Eve can read Alice's documents simply by changing an identifier, such as a document ID passed as a REST parameter, because the web application never enforces object-level authorization on the lookup. Once one such endpoint is found, an attacker can iterate over identifiers to probe for and retrieve other users' data.
<?php
// Vulnerable: the caller-supplied identifier is passed straight to the lookup,
// with no check that the requesting user may see this document.
$id = getInputFromUser();
$doc = getDocument($id);
return $doc;
The code above takes an identifier from the user and passes it straight to getDocument, without checking that the requesting user is allowed to see that document. Input validation or sanitization would not help here: a neighbouring document ID is a perfectly well-formed value. The missing control is an authorization check, performed against the authenticated user before the lookup:
<?php
// Hardened: resolve the authenticated user server-side and check access
// to this specific object before performing the lookup.
$id = getInputFromUser();
$user = findUsername();
$doc = "";
if (hasAccessToDocument($user, $id)) {
    $doc = getDocument($id);
} else {
    $doc = "Not authorized for this document";
}
return $doc;
Vulnerabilities of this kind are trivial to exploit: the attacker changes one number in a request and receives another user's data. Performing the authorization check before every object lookup, on the server side and against the authenticated identity rather than anything supplied in the request, closes the hole. One refinement on the snippet above: a distinct "Not authorized" message confirms to the attacker that the identifier exists, so it is common to return the same not-found response for both missing and forbidden objects.
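The following is an added example, not code from the original page, showing the same vulnerable and hardened lookups in Python with an in-memory document store and a simulated identifier sweep of the kind Eve would run. The users, documents and sharing list are constructed for the example; the hardened version goes one step beyond the page's snippet by returning the same not-found error for both unknown and forbidden identifiers.

```python
"""IDOR / broken object-level authorization: vulnerable vs. hardened document lookup.

Added example with constructed data. Nothing here comes from the original page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    id: int
    owner: str
    body: str


# Constructed sample store: Alice owns document 41, Eve owns document 42.
DOCUMENTS = {
    41: Document(41, "alice", "Alice's private notes"),
    42: Document(42, "eve", "Eve's shopping list"),
}

# Constructed sharing list: document id -> users explicitly granted read access.
SHARES = {
    41: {"bob"},
}


class NotFound(Exception):
    """Raised for unknown *and* forbidden documents so ids cannot be enumerated."""


def get_document_vulnerable(user: str, raw_id: str) -> str:
    """Mirrors the page's first snippet: the user-controlled id goes straight to the lookup.

    Parsing the id as an integer is validation, not authorization: '41' is a
    perfectly well-formed value, so Eve can still read Alice's document.
    """
    doc_id = int(raw_id)
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def has_access_to_document(user: str, doc: Document) -> bool:
    """Object-level check: owner or an explicitly shared-with user."""
    return doc.owner == user or user in SHARES.get(doc.id, set())


def get_document_secure(user: str, raw_id: str) -> str:
    """Hardened lookup: the authenticated user is checked against the object.

    In a database-backed app the equivalent is to scope the query itself,
    e.g. WHERE id = ? AND owner = ?, so an unscoped lookup cannot be written by accident.
    """
    try:
        doc_id = int(raw_id)
    except (TypeError, ValueError):
        raise NotFound(raw_id)  # malformed id: treat exactly like an unknown one
    doc = DOCUMENTS.get(doc_id)
    # Same error for "does not exist" and "not yours": no existence oracle for Eve.
    if doc is None or not has_access_to_document(user, doc):
        raise NotFound(doc_id)
    return doc.body


def readable_ids(fetch, user: str, id_range) -> list[int]:
    """Sweep a numeric id range the way an attacker would; return ids that came back."""
    found = []
    for doc_id in id_range:
        try:
            fetch(user, str(doc_id))
            found.append(doc_id)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    # Eve, authenticated as herself, walks ids 40..43 against each endpoint.
    print("vulnerable:", readable_ids(get_document_vulnerable, "eve", range(40, 44)))
    print("secure:    ", readable_ids(get_document_secure, "eve", range(40, 44)))
```

The sweep against the vulnerable lookup returns both 41 and 42 for Eve; the hardened lookup returns only her own document, while Alice and Bob (who is on the share list) can still read document 41.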