API1 2019 Broken Object Level Authorization
API1 2019 Broken Object Level Authorization
Introduction
API1:2019 Broken Object Level Authorization
Threat agents/Attack
Security Weakness Impacts
vectors
API Specific : Exploitability
Prevalence 3 : Detectability 2 Technical 3 : Business Specific
3
Untitled
A broken Object issue occurs when the server does not properly check if the currently
logged in user or if a logged out user can read, update or delete an object to which they
do not have the rights.
Based on user ID
Sometimes a userID is passed on to the server, this can happen when we request all
the resources for a certain user for example:
https://google.com/get_users_search_history?userID=1234
If we replace the userID with someone else's userID, we should not be able to get the
search history of other users but when a Broken Object Level Authorization issue
arises, we can view the search history of other users.
This issue is simple to solve as a developer. We simply need to check if the currently
logged in user is allowed to access those objects. In this example we need to check if
the userID from the GET parameter is the same as the userID of the object's owner.
Psuedo code:
This is the safest way to handle the exception, DO NOT USE THE FOLLOWING CODE AS IT IS NOT
SAFE:
The data does not get rendered because of the redirect but a simple push of the back butto
n can still enable the data to be displayed
Example of an attack
Whatever type we are dealing with, some properties are the same across both.
These issues can arise more easily in two situations but of course they can arise any
time that a developer forgets to add authorisation. We will zoom into two examples:
For example if you build a function to add products but users should only be
able to edit their own products. We have 3 calls we can make to a product:
OPTIONS
These calls are secure and users can only execute them for their own objects
The problem is that the developers forgot to check if the user is allowed to write
to that product with id=1 and the attacker can overwrite product details of
products that do not belong to them
POST /import.php?
StartUpdateData()
In this pseudo code example we can see the described vulnerability in action
For example we are building a function to update the prices of our products
based on the products of our supplier every 10 minutes if a user is using the
website but we are only allowed to update the prices of our own products. A call
might get implemented that checks the prices in the background. An attacker
can abuse this call to check the prices if they simply replace the objectID but it
goes unnoticed because the call happens in the background.
TimerForProducts(){
wait(24H)
UpdatePrices($_GET[UsersProducts[])
}
UpdatePrices(products[]){
for each product in products{
getPrice()
}
}
GET /updatePrices?UsersProducts=1,2,3,4
Replace every objectID that we encounter with one that we are not authorised for
and see if we can execute the call succesfully
Replace our authentication token with the token from another user and browse our
own objects. The advantage of doing this we can automate this approach, it's really
hard to automate replacing every objectID because it can be named differently (i.e.
adressID, productID,...) but the authorisation header is always the same.
Whatever approach we decide to take, it is vital that we check all objects and that we
check them for read, update and delete actions. We need to check every functionality
that has access to these objects, even if it's via a secondary route (example importing
products instead of adding them manually).
Prevention
We can form some general tips for preventing Broken Object Level Authorization
defects. These will help prevent the vulnerability or will lower the impact if one occurs.
Instead of sending the userID as a parameter, we should use an auth token such as
JWT and extract the userID from there
We should always use GUIDs as id's, these are long and random strings of
numbers and letters that make it a lot harder to guess other users' identifiers
Create a centralised authorisation solution that you can re-use for every sensitive
object. This will prevent your code from becoming a mess of different authorisation
mechanisms
We need to make sure that tests are in place to ensure the existing authorisation
mechanisms keep functioning as intended
Conclusion
Broken Object Level Authorization defects are becoming ever more prevelent as
functionalities of applications increase and more and more API's are built. This requires
more and more ethical hackers as it can be a severe vulnerability and it can be very
easy to notice, all someone has to do is replace a number in a request if the server has
not been configured properly.
Every endpoint that handles objects and receives and ID should properly enfore Object
Level Authorization. The Object Level Authorization should check that the user who is
trying to read or manipulate an object has the correct authorisation for it.
It is really important to have proper authorization checks are in place and we should
always stop users from performing actions on objects they are not allowed to perform.