🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Broken Object Property Level Authorization

Broken Object Property Level Authorization occurs when APIs fail to enforce access controls on individual object properties, allowing attackers to read or modify fields they should not have access to, even if overall object access is restricted.

Remediation

  • Enforce fine-grained, server-side authorization for each object property based on the authenticated user's permissions.
  • Validate and filter request payloads to ensure users cannot modify restricted fields.
  • Ensure responses only include properties the requesting user is authorized to view.

Metadata

  • Severity: medium
  • Slug: broken-object-property-level-authorization

CWEs

  • 639: Authorization Bypass Through User-Controlled Key
  • 284: Improper Access Control
  • 285: Improper Authorization

OWASP

  • API1:2023: Broken Object Level Authorization
  • API3:2019: Excessive Data Exposure

Available Labs

Select a language to explore available labs for this vulnerability.

No matching labs found

Try adjusting your language filter.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.