Commit 48e412e

chore(API3:2023): Review heading table contents
1 parent 50db5f7 commit 48e412e

File tree: 1 file changed (+1 / -1 lines changed)

2023/en/src/0xa3-broken-object-property-level-authorization.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ API3:2023 Broken Object Property Level Authorization
44
| Threat agents/Attack vectors | Security Weakness | Impacts |
55
| - | - | - |
66
| API Specific : Exploitability **3** | Prevalence **2** : Detectability **2** | Technical **2** : Business Specific |
7-
| Attackers can exploit API endpoints that are vulnerable to broken object property level authorization by reading or changing values of object properties they are not supposed to access. | Authorization in APIs is done in layers. While developers might perform proper validations to make sure that a user has access to a function, and then to a specific object, they often don't validate if the user is allowed to access a specific property within the object. | Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. |
7+
| Regular API requests to existing endpoints aimed to return objects are usually enough to get access to all object properties. This is particularly valid for REST APIs. For other protocols such as GraphQL, it may required crafted requests to specify what properties should be returned. Identifying additional properties that can be manipulated requires more effort but there are a few automated tools available to assist in this task. | Relying on the API client to filter response data is more common than allowing users to manipulate object's properties which they're not supposed to. Inspecting API responses is enough to identify sensitive information in returned objects' representations. Fuzzing is usually used to identify additional (hidden) properties. Whether they can be changed is a matter of crafting API request and perform API response analysis. Side-effect analysis may be required if target property is not returned in the API response. | Unauthorized access to object properties not meant to be manipulated by users/API clients can result in data disclosure, data loss, or data corruption. Under certain circumstances, unauthorized access to object properties can lead to privileges escalation or even full account takeover. |
88

99
## Is the API Vulnerable?
1010
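Review bot: the added row (the `7+` line) carries several grammar slips that should be fixed before merge, since this table is the headline content of the API3:2023 page: "it may required crafted requests" should read "it may require crafted requests"; "a matter of crafting API request and perform API response analysis" should read "a matter of crafting API requests and performing API response analysis"; "if target property is not returned" should read "if the target property is not returned"; and "privileges escalation" should read "privilege escalation". Also consider rephrasing "allowing users to manipulate object's properties which they're not supposed to" as "allowing users to manipulate object properties they are not supposed to", which is clearer. On substance, the new cells map well onto the Exploitability / Prevalence-Detectability / Technical impact ratings given in the row above (REST responses expose properties directly, GraphQL needs crafted queries, fuzzing finds hidden properties, side-effect analysis when the property is not echoed back), so the restructuring itself looks right; only the wording needs tightening.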