Security Test: Broken Object Level Authorization
Description
Default Severity:
Broken Object Level Authorization (BOLA) occurs when an API lets a client read or modify an object simply by supplying its identifier (a numeric ID, key, or similar reference) without verifying that the requester is allowed to access that particular object. An attacker who guesses or enumerates identifiers can then view or alter other users' data. The root cause is usually the assumption that passing an object reference is safe, so the handler looks the object up and returns it without checking that the requester owns it. When that basic ownership check is missing, sensitive records can be exposed or altered across the whole user base, leading to breaches and loss of trust in the application.
Configuration
Identifier:
access_control/bola
Examples
All available configuration:

```yaml
checks:
  access_control/bola:
    skip: false # default
    options:
      threshold_enum: 0.6 # default
      threshold_res: 0.8 # default
```
Options
Options can be set in the options key of the Security Test Configuration.

Property | Type | Default | Description |
---|---|---|---|
threshold_enum | number | 0.6 | Fraction of a field's observed values that must look enumerable (for example, sequential integers) before the field is treated as an enumerable identifier and probed. |
threshold_res | number | 0.8 | Fraction of enumerated values that must return a successful response before an alert is raised; error responses for non-existent or denied objects lower this rate. |
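The following is an added example, not code from this scanner or its documentation, illustrating both the vulnerability described above and how the two thresholds in the options table can be applied. It pairs a minimal handler that looks an invoice up by ID with no ownership check against its hardened form, then runs a toy enumeration probe that (1) decides whether an identifier field is enumerable using a hypothetical criterion compared against `threshold_enum`, and (2) compares the success rate of enumerated requests against `threshold_res` to decide whether to alert. All function names, the invoice data, and the enumerability criterion are assumptions constructed for the example; the real scanner's heuristics are not shown on this page.

```python
"""Added example (hypothetical names; not the scanner's own code).

Shows a BOLA-vulnerable handler beside its ownership-checked form, and a toy
probe that applies threshold_enum / threshold_res as described in the options
table. The data below is constructed inline for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: sequential integer invoice IDs (a classic
# enumerable identifier). Note that 108 does not exist, so a probe of it
# returns an error and lowers the success rate.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 45.50},
    103: {"owner": "bob", "total": 9.99},
    104: {"owner": "carol", "total": 310.00},
    105: {"owner": "carol", "total": 18.25},
    106: {"owner": "dave", "total": 77.00},
    107: {"owner": "dave", "total": 5.00},
    109: {"owner": "bob", "total": 64.40},
    110: {"owner": "alice", "total": 12.00},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_invoice_vulnerable(user: str, invoice_id: int) -> Response:
    """BOLA: looks the object up by ID and returns it, never checking who asked."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, inv)


def get_invoice_hardened(user: str, invoice_id: int) -> Response:
    """Same lookup, but the requester must own the object. A foreign object gets
    the same 404 as a missing one, so the response does not confirm the ID exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return Response(404)
    return Response(200, inv)


def enumerable_ratio(values) -> float:
    """Hypothetical enumerability criterion: fraction of observed values that are
    plain integers (trivially iterable). Stands in for the scanner's own heuristic."""
    vals = list(values)
    if not vals:
        return 0.0
    return sum(1 for v in vals if isinstance(v, int)) / len(vals)


def probe_bola(handler, attacker: str, seen_ids, *,
               threshold_enum: float = 0.6, threshold_res: float = 0.8) -> dict:
    """Enumerate IDs between the ones the attacker legitimately saw and report
    whether the handler hands back objects the attacker should not get."""
    if enumerable_ratio(seen_ids) < threshold_enum:
        return {"enumerable": False, "success_rate": 0.0, "leaked_ids": [], "alert": False}
    lo, hi = min(seen_ids), max(seen_ids)
    candidates = [i for i in range(lo, hi + 1) if i not in seen_ids]
    leaked = [i for i in candidates if handler(attacker, i).status == 200]
    rate = len(leaked) / len(candidates) if candidates else 0.0
    return {"enumerable": True, "success_rate": rate,
            "leaked_ids": leaked, "alert": rate >= threshold_res}


if __name__ == "__main__":
    # alice legitimately knows her own invoices 101 and 110 and probes between them.
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("hardened", get_invoice_hardened)):
        print(name, probe_bola(handler, "alice", [101, 110]))
    # Opaque identifiers never pass threshold_enum, so no probing happens.
    print("opaque ids", probe_bola(get_invoice_vulnerable, "alice", ["8f3a2c", "c1d2e9"]))
```

Against the vulnerable handler the probe leaks seven of the eight enumerated IDs (the missing invoice 108 is the only error), a success rate of 0.875 that clears `threshold_res` and raises the alert; against the hardened handler every foreign ID returns 404, the rate is 0.0, and nothing is raised. Opaque string identifiers score 0.0 on the enumerability criterion and are skipped before any request is sent.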
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API1:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.8 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.9.4 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 863 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
CVSS Score | 5.1 |