Introduction to API03:2023 Broken Object Property Level Authorization
Broken Object Property Level Authorization happens when an API correctly restricts access to an object but fails to control access to specific properties within that object. For example, a user might be allowed to view their profile but should not be able to change roles or access admin-only fields. If the API does not enforce fine-grained authorization checks on each property, attackers can manipulate requests to read or modify sensitive data. This often occurs in PUT or PATCH requests, where the handler binds the whole request body onto the stored object without filtering which fields the caller may set. The fix is to apply authorization at both the object and property levels, using an explicit per-role allowlist of readable and writable fields rather than a denylist, so that only permitted fields are exposed or modifiable for each user role.
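As an added example (not code from the original page), the pattern described above in a minimal Python PATCH handler: the vulnerable mass-assignment form beside an allowlist-based fix, plus the matching read-side filter. The field names, roles and user record are assumed for illustration; no web framework is used so it runs stand-alone.

```python
# Constructed per-role allowlists: which properties each relationship to the
# object may read and may write. Anything not listed is denied by default.
READ_FIELDS = {
    "self":  {"id", "username", "email", "role"},
    "admin": {"id", "username", "email", "role", "email_verified", "internal_notes"},
}
WRITE_FIELDS = {
    "self":  {"username", "email"},
    "admin": {"username", "email", "role", "email_verified", "internal_notes"},
}


class Forbidden(Exception):
    """Raised when an object-level or property-level check fails."""


def _relationship(actor, target):
    """Object-level check: 'admin', 'self', or None (no access to the object)."""
    if actor["role"] == "admin":
        return "admin"
    if actor["id"] == target["id"]:
        return "self"
    return None


def update_vulnerable(target, actor, patch):
    """Object-level check only: every submitted property is merged (mass assignment)."""
    if _relationship(actor, target) is None:
        raise Forbidden("not your object")
    target.update(patch)          # {"role": "admin"} from a normal user is accepted
    return target


def update_secure(target, actor, patch):
    """Object-level check, then a property-level allowlist on the submitted keys."""
    rel = _relationship(actor, target)
    if rel is None:
        raise Forbidden("not your object")
    disallowed = set(patch) - WRITE_FIELDS[rel]
    if disallowed:
        # Reject rather than silently drop: a rejected request is visible in logs
        # and tells the client exactly which properties it may not set.
        raise Forbidden(f"cannot set {sorted(disallowed)}")
    target.update(patch)
    return target


def serialize(target, actor):
    """Read side: expose only the properties the caller's relationship permits."""
    rel = _relationship(actor, target)
    if rel is None:
        raise Forbidden("not your object")
    return {k: v for k, v in target.items() if k in READ_FIELDS[rel]}


def denied(fn, *args):
    """True when the call is rejected; used to demonstrate the two handlers."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```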