Severity: medium | CWE-915 | OWASP API3:2023

Broken Object Property Level Authorization

The API allows users to read or modify object properties they shouldn't have access to: mass assignment, excessive data exposure, or missing field-level access control.

How It Works

This vulnerability combines two issues: mass assignment (user can set properties like role or isAdmin by including them in the request body) and excessive data exposure (API returns more fields than the client needs, including sensitive internal data). When an API blindly accepts all fields from the request body and saves them to the database, or returns full database objects without filtering, it creates serious security holes.

Vulnerable Code
// Mass assignment — accepts any field
app.put('/api/profile', auth, async (req, res) => {
  await User.updateOne(
    { _id: req.user.id },
    { $set: req.body } // Accepts role, isAdmin, etc!
  );
  res.json({ ok: true });
});
Secure Code
// Whitelist allowed fields: destructure only what this endpoint may change
app.put('/api/profile', auth, async (req, res) => {
  const { name, email, avatar } = req.body;
  await User.updateOne(
    { _id: req.user.id },
    // role, isAdmin and any other key in req.body never reach the update;
    // Mongoose 6+ strips undefined keys, so omitted fields stay untouched
    { $set: { name, email, avatar } }
  );
  res.json({ ok: true });
});

Real-World Example

In 2012, a mass assignment vulnerability in GitHub allowed a user to add their SSH key to any organization's repository by including the organization ID in the request body. The vulnerability was discovered by a security researcher who added his key to the Rails repository.

How to Prevent It

  • Never pass req.body directly to database operations
  • Whitelist allowed fields for each endpoint
  • Use DTOs or Zod schemas to validate and filter input
  • Return only necessary fields in API responses
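The following is an added example, not code from the page or its product, showing the allow-list approach from the "How It Works" section and the list above on both the write path (mass assignment) and the read path (excessive data exposure). It assumes an Express-style handler with `req.user` set by an `auth` middleware, and uses a constructed in-memory store in place of Mongoose so it runs stand-alone.

```javascript
// Fields a user may change on their own profile. Anything else in the body
// (role, isAdmin, _id, ...) is dropped and reported, never written.
const WRITABLE_PROFILE_FIELDS = ['name', 'email', 'avatar'];

// Fields a client may see. passwordHash and other internals never leave the
// server, regardless of what the stored document contains.
const PUBLIC_USER_FIELDS = ['id', 'name', 'email', 'avatar', 'role'];

// Build a $set-style patch from only allow-listed, defined fields.
// Also returns the rejected keys so the caller can log a mass-assignment attempt.
function buildProfilePatch(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('request body must be a JSON object');
  }
  const patch = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (!WRITABLE_PROFILE_FIELDS.includes(key)) {
      rejected.push(key);
    } else if (body[key] !== undefined) {
      patch[key] = body[key];
    }
  }
  return { patch, rejected };
}

// Project a stored document down to the response shape (no full DB objects).
function toPublicUser(doc) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (doc[key] !== undefined) out[key] = doc[key];
  }
  return out;
}

// Constructed in-memory store standing in for User.updateOne / findOne.
const users = {
  u1: { id: 'u1', name: 'Ada', email: 'ada@example.test', role: 'user',
        isAdmin: false, passwordHash: '$2b$10$constructed-placeholder' },
};

// Express-style handler body (hypothetical); returns the filtered response.
function updateProfile(req) {
  const { patch, rejected } = buildProfilePatch(req.body);
  if (rejected.length) console.warn('dropped fields:', rejected.join(', '));
  Object.assign(users[req.user.id], patch);   // stands in for $set
  return toPublicUser(users[req.user.id]);
}
```

Logging the rejected keys gives the SOC a cheap detection signal: a client repeatedly sending `role` or `isAdmin` to a profile endpoint is probing for mass assignment.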

Affected Technologies

Node.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.
