API3:2023 represents a nuanced security challenge where improper or absent authorisation checks allow attackers to access or manipulate sensitive properties of an object within an API. Unlike broader access control issues, this risk focuses specifically on granular authorisation, which determines the visibility or modifiability of individual object properties.
Authentication is the process of verifying a user’s identity before granting access to resources. In APIs, authentication mechanisms ensure that only authorised clients or users can interact with the system. Broken authentication compromises this trust, potentially leading to data breaches, identity theft, or unauthorised access to sensitive information. As APIs often handle vast amounts of personal and corporate data, even minor authentication flaws can have catastrophic consequences for businesses.
Broken authentication manifests in various forms, each posing unique challenges to developers and penetration testers.
Broken Object Level Authorisation (BOLA) arises when APIs expose endpoints handling object identifiers without adequate access control measures. This vulnerability allows attackers to manipulate object IDs to gain unauthorised access to data.