tag: AuthZ

Broken Object Level Authorization is the number one in OWASP’s API security top 10. APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user. What is Authorization? Decide if an action can be taken. Can Alice view document #123? Can Alice view document #123 at 16:30 on Tuesday, 11 June, 2024? Can Bob edit document #123 in China? Can Bob edit document #123 in China, when authenticated with MFA? Can a manager create document #456 We can always identify the following: ...

Broken Object Level Authorization is the number one in OWASP’s API security top 10. APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user. What is Authorization? Decide if an action can be taken. Can Alice view document #123? Can Alice view document #123 at 16:30 on Tuesday, 11 June, 2024? Can Bob edit document #123 in China? Can Bob edit document #123 in China, when authenticated with MFA? Can a manager create document #456 We can always identify the following: ...