The Open Web Application Security Project (OWASP) has identified Broken Object Level Authorization (BOLA), also known as Insecure Direct Object References (IDOR), as the most common and severe security vulnerability in today’s APIs. BOLA occurs when an authenticated user successfully accesses objects they are not authorized for by supplying, in their requests, object identifiers that belong to other users. The root cause is the absence of proper permission and authorization checks that link the user making the request to the object identifiers present in that request.
To reduce the prevalence of BOLA in today’s APIs, two approaches are presented: a software-based approach and a design-based approach.
For the software-based approach (i.e., APIs that are developed as code), an authorization module has been proposed. This module can be imported as a package into any API code base. Its purpose is to enforce Role-Based Access Control (RBAC) at the object level, encouraging developers to adopt object-level security checks by providing an “off-the-shelf” solution.
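The following is an added illustration of the object-level RBAC idea described above; it is not the proposed module itself. It assumes a hypothetical invoice store, a hypothetical `Forbidden` exception, and per-role predicates that tie the requesting user to the object loaded by identifier, and shows the BOLA-prone handler beside the checked one.

```python
from functools import wraps

# Constructed sample data: a tiny invoice store keyed by object identifier.
INVOICES = {
    "inv-1001": {"owner": "alice", "total": 120.0},
    "inv-1002": {"owner": "bob", "total": 75.5},
}

class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""

def authorize_object(load, permissions):
    """Decorator enforcing object-level RBAC before the handler runs.

    load(object_id) returns the stored object or None.
    permissions maps a role name to a predicate (user, obj) -> bool.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, object_id, *args, **kwargs):
            obj = load(object_id)
            check = permissions.get(user["role"])
            # Missing object, unknown role, or failed predicate are rejected
            # uniformly so the response does not reveal whether the id exists.
            if obj is None or check is None or not check(user, obj):
                raise Forbidden(f"{user['name']} may not access {object_id}")
            return handler(user, obj, *args, **kwargs)
        return wrapper
    return decorator

# Role -> predicate linking the requesting user to the object (hypothetical rules).
INVOICE_RULES = {
    "owner": lambda user, obj: obj["owner"] == user["name"],
    "admin": lambda user, obj: True,
}

# BOLA-prone handler: trusts the identifier in the request, no ownership check.
def get_invoice_insecure(user, object_id):
    return INVOICES.get(object_id)

# Checked handler: the module links the user to the object before it is returned.
@authorize_object(INVOICES.get, INVOICE_RULES)
def get_invoice(user, invoice):
    return invoice

def is_authorized(user, object_id):
    """Convenience wrapper: True if get_invoice would succeed for this user."""
    try:
        get_invoice(user, object_id)
        return True
    except Forbidden:
        return False
```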
For the design-based approach (i.e., APIs that are designed using the OpenAPI specification), the OpenAPI specification has been extended with object-level security declarations. The output is a modified version of the original OpenAPI specification that recognizes objects (it is object-aware) and expresses object-level authorization. The modified specification gives the developer a sample schema or template for implementing object-level authorization.
Whether developers choose a software-based or a design-based approach for implementing and securing APIs, a bi-directional generator has been developed that produces a specification from code or code from a specification while recognizing the additional modules and designs (related to object-level authorization) that have been incorporated.
This research work was presented at the API Specifications Conference 2022 (organized by the OpenAPI Initiative) in the USA (Sept. 19 – 21, 2022). The full presentation can be found at the following link.