zacheller
diff --git a/‎2023/en/src/0xa1-broken-object-level-authorization.md
Lines changed: 108 additions & 0 deletions b/‎2023/en/src/0xa1-broken-object-level-authorization.md
Lines changed: 108 additions & 0 deletions
diff --git a/‎2023/en/src/0xa2-broken-authentication.md
Lines changed: 134 additions & 0 deletions b/‎2023/en/src/0xa2-broken-authentication.md
Lines changed: 134 additions & 0 deletions
diff --git a/‎2023/en/src/0xa3-broken-object-property-level-authorization.md
Lines changed: 139 additions & 0 deletions b/‎2023/en/src/0xa3-broken-object-property-level-authorization.md
Lines changed: 139 additions & 0 deletions
@@ -0,0 +1,108 @@
+API1:2023 Broken Object Level Authorization
+===========================================
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **3** | Prevalence **3** : Detectability **2** | Technical **3** : Business Specific |
+| Attackers can exploit API endpoints that are vulnerable to broken object level authorization by manipulating the ID of an object that is sent within the request. This can lead to unauthorized access to sensitive data. This issue is extremely common in API-based applications because the server component usually does not fully track the client's state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access. | This has been the most common and impactful attack on APIs. Authorization and access control mechanisms in modern applications are complex and widespread. Even if the application implements a proper infrastructure for authorization checks, developers might forget to use these checks before accessing a sensitive object. Access control detection is not typically amenable to automated static or dynamic testing. | Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access to objects can also lead to full account takeover. |
+
+## Is the API Vulnerable?
+
+Object level authorization is an access control mechanism that is usually
+implemented at the code level to validate that a user can only access the
+objects that they should have permissions to access.
+
+Every API endpoint that receives an ID of an object, and performs any action
+on the object, should implement object-level authorization checks. The checks
+should validate that the logged-in user has permissions to perform the
+requested action on the requested object.
+
+Failures in this mechanism typically lead to unauthorized information
+disclosure, modification, or destruction of all data.
+
+Comparing the user ID of the current session (e.g. by extracting it from the
+JWT token) with the vulnerable ID parameter isn't a sufficient solution to
+solve BOLA. This approach could address only a small subset of cases.
+
+In the case of BOLA, it's by design that the user will have access to the
+vulnerable API endpoint/function. The violation happens at the object level,
+by manipulating the ID. If an attacker manages to access an API
+endpoint/function they should not have access to - this is a case of BFLA
+rather than BOLA.
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+An e-commerce platform for online stores (shops) provides a listing page with
+the revenue charts for their hosted shops. Inspecting the browser requests, an
+attacker can identify the API endpoints used as a data source for those charts
+and their pattern `/shops/{shopName}/revenue_data.json`. Using another API
+endpoint, the attacker can get the list of all hosted shop names. With a
+simple script to manipulate the names in the list, replacing `{shopName}` in
+the URL, the attacker gains access to the sales data of thousands of e-commerce
+stores.
+
+### Scenario #2
+
+An automobile manufacturer has enabled remote control of its vehicles via a
+mobile API for communication with the driver's mobile phone. The API enables
+the driver to remotely start and stop the engine and lock and unlock the doors.
+As part of this flow, the user sends the Vehicle Identification Number (VIN) to
+the API.
+The API fails to validate that the VIN represents a vehicle that belongs to the
+logged in user, which leads to a BOLA vulnerability. An attacker can access
+vehicles that don't belong to them.
+
+### Scenario #3
+
+An online document storage service allows users to view, edit, store and delete
+their documents. When a user's document is deleted, a GraphQL mutation with the
+document ID is sent to the API.
+
+```
+POST /graphql
+{
+  "operationName":"deleteReports",
+  "variables":{
+    "reportKeys":["<DOCUMENT_ID>"]
+  },
+  "query":"mutation deleteReports($siteId: ID!, $reportKeys: [String]!) {
+    {
+      deleteReports(reportKeys: $reportKeys)
+    }
+  }"
+}
+```
+
+Since a document ID is deleted without any further permission checks, a user
+may be able to delete another user's document.
+
+## How To Prevent
+
+* Implement a proper authorization mechanism that relies on the user policies
+  and hierarchy.
+* Use the authorization mechanism to check if the logged-in user has access to
+  perform the requested action on the record in every function that uses an
+  input from the client to access a record in the database.
+* Prefer the use of random and unpredictable values as GUIDs for records' IDs.
+* Write tests to evaluate the vulnerability of the authorization mechanism. Do
+  not deploy changes that make the tests fail.
