Introduction to API01: Broken Object Level Authorization
Broken Object Level Authorization occurs when an API exposes endpoints that handle object identifiers (like user IDs or resource IDs) but fails to properly verify whether the requester has access rights to the object. This allows attackers to manipulate object IDs in the URL or request body to gain unauthorized access to data. It's a common and critical issue in APIs, especially those exposing many endpoints and resources. The solution is to enforce authorization checks at the object level for every access attempt, regardless of whether the request is from a trusted user, device, or internal system.
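The following Python model is an added example, not code from the original page: a BOLA-prone order lookup beside a hardened version that scopes the lookup to the requester so the object-level check cannot be skipped. The `Order` type, the in-memory `ORDERS` store and the requester IDs are constructed sample data standing in for a real database and session layer.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int

# Constructed sample data: two orders belonging to two different users.
ORDERS: Dict[int, Order] = {
    1001: Order(order_id=1001, owner_id=7, total_cents=4999),
    1002: Order(order_id=1002, owner_id=8, total_cents=12000),
}

# (status code, body) mirroring what an HTTP handler would return.
Response = Tuple[int, Optional[dict]]

def _serialize(order: Order) -> dict:
    return {"order_id": order.order_id, "total_cents": order.total_cents}

def get_order_vulnerable(requester_id: int, order_id: int) -> Response:
    """BOLA-prone handler: requester_id comes from an authenticated session,
    but the object is fetched by its identifier alone and ownership is never
    compared, so any logged-in user can read any order by changing order_id."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, _serialize(order)

def find_order_for_owner(owner_id: int, order_id: int) -> Optional[Order]:
    """Data-access helper that only ever resolves objects owned by the caller.
    Putting the ownership constraint into the lookup itself (in SQL this would be
    WHERE id = ? AND owner_id = ?) means a handler cannot forget the check."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != owner_id:
        return None
    return order

def get_order_secure(requester_id: int, order_id: int) -> Response:
    """Hardened handler: the object-level authorization decision is made on
    every request, and a foreign object is reported exactly like a missing one
    (404 rather than 403) so the response does not confirm that the guessed
    identifier exists."""
    order = find_order_for_owner(requester_id, order_id)
    if order is None:
        return 404, None
    return 200, _serialize(order)
```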