OWASP API security – 1: Broken object level authorization
Blog post from Tyk
Broken Object Level Authorization (BOLA) sits at number one (API1) in the OWASP API Security Top 10. It arises from the common pattern of exposing object identifiers in API endpoints, such as /orders/1234, without checking on every request that the authenticated caller is actually permitted to act on that particular object. An attacker simply changes the ID in the request and reads or modifies data that belongs to someone else.

The effective countermeasure is an object-level authorization check: the backend must verify, for each request, that the caller owns the referenced object or holds a role that is allowed to access it. Replacing sequential integers with globally unique identifiers (GUIDs) makes IDs harder to guess and is worth doing, but it does not fix the authorization flaw. Identifiers leak through logs, browser history, Referer headers, shared links and other API responses, and any leaked GUID still grants access to an endpoint that performs no ownership check. Unguessable IDs are a complementary practice, never the control itself.

API Management (APIM) has a structural problem with BOLA: the API Gateway knows who the caller is (from the token) but typically does not know who owns object 1234, because that relationship lives in the backend database rather than in the gateway. The ways to close that gap are direct integration with the backend system, delegating the decision to an identity provider such as Keycloak, or consulting a policy engine such as Open Policy Agent (OPA). All of these require significant configuration and integration effort, and it is generally best practice to perform object-level authorization inside the backend application itself, where the data and its ownership are known.

GraphQL APIs add a further dimension, because the client chooses which fields appear in the response. An object the caller is allowed to see may still contain fields (payment details, internal notes) that the caller is not allowed to see; returning them without a per-field check is referred to as Broken Field Level Authorization. Tyk can implement object-level authorization through direct integration and identity providers, and offers field-based permissions to mitigate this GraphQL-specific exposure.
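The following is an added example, not code from the Tyk post or from Tyk's product: a minimal in-memory "orders" service that shows the BOLA-vulnerable lookup next to the same lookup with an ownership check, why an unguessable ID alone does not help once it has leaked, and the field-level filter needed when the client chooses fields the way a GraphQL selection set does. The users, orders, role names and field policy are constructed for the example.

```python
"""Object-level and field-level authorization checks for an orders API.

Added example (not the Tyk post's code). Users, orders, the "support" role
and the field policy below are constructed for illustration.
"""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = frozenset()


@dataclass
class Order:
    order_id: str
    owner_id: str
    total: int
    card_last4: str
    internal_notes: str


class Forbidden(Exception):
    """Raised when the caller may not access the object or a requested field."""


# Constructed sample data; IDs are uuid4 GUIDs, as the post recommends.
ALICE = User("alice")
BOB = User("bob")
SUPPORT = User("carol", frozenset({"support"}))

ORDERS: dict = {}


def _add_order(owner_id: str, total: int, last4: str, notes: str) -> Order:
    order = Order(str(uuid.uuid4()), owner_id, total, last4, notes)
    ORDERS[order.order_id] = order
    return order


ALICE_ORDER = _add_order("alice", 4200, "1234", "fraud check pending")
BOB_ORDER = _add_order("bob", 900, "9876", "")


def get_order_vulnerable(caller: User, order_id: str) -> Order:
    """BOLA: the caller is authenticated, but ownership is never checked.
    The GUID buys nothing once the ID is known (logs, shared links, other
    responses): any valid ID returns any user's order."""
    return ORDERS[order_id]


def get_order(caller: User, order_id: str) -> Order:
    """Object-level check: the order must belong to the caller, or the
    caller must hold a role permitted to read other users' orders."""
    order = ORDERS.get(order_id)
    permitted = order is not None and (
        order.owner_id == caller.user_id or "support" in caller.roles
    )
    # Same error for "does not exist" and "not yours", so the endpoint
    # cannot be used as an oracle to enumerate which IDs exist.
    if not permitted:
        raise Forbidden("order not found")
    return order


# Field-level permissions: which fields each relationship/role may read.
PUBLIC_FIELDS = {"order_id", "total"}
FIELD_POLICY = {
    "owner": PUBLIC_FIELDS | {"card_last4"},
    "support": PUBLIC_FIELDS | {"internal_notes"},
}


def read_order_fields(caller: User, order_id: str, requested: set) -> dict:
    """Object-level check first, then compare the requested fields (the
    GraphQL selection set) against what this caller may see."""
    order = get_order(caller, order_id)
    allowed: set = set()
    if order.owner_id == caller.user_id:
        allowed |= FIELD_POLICY["owner"]
    if "support" in caller.roles:
        allowed |= FIELD_POLICY["support"]
    denied = requested - allowed
    if denied:
        raise Forbidden(f"fields not permitted: {sorted(denied)}")
    return {name: getattr(order, name) for name in requested}


def denied(fn, *args) -> bool:
    """True if the call is rejected with Forbidden (helper for checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Bob reading Alice's order: the vulnerable lookup succeeds, the checked one does not.
    print(get_order_vulnerable(BOB, ALICE_ORDER.order_id).card_last4)
    print(denied(get_order, BOB, ALICE_ORDER.order_id))
    print(read_order_fields(SUPPORT, ALICE_ORDER.order_id, {"total", "internal_notes"}))
```

Note that the check in `get_order` needs the order's `owner_id`, which is exactly the data an API Gateway does not have unless it is integrated with the backend or a policy engine; that is why the decision is most naturally taken in the application that holds the record.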