Broken Object Level Authorization Analyzer
Configuration Name: BrokenObjectLevelAuth
Description
Object level authorization is an access control mechanism that is usually implemented in the application logic (at the code level) to control which users may perform actions on a particular object (identified by some unique identifier).
Broken Object Level Authorization (BOLA) or Insecure Direct Object Reference (IDOR) refers to improper implementation of the access control mechanism, in which case an API client may access information which it is not authorized to access. Failures in this mechanism typically leads to unauthorized information disclosure, modification, or destruction of all data. OWASP classifies Broken Object Level Authorization as the #1 Security Vulnerability in its API Security Top 10 (API1:2019).
The BrokenObjectLevelAuth analyzer validates two kinds of object-level authorization.
- If an object can be accessed using authorization and without authorization, then a finding will be reported.
- If an object can be created by one user and accessed by a different user, then a finding will be reported (principle of least privilege).
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-639 | Authorization Bypass Through User-Controlled Key | An application's authorization functionality does not prevent a client from performing actions on an object that the client is not authorized to access. | Review the implementation of access control in the application. | high, medium |