OWASP API01:2019 Broken Object Level Authorization

Introduction to API1:2019 Broken Object Level Authorization

Broken Object Level Authorization, listed as API1:2019 in the OWASP API Security Top 10, occurs when an API fails to verify that the authenticated user is authorized to access or manipulate the specific object named in a request. An attacker who is authenticated as one user can then reach endpoints with guessed or tampered object identifiers, such as user IDs or resource IDs, and, because the access check is missing, view or modify another user's data. The weakness is common in APIs that expose object identifiers directly in paths, query strings or bodies. Preventing it requires a strict, user-specific access control check, tied to the authenticated caller rather than to anything the client supplies, on every API call that reads or writes an object.
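The following is an added example, not code from the original page or from OWASP or F5. It models a tiny in-memory invoice API with no web framework so it runs offline: one handler has the BOLA defect the paragraph describes (it knows who the caller is but never checks that the caller owns the requested invoice), and the hardened handler applies an ownership check on every read and write. The `Invoice` records, user IDs, function names and the `probe` helper are all constructed for illustration.

```python
"""Added example (not from the original page): a BOLA-prone handler beside
its hardened form. All data and names here are constructed for illustration."""
from dataclasses import dataclass, replace


class ObjectAccessError(Exception):
    """Raised when the object does not exist or the caller may not use it."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int        # the only user allowed to read or change this invoice
    amount_cents: int


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount_cents=4999),
    1002: Invoice(invoice_id=1002, owner_id=2, amount_cents=12000),
}


def get_invoice_vulnerable(caller_user_id: int, invoice_id: int) -> Invoice:
    """BOLA-prone handler: the caller is authenticated (we know caller_user_id)
    but the handler never checks that the caller owns the requested invoice.
    Tampering with invoice_id in the request returns someone else's record."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise ObjectAccessError(invoice_id) from None


def _load_owned_invoice(caller_user_id: int, invoice_id: int) -> Invoice:
    """Object-level authorization check shared by every invoice operation.
    The ownership test is tied to the authenticated caller, never to a user
    ID supplied by the client. 'Missing' and 'not yours' raise the same error
    so the response does not confirm whether a guessed ID exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != caller_user_id:
        raise ObjectAccessError(invoice_id)
    return invoice


def get_invoice_secure(caller_user_id: int, invoice_id: int) -> Invoice:
    """Hardened read handler: authorization is checked on this call, not
    assumed from an earlier one."""
    return _load_owned_invoice(caller_user_id, invoice_id)


def update_invoice_amount_secure(caller_user_id: int, invoice_id: int,
                                 amount_cents: int) -> Invoice:
    """Hardened write handler: the same object-level check guards mutation,
    since BOLA applies to modifying data as much as to reading it."""
    invoice = _load_owned_invoice(caller_user_id, invoice_id)
    updated = replace(invoice, amount_cents=amount_cents)
    INVOICES[invoice_id] = updated
    return updated


def probe(handler, caller_user_id: int, invoice_id: int) -> str:
    """Run a read handler and summarise the outcome as a short string, which
    makes the vulnerable/secure behaviour easy to compare side by side."""
    try:
        inv = handler(caller_user_id, invoice_id)
        return f"ok:{inv.invoice_id}:owner={inv.owner_id}"
    except ObjectAccessError:
        return "denied"


if __name__ == "__main__":
    # User 1 requests their own invoice, then a request with user 2's ID.
    for handler in (get_invoice_vulnerable, get_invoice_secure):
        print(f"{handler.__name__:24s}",
              probe(handler, 1, 1001), probe(handler, 1, 1002))
```

The point of the shared `_load_owned_invoice` helper is that the check runs inside every handler that touches an invoice rather than once at login: a single endpoint that forgets the helper is exactly the gap API1:2019 describes, so in a real code base the check belongs in a layer every object access must pass through (a repository method or middleware), not in individual handlers that can be overlooked.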
