Broken Object Level Authorization

GPTKB entity

Statements (25)
Predicate                                     Object
gptkbp:instanceOf                             gptkb:security
gptkbp:alsoKnownAs                            gptkb:BOLA
gptkbp:category                               Access Control Vulnerability
gptkbp:cause                                  Missing or improper authorization checks
gptkbp:commonIn                               gptkb:REST_APIs
                                              gptkb:GraphQL_APIs
                                              Web applications
gptkbp:describedBy                            gptkb:OWASP_Top_10
gptkbp:example                                User can access another user's data by modifying object ID in request
gptkbp:firstDescribed                         gptkb:OWASP
https://www.w3.org/2000/01/rdf-schema#label   Broken Object Level Authorization
gptkbp:impact                                 Data breach
                                              Loss of confidentiality
                                              Regulatory non-compliance
gptkbp:mitigatedBy                            Implement proper authorization checks
                                              Do not rely solely on user input for object references
                                              Use object-level access control
gptkbp:owaspTop10Category                     A1:2021 - Broken Access Control
gptkbp:relatedTo                              Insecure Direct Object Reference
gptkbp:riskFactor                             Privilege escalation
                                              Data leakage
                                              Unauthorized access to data
gptkbp:testedBy                               Tamper with object identifiers in API requests
gptkbp:bfsParent                              gptkb:OWASP_API_Security_Top_10
gptkbp:bfsLayer                               7