+
+
+## References
+
+### OWASP
+
+* [Authorization Cheat Sheet][1]
+* [Authorization Testing Automation Cheat Sheet][2]
+
+### External
+
+* [CWE-285: Improper Authorization][3]
+* [CWE-639: Authorization Bypass Through User-Controlled Key][4]
+
+[1]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+[2]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Testing_Automation_Cheat_Sheet.html
+[3]: https://cwe.mitre.org/data/definitions/285.html
+[4]: https://cwe.mitre.org/data/definitions/639.html
@@ -0,0 +1,134 @@
+API2:2023 Broken Authentication
+===============================
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **3** | Prevalence **2** : Detectability **2** | Technical **3** : Business Specific |
+| Authentication in APIs is a complex and confusing mechanism. Software and security engineers might have misconceptions about what are the boundaries of authentication and how to implement it correctly. In addition, the authentication mechanism is an easy target for attackers, since it's exposed to everyone. These two points make the authentication component potentially vulnerable to many exploits. | There are two sub-issues: 1. Lack of protection mechanisms: API endpoints that are responsible for authentication must be treated differently from regular endpoints and implement extra layers of protection; 2. Misimplementation of the mechanism: The mechanism is used / implemented without considering the attack vectors, or for the wrong use case (e.g. an authentication mechanism designed for IoT clients might not be the right choice for web applications). | Attackers can gain control of other users' accounts in the system, read their personal data, and perform sensitive actions on their behalf, like money transactions and sending personal messages. |
+
+## Is the API Vulnerable?
+
+Authentication endpoints and flows are assets that need to be protected. Additionally, "Forgot password / reset password" should be treated the same way
+as authentication mechanisms.
+
+A public-facing API is vulnerable if it:
+
+* Permits credential stuffing where the attacker uses brute force with a list
+  of valid usernames and passwords.
+* Permits attackers to perform a brute force attack on the same user account,
+  without presenting captcha/account lockout mechanism.
+* Permits weak passwords.
+* Sends sensitive authentication details, such as auth tokens and passwords in
+  the URL.
+* Allows users to change their email address, current password, or do any other
+  sensitive operations without asking for password confirmation.
+* Doesn't validate the authenticity of tokens.
+* Accepts unsigned/weakly signed JWT tokens (`{"alg":"none"}`)
+* Doesn't validate the JWT expiration date.
+* Uses plain text, non-encrypted, or weakly hashed passwords.
+* Uses weak encryption keys.
+
+On top of that, a microservice is vulnerable if:
+
+* Other microservices can access it without authentication
+* Uses weak or predictable tokens to enforce authentication
+
+## Example Attack Scenarios
+
+## Scenario #1
+
+In order to perform user authentication the client has to issue an API request
+like the one below with the user credentials:
+
+```
+POST /graphql
+{
+  "query":"mutation {
+    login (username:\"<username>\",password:\"<password>\") {
+      token
+    }
+   }"
+}
+```
+
+If credentials are valid, then an auth token is returned which should be
+provided in subsequent requests to identify the user. Login attempts are
+subject to restrictive rate limiting: only three requests are allowed per
+minute.
+
+To brute force log in with a victim's account, bad actors leverage GraphQL
+query batching to bypass the request rate limiting, speeding up the attack:
+
+```
+POST /graphql
+[
+  {"query":"mutation{login(username:\"victim\",password:\"password\"){token}}"},
+  {"query":"mutation{login(username:\"victim\",password:\"123456\"){token}}"},
+  {"query":"mutation{login(username:\"victim\",password:\"qwerty\"){token}}"},
+  ...
+  {"query":"mutation{login(username:\"victim\",password:\"123\"){token}}"},
+]
+```
+
+## Scenario #2
+
+In order to update the email address associated with a user's account, clients
+should issue an API request like the one below:
+
+```
+PUT /account
+Authorization: Bearer <token>
+
+{ "email": "<new_email_address>" }
+```
+
+Because the API does not require the user to confirm their identity by
+providing their current password, bad actors are able to put themselves in a
+position to steal the auth token.They also might be able to take over the
+victim's account by starting the reset password workflow after updating the
+email address of the victim's account.
+
+## How To Prevent
+
+* Make sure you know all the possible flows to authenticate to the API
+  (mobile/ web/deep links that implement one-click authentication/etc.). Ask
+  your engineers what flows you missed.
+* Read about your authentication mechanisms. Make sure you understand what and
+  how they are used. OAuth is not authentication, and neither are API keys.
+* Don't reinvent the wheel in authentication, token generation, or password
+  storage. Use the standards.
+* Credential recovery/forgot password endpoints should be treated as login
+  endpoints in terms of brute force, rate limiting, and lockout protections.
+* Require re-authentication for sensitive operations (e.g. changing the account
+  owner email address/2FA phone number).
+* Use the [OWASP Authentication Cheatsheet][1].
+* Where possible, implement multi-factor authentication.
+* Implement anti-brute force mechanisms to mitigate credential stuffing,
+  dictionary attacks, and brute force attacks on your authentication endpoints.
+  This mechanism should be stricter than the regular rate limiting mechanisms
+  on your APIs.
+* Implement [account lockout][2]/captcha mechanisms to prevent brute force
+  attacks against specific users. Implement weak-password checks.
+* API keys should not be used for user authentication. They should only be used
+  for [API clients][3] authentication.
