The OWASP API Top 10: An Overview for Technology Professionals

Cyber Expertise
Written By Charles Adams

APIs are essential in modern application development, but they can also introduce critical security vulnerabilities if not properly managed. One of the most prevalent issues we encounter in API security assessments at Exploit Strike is Broken Object Level Authorization, which allows unauthorized users to access data they should not have permission to view. In this article, we will provide a specific example of this vulnerability, explain the associated risks, and demonstrate how to fix it effectively.

Vulnerable Example: Broken Object Level Authorization

In this example, the API allows a user to fetch their account information based on the account ID. However, the API does not verify if the user actually owns the account they're trying to access. 

// Vulnerable API route app.get('/api/accounts/:accountId', (req, res) => { const accountId = req.params.accountId;

// Fetch account information without validating ownership
    db.query('SELECT * FROM accounts WHERE id = ?', [accountId], (error, results) => {
        if (error) {
            return res.status(500).json({ message: 'Database error' });
        }
        res.status(200).json(results);
    });
});

In this example, an attacker could manipulate the accountId parameter and access the data of other users by entering different accountId values in the URL, for example, /api/accounts/12345.

Fix: Implement Proper Authorization Checks

To fix this, the API needs to verify that the user making the request is authorized to access the account they're requesting. This can be done by ensuring the user’s session or token matches the owner of the account.

// Secure API route with authorization check
app.get('/api/accounts/:accountId', (req, res) => {
    const accountId = req.params.accountId;
    const userId = req.user.id;  // Assuming req.user contains authenticated user info

    // Fetch account information only if the account belongs to the authenticated user
    db.query('SELECT * FROM accounts WHERE id = ? AND userId = ?', [accountId, userId], (error, results) => {
        if (error) {
            return res.status(500).json({ message: 'Database error' });
        }
        if (results.length === 0) {
            return res.status(403).json({ message: 'Unauthorized access' });
        }
        res.status(200).json(results);
    });
});

Conclusion

Addressing vulnerabilities like Broken Object Level Authorization is crucial for maintaining secure APIs. Properly verifying user permissions before granting access to resources helps prevent unauthorized data exposure. By implementing correct authorization checks, developers can significantly reduce the risk of data breaches. Security issues like this one can be avoided with attention to detail and proactive security practices in API development.

Charles Adams
Previous

Post-Penetration Testing Excellence
Next

2025 Mid-Atlantic Cyber Coast Conferences