Commit 50db5f7

fix(API1:2023): clarify the technical impact
1 parent 2a62a63 commit 50db5f7

1 file changed: +1 -1 lines changed

2023/en/src/0xa1-broken-object-level-authorization.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ API1:2023 Broken Object Level Authorization
44
| Threat agents/Attack vectors | Security Weakness | Impacts |
55
| - | - | - |
66
| API Specific : Exploitability **3** | Prevalence **3** : Detectability **2** | Technical **3** : Business Specific |
7-
| Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request. Object IDs can be anything from sequential integers, UUIDs, or generic strings. Regardless the data type, they are easy to identify in the request target (path or query string parameters), requests headers, or even as part of the request payload. | This issue is extremely common in API-based applications because the server component usually does not fully track the client's state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access. In most cases threat agents have full control over the request data, including object IDs. The server response is enough to understand whether the request was successful. | Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Under certain circumstances, unauthorized access to objects can also lead to full account takeover. |
7+
| Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request. Object IDs can be anything from sequential integers, UUIDs, or generic strings. Regardless the data type, they are easy to identify in the request target (path or query string parameters), requests headers, or even as part of the request payload. | This issue is extremely common in API-based applications because the server component usually does not fully track the client's state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access. In most cases threat agents have full control over the request data, including object IDs. The server response is enough to understand whether the request was successful. | Unauthorized access to other users' objects can result in data disclosure to unauthorized parties, data loss, or data manipulation. Under certain circumstances, unauthorized access to objects can also lead to full account takeover. |
88

99
## Is the API Vulnerable?
1010
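Review bot: the reworded Impacts cell on the changed line narrows the consequence to "other users' objects", while the Security Weakness cell in the same row describes the server relying on client-supplied object IDs "to decide which objects to access" without limiting this to objects owned by another user; wording such as "Unauthorized access to objects the caller is not authorized for" would keep cross-tenant and non-user-owned objects (the same request-manipulation vector) within scope. Since this line is being touched anyway, the unchanged context in its first cell still reads "Regardless the data type" and "requests headers"; "Regardless of the data type" and "request headers" would fix both in the same commit.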
