Understanding and Testing for API3:2023 — Broken Object Property Level Authorization

Introduction

APIs are essential components in modern applications, enabling data exchange and communication between different services. With the increasing reliance on APIs, security vulnerabilities have become a significant concern. One such critical vulnerability identified in the OWASP API Security Top 10 for 2023 is API3:2023 — Broken Object Property Level Authorization.

This article provides a technical overview of Broken Object Property Level Authorization, methods to test for it, and strategies to integrate its detection into your bug bounty methodology.

What is Broken Object Property Level Authorization?

Broken Object Property Level Authorization occurs when an API fails to enforce proper authorization checks at the individual object property level. This vulnerability allows unauthorized users to access or modify properties of data objects that they should not have access to. It is a combination of two issues from the 2019 OWASP API Security Top 10:

• API3:2019 Excessive Data Exposure: APIs exposing more data than necessary without proper filtering.
• API6:2019 Mass Assignment: APIs blindly accepting user input and mapping it to internal object properties without proper validation.

Key Characteristics:

• Lack of Fine-Grained…