an API by manipulating request parameters. This can result in the API
receiving unexpected values and possibly allowing unauthorized access to data.
Parameter tampering might include values such as a REST path or query string parameter, POST data,
custom HTTP header, or anything else that directly accesses a resource. In some cases, a parameter
might be an application object property not intended for API access.
What’s important to remember is that the value must directly point to data, an object, or a server
resource, so modifying values such as a Host or Referer header likely will not have any effect and might
cause an API request to fail.
On screen text
Parameter Tampering
Narration
Here is an example of parameter tampering, where a REST API call returns details of a customer’s
invoice.
Here there are two parameters—the account number and the invoice number. To prevent someone
from viewing an invoice from another account, the API must check that they have properly
authenticated to the indicated account and that this account has access to that invoice.
--
In this second example, a developer is using an API call to transfer money from one financial account to
another.
In this case, the API must ensure that the authenticated API user has the necessary access rights to both
the sending and recipient accounts. This not only helps avoid sending money to the wrong account but
prevents someone from modifying the sending account number to pull from another customer’s
balance.
--
This final example shows an API call that allows viewing a file. It is important, however, to ensure that
the user has access to the file specified before displaying it. Failure to do so might allow a user to
specify any file name and view that file.
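The invoice and transfer examples above share one mitigation: a single, deny-by-default authorization check that every client-supplied object reference passes through. The following is an added example, not code from the course; the account and invoice numbers are constructed sample data, and the two handlers stand in for the REST endpoints the narration describes.

```python
class Forbidden(Exception):
    """Raised whenever the caller is not authorized for the referenced object."""

# Constructed sample data: alice owns 3928 and 3930, bob owns 3929.
# Each record holds the owning user, a balance and invoices (number -> text).
ACCOUNTS = {
    3928: {"owner": "alice", "balance": 500, "invoices": {7001: "alice invoice 7001"}},
    3930: {"owner": "alice", "balance": 0, "invoices": {}},
    3929: {"owner": "bob", "balance": 300, "invoices": {7002: "bob invoice 7002"}},
}

def authorize_account(user: str, account_number: int) -> dict:
    """Single choke point for every account reference. Deny by default: an unknown
    account and an account owned by someone else raise the same Forbidden, so the
    response does not reveal which of the two applied."""
    account = ACCOUNTS.get(account_number)
    if account is None or account["owner"] != user:
        raise Forbidden()
    return account

def get_invoice(user: str, account_number: int, invoice_number: int) -> str:
    """GET /api/accounts/<account>/invoices/<invoice>; both values are client-supplied."""
    account = authorize_account(user, account_number)
    # The invoice must belong to THIS account, not merely exist somewhere in the system.
    if invoice_number not in account["invoices"]:
        raise Forbidden()
    return account["invoices"][invoice_number]

def transfer(user: str, src: int, dst: int, amount: int):
    """POST /api/transfer: the caller must be authorized for BOTH accounts. Checking only
    the sender would let a user push funds anywhere; checking only the recipient would
    let them pull from any other customer's balance."""
    sender = authorize_account(user, src)
    recipient = authorize_account(user, dst)
    if amount <= 0 or sender["balance"] < amount:
        raise ValueError("invalid amount")
    sender["balance"] -= amount
    recipient["balance"] += amount
    return sender["balance"], recipient["balance"]

def denied(fn, *args) -> bool:
    """Helper: True when the call is refused with Forbidden."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```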
On screen text
Path Traversal
Narration
Sometimes a user can bypass authorization by tricking the API into accessing an unintended file. One of
these techniques is path traversal.
With path traversal, an attacker navigates through the file system to reach files by using path traversal
characters such as the double dot and slash. This is usually possible when a web application does not
validate file names, or when an attacker can make a function believe it is accessing one file when it is in
fact accessing a completely different one.
Sometimes an attacker might use different character encodings or character equivalents to bypass
validation checks.
--
Here are some examples of path traversal attacks.
On screen text
Path Traversal
Path traversal allows an attacker to navigate through the file system to access files using path traversal
characters.
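One way to validate a user-supplied file name before the authorization check and before touching the file, covering the literal, backslash and percent-encoded variants the narration mentions. This is an added example, not code from the course; the base directory /srv/reports is an assumption for illustration.

```python
import os
from urllib.parse import unquote

REPORT_DIR = os.path.realpath("/srv/reports")   # assumed base directory for this example

class InvalidPath(Exception):
    pass

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until the value stops changing, which catches double
    encoding such as %252e%252e (-> %2e%2e -> ..). Give up if it never settles."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise InvalidPath("too many encoding layers")

def safe_report_path(user_input: str) -> str:
    """Return the absolute path of a report under REPORT_DIR, or raise InvalidPath.
    Runs before any authorization check or file access, as the course recommends."""
    name = fully_decode(user_input)
    if "\x00" in name:
        raise InvalidPath("null byte")
    name = name.replace("\\", "/")          # treat backslash as a separator too
    # Reject absolute paths and any '..' component outright instead of stripping
    # them; stripping is bypassable (e.g. '....//' collapses to '../' after one pass).
    if name.startswith("/") or ".." in name.split("/"):
        raise InvalidPath("traversal sequence")
    candidate = os.path.realpath(os.path.join(REPORT_DIR, name))
    # Defence in depth: the canonical path must still sit inside the base directory
    # (this is also what catches symlinks that point elsewhere).
    if os.path.commonpath([REPORT_DIR, candidate]) != REPORT_DIR:
        raise InvalidPath("escapes base directory")
    return candidate

def rejects(user_input: str) -> bool:
    """Helper: True when the file name is refused."""
    try:
        safe_report_path(user_input)
        return False
    except InvalidPath:
        return True
```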
Object Enumeration
Narration
Object enumeration is discovering object identifiers or names using brute-force scanning of sequences,
patterns, or common object names.
If an attacker saw a URL such as this one, the first thing they might try is changing the account number
to see if they can access another user’s account. What makes this such an obvious attack is that the
account number is small enough so that it appears to be sequential. In other words, this is the two
hundred and twentieth account on the system.
It would be simple to substitute other numbers to see if it is possible to switch to another account.
While this is unlikely to succeed, any error messages returned may still be useful for an attacker. There
might also be different errors for a value that does not exist versus a file that does exist, but that you do
not have access to. This might be useful to enumerate accounts, files and directories, or other sensitive
data.
On screen text
Object Enumeration
Object enumeration discovers object identifiers or names using brute-force scanning of sequences,
patterns, or common object names.
NOT FOUND
ACCESS DENIED
Best Practices
Narration
Here are some best practices for avoiding broken object-level authorization:
First, simplify authorization by using distinct user roles that cover broad categories such as
administration, editing, and view only. From there you can provide more granular access for specific
user accounts.
Second, ensure that you have a proper system for authorizing API users.
Third, avoid referring to objects using identifiers that directly map to application objects. You could, for
example, build a reference table so that each file has a unique but random identifier that prevents
guessing or enumeration.
Fourth, deny access to all objects by default, allowing access only through explicitly-defined
permissions.
Fifth, validate input before performing an authorization check to block attempts at path traversal or
other exploits.
And finally, centralize all authorization code so that all object access must pass through this code before
performing any other operations.
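The object enumeration slide and the third best practice above point at the same fix: expose random, non-sequential identifiers through a reference table, and answer "not found" identically whether an object is missing or belongs to someone else. This is an added example, not code from the course; the account keys 220 and 221 are constructed sample data and the token format is an assumption.

```python
import secrets

class NotFound(Exception):
    """The only error the lookup raises, whatever the underlying reason."""

class ReferenceTable:
    """Maps random public tokens to internal (owner, id) pairs and back."""
    def __init__(self):
        self._by_token = {}      # token -> (owner, internal id)
        self._by_internal = {}   # (owner, internal id) -> token

    def publish(self, owner: str, internal_id: int) -> str:
        """Return the stable public token for a user's object, minting one if needed."""
        key = (owner, internal_id)
        if key not in self._by_internal:
            token = secrets.token_urlsafe(16)   # 128 random bits: not guessable or sequential
            self._by_internal[key] = token
            self._by_token[token] = key
        return self._by_internal[key]

    def resolve(self, user: str, token: str) -> int:
        """Map a token back to its internal id, but only for the owner. A token that
        does not exist and a token owned by someone else fail identically."""
        owner, internal_id = self._by_token.get(token, (None, None))
        if owner is None or owner != user:
            raise NotFound()
        return internal_id

# Constructed sample data: the sequential keys 220 and 221 never leave the server.
ACCOUNTS = {220: {"owner": "alice", "balance": 500},
            221: {"owner": "bob", "balance": 300}}
TABLE = ReferenceTable()
ALICE_TOKEN = TABLE.publish("alice", 220)

def api_response(user: str, token: str):
    """GET /api/accounts/<token>: one uniform 404 body for both 'missing' and
    'belongs to someone else', so probing cannot tell which tokens exist."""
    try:
        internal_id = TABLE.resolve(user, token)
    except NotFound:
        return 404, {"error": "not found"}
    return 200, {"balance": ACCOUNTS[internal_id]["balance"]}
```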
On screen text
Best Practices
Deny by default
Validate input
Knowledge Check
Narration
When looking for insecure direct object access vulnerabilities in an API, which of these would be the
most likely candidates? Click on all that apply.
On screen text
Knowledge Check
When looking for insecure direct object access vulnerabilities in an API, which of these would be the
most likely candidates? Click on all that apply.
Question: When looking for insecure direct object access vulnerabilities in an API, which of these would be
the most likely candidates? Click on all that apply.
Flip card options (the definition is shown on the back of each card):
• Report Name: A parameter that indicates the filename of a report.
• Invoice Number: An identifier that is the primary key for an invoice.
• HTTP Post Header: The HTTP Host header of an API request.
Course Summary
Narration
In this course, you learned about mitigating APIs' broken object level authorization.
Topics discussed during this course include the insecure nature of direct object references and how to
implement proper access control, common methods of attack against APIs with broken object-level
authorization and corresponding mitigation techniques, and industry best practices to eliminate or
mitigate broken object level authorization vulnerabilities.
On screen text
Course Summary
In this course, you learned about mitigating Identification and Authentication Failures, as designated by
OWASP standards. Included in the topics discussed:
• Targeted testing against brute force and password spraying attacks
• Various options within multifactor authentication to improve authentication security, as well as
testing methods for each type
• Testing techniques to ensure password resets, password policy, and password storage are secure
and aligned with industry best practices and standards
Thank You
Narration
Thank You
This concludes the Mitigating APIs Broken Object Level Authorization course. Thank you.
Click the “Take the Exam” button to proceed to the exam.