Broken Object Level Authorization is number one in OWASP's API Security Top 10.
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of object-level access control issues. Object-level authorization checks should be considered in every function that accesses a data source using an ID supplied by the user.
What is authorization? Deciding whether an action may be taken.
Can Alice view document #123? Can Alice view document #123 at 16:30 on Tuesday, 11 June 2024? Can Bob edit document #123 in China? Can Bob edit document #123 in China when authenticated with MFA? Can a manager create document #456? We can always identify the following:
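As an added illustration (not code from the original page), the following Python shows the defect the OWASP entry describes beside its fix: a handler that looks up a document purely by the ID taken from the request, and the same handler with an object-level check before the object is returned. The in-memory document store and the "only the owner may view" rule are constructed assumptions for this example.

```python
from dataclasses import dataclass


# Constructed in-memory "data source" standing in for a database table.
@dataclass(frozen=True)
class Document:
    id: int
    owner: str
    body: str


DOCUMENTS = {
    123: Document(123, "alice", "Alice's notes"),
    456: Document(456, "bob", "Bob's draft"),
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def get_document_vulnerable(current_user: str, doc_id: int) -> Document:
    # Broken Object Level Authorization: the ID comes straight from the
    # request and selects the row. Any authenticated user can read any
    # document simply by changing the number in the URL or body.
    return DOCUMENTS[doc_id]


def can_view(user: str, doc: Document) -> bool:
    # Assumed object-level rule for this example: only the owner may view.
    return doc.owner == user


def get_document_checked(current_user: str, doc_id: int) -> Document:
    # The same lookup, but the decision is made against the specific
    # object the ID resolves to, not just "is the caller logged in".
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_view(current_user, doc):
        # One error for both "does not exist" and "not yours", so a caller
        # cannot use the response to enumerate which IDs are real.
        raise Forbidden(f"user {current_user} may not view document {doc_id}")
    return doc


def view_allowed(current_user: str, doc_id: int) -> bool:
    """Convenience wrapper: True if the checked handler would serve the document."""
    try:
        get_document_checked(current_user, doc_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Bob asks for Alice's document: the vulnerable handler serves it,
    # the checked handler refuses.
    print(get_document_vulnerable("bob", 123).owner)   # alice
    print(view_allowed("bob", 123))                     # False
    print(view_allowed("alice", 123))                   # True
```

The important point is where the check lives: inside the function that dereferences the user-supplied ID, so that every code path reaching the data source passes through it.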
...
In the classic XACML-based fine-grained authorization ([[fga]]) architecture, the Policy Decision Point (PDP) is responsible for deciding whether a subject, such as a user, is allowed to perform an action on a specific resource.
But in many real-world architectures this pattern is difficult to apply. Let's look at the following simple example. We want to build an application that shows a simple list of all documents a user has access to.
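To make the PDP pattern and its awkward fit with list endpoints concrete, here is an added Python example (not code from the original page, and not XACML itself): a toy PDP that answers the kind of subject/action/resource questions asked above, including the time-of-day and MFA conditions, and a list endpoint that can only filter documents by asking the PDP once per candidate document. All policy rules, subjects and documents are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset = frozenset()
    mfa: bool = False


@dataclass(frozen=True)
class Resource:
    id: int
    owner: str
    shared_with: frozenset = frozenset()


@dataclass(frozen=True)
class Context:
    now: datetime  # request time, supplied by the enforcement point


def decide(subject: Subject, action: str, resource: Resource, ctx: Context) -> bool:
    """Toy Policy Decision Point. Every rule below is an assumed example policy."""
    if action == "view":
        return subject.name == resource.owner or subject.name in resource.shared_with
    if action == "edit":
        # Assumed policy: only the owner, only with MFA, only 09:00-17:00.
        if subject.name != resource.owner or not subject.mfa:
            return False
        return time(9, 0) <= ctx.now.time() < time(17, 0)
    if action == "create":
        return "manager" in subject.roles
    return False  # deny by default for unknown actions


def list_accessible(subject: Subject, ctx: Context, documents: list) -> list:
    # The naive way to build "all documents this user may see" with a PDP:
    # fetch every candidate and ask the PDP about each one. Cost grows with
    # the size of the collection, not with the size of the result, which is
    # why this pattern is hard to apply to list endpoints.
    return [d.id for d in documents if decide(subject, "view", d, ctx)]


# Constructed sample data.
ALICE = Subject("alice", mfa=True)
BOB = Subject("bob")
MANAGER = Subject("mia", roles=frozenset({"manager"}))

DOC_123 = Resource(123, "alice", shared_with=frozenset({"bob"}))
DOC_456 = Resource(456, "bob")
DOC_789 = Resource(789, "carol")
DOCS = [DOC_123, DOC_456, DOC_789]

OFFICE_HOURS = Context(datetime(2024, 6, 11, 16, 30))
AFTER_HOURS = Context(datetime(2024, 6, 11, 19, 0))


if __name__ == "__main__":
    print(decide(ALICE, "edit", DOC_123, OFFICE_HOURS))   # True
    print(decide(ALICE, "edit", DOC_123, AFTER_HOURS))    # False
    print(decide(BOB, "edit", DOC_456, OFFICE_HOURS))     # False (no MFA)
    print(list_accessible(BOB, OFFICE_HOURS, DOCS))       # [123, 456]
```

Note that `list_accessible` has to load documents the user will never see just to ask about them; a PDP that only answers yes/no for one resource at a time cannot tell the data layer which rows to return.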
...