+
+## References
+
+### OWASP
+
+* [Authentication Cheat Sheet][1]
+* [Key Management Cheat Sheet][4]
+* [Credential Stuffing][5]
+
+### External
+
+* [CWE-204: Observable Response Discrepancy][6]
+* [CWE-307: Improper Restriction of Excessive Authentication Attempts][7]
+
+[1]: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
+[2]: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism(OTG-AUTHN-003)
+[3]: https://cloud.google.com/endpoints/docs/openapi/when-why-api-key
+[4]: https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html
+[5]: https://owasp.org/www-community/attacks/Credential_stuffing
+[6]: https://cwe.mitre.org/data/definitions/204.html
+[7]: https://cwe.mitre.org/data/definitions/307.html
@@ -0,0 +1,139 @@
+API3:2023 Broken Object Property Level Authorization
+====================================================
+
+| Threat agents/Attack vectors | Security Weakness | Impacts |
+| - | - | - |
+| API Specific : Exploitability **3** | Prevalence **2** : Detectability **2** | Technical **2** : Business Specific |
+|  Attackers can exploit API endpoints that are vulnerable to broken object property level authorization by reading or changing values of object properties they are not supposed to access. | Authorization in APIs is done in layers. While developers might perform proper validations to make sure that a user has access to a function, and then to a specific object, they often don't validate if the user is allowed to access a specific property within the object. | Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. |
+
+## Is the API Vulnerable?
+
+When allowing a user to access an object using an API endpoint, it is important
+to validate that the user has access to the specific object properties they are
+trying to access.
+
+An API endpoint is vulnerable if:
+
+* The API endpoint exposes properties of an object that are considered
+  sensitive and should not be read by the user. (previously named: "[Excessive
+  Data Exposure][1]")
+* The API endpoint allows a user to change, add/or delete the value of a
+  sensitive object's property which the user should not be able to access
+  (previously named: "[Mass Assignment][2]")
+
+## Example Attack Scenarios
+
+### Scenario #1
+
+A dating app allows a user to report other users for inappropriate behavior.
+As part of this flow, the user clicks on a "report" button, and the following
+API call is triggered:
+
+```
+POST /graphql
+{
+  "operationName":"reportUser",
+  "variables":{
+    "userId": 313,
+    "reason":["offensive behavior"]
+  },
+  "query":"mutation reportUser($userId: ID!, $reason: String!) {
+    reportUser(userId: $userId, reason: $reason) {
+      status
+      message
+      reportedUser {
+        id
+        fullName
+        recentLocation
+      }
+    }
+  }"
+}
+```
+
+The API Endpoint is vulnerable since it allows the authenticated user to have
+access to sensitive (reported) user object properties, such as "fullName" and
+"recentLocation" that are not supposed to be accessed by other users.
+
+### Scenario #2
+
+An online marketplace platform, that offers one type of users ("hosts") to rent
+out their apartment to another type of users ("guests"), requires the host to
+accept a booking made by a guest, before charging the guest for the stay.
+
+As part of this flow, an API call is sent by the host to
+`POST /api/host/approve_booking` with the following legitimate payload:
+
+```
+{"approved":true,"comment":"Check-in is after 3pm"}
+```
+
+The host replays the legitimate request, and adds the following malicious
+payload:
+
+```
+{"approved":true,"comment":"Check-in is after 3pm","total_stay_price":"$1,000,000"}
+```
+
+The API endpoint is vulnerable because there is no validation that the host
+should have access to the internal object property - "total_stay_price", and
+the guest will be charged more than she was supposed to be.
+
+### Scenario #3
+
+A social network that is based on short videos, enforces restrictive content
+filtering and censorship. Even if an uploaded video is blocked, the user can
+change the description of the video using the following API request
+
+```
+PUT /api/video/update_video
+
+{"description":"a funny video about cats"}
+```
+
+A frustrated user can replay the legitimate request, and add the following
+malicious payload:
+
+```
+{"description":"a funny video about cats","blocked":false}
+```
+
+The API endpoint is vulnerable because there is no validation if the user
+should have access to the internal object property - "blocked", and the user
+can change the value from "true" to "false" and unlock their own blocked content.
+
+## How To Prevent
+
+* When exposing an object using an API endpoint, always make sure that the user
+  should have access to the object's properties you expose.
+* Avoid using generic methods such as to_json() and to_string(). Instead,
+  cherry-pick specific object properties you specifically want to return.
+* If possible, avoid using functions that automatically bind a client's input
+  into code variables, internal objects, or object properties
+  ("Mass Assignment").
+* Allow changes only to the object's properties that should be updated by the
+  client.
+* Implement a schema-based response validation mechanism as an extra layer of
+  security. As part of this mechanism, define and enforce data returned by all
+  API methods.
+* Keep returned data structures to the bare minimum, according to the
+  business/functional requirements for the endpoint.
+
+## References
+
+### OWASP
+
+* [API3:2019 Excessive Data Exposure - OWASP API Security Top 10 2019][1]
+* [API6:2019 - Mass Assignment - OWASP API Security Top 10 2019][2]
+* [Mass Assignment Cheat Sheet][3]
+
+### External
+
+* [CWE-213: Exposure of Sensitive Information Due to Incompatible Policies][4]
+* [CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes][5]
+
+[1]: https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa3-excessive-data-exposure.md
+[2]: https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md
+[3]: https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
+[4]: https://cwe.mitre.org/data/definitions/213.html
+[5]: https://cwe.mitre.org/data/definitions/915.html