OWASP Tactical Access Defense Series: Broken Object Property Level Authorization and BIG-IP APM

AUTHOR NOTE: Unauthorized access to private/sensitive object properties may result in data disclosure, data loss, or data corruption. Under certain circumstances, unauthorized access to object properties can lead to privilege escalation or partial/full account takeover.

In this article we are going through API3 item from OWASP top 10 API Security risks exploring BIG-IP Access Policy Manager (APM) role in our arsenal. 

Identifying Vulnerable APIs

In order to identify the API endpoint is vulnerable to Broken Object Property Level Authorization, 

  • Sensitive properties exposure of certain object for non-intended user (Excessive Data Exposure).
    import requests
    # Assuming the API endpoint for retrieving user data is /api/users
    api_endpoint = "https://example.com/api/users"
    # Sending a GET request to the API endpoint
    response = requests.get(api_endpoint)
    # Checking if the request was successful (status code 200)
    if response.status_code == 200:
        # Printing the response content (which could contain excessive data)
        print("Failed to retrieve data from the API")
  • API allow to change, add or delete sensitive object property for non-intended user (Mass assignment).
import requests

# Assuming the API endpoint for updating user information is /api/users
api_endpoint = "https://example.com/api/users"

# Malicious payload containing additional fields
malicious_payload = {
    "username": "malicious_user",
    "password": "password123",
    "isAdmin": True  # Malicious user attempts to elevate privileges

# Sending a POST request with the malicious payload
response = requests.post(api_endpoint, json=malicious_payload)

# Checking if the request was successful (status code 200)
if response.status_code == 200:
    print("User information updated successfully")
    print("Failed to update user information")

Object Property Level Authorization involves controlling access to specific properties or attributes of an object within a system. Instead of granting blanket access to an entire object, this approach enables fine-grained control, allowing administrators to restrict or permit access to individual properties based on user roles or permissions.

While implementing protection against such security risk involves different aspects, one is making sure the user is authorized to access object property, and here BIG-IP APM plays crucial role. 

Mitigating Risks with BIG-IP APM

BIG-IP APM per-request granularity. With per-request granularity, organizations can dynamically enforce access policies based on various factors such as user identity, device characteristics, and contextual information. This enables organizations to implement fine-grained access controls at the API level, mitigating the risks associated with Broken Object Property Level Authorization.

 Key Features:

  1. Dynamic Access Control Policies: BIG-IP APM empowers organizations to define dynamic access control policies that adapt to changing conditions in real-time. By evaluating each API request against these policies, BIG-IP APM ensures that only authorized users can access specific resources and perform permitted actions.

  2. Granular Authorization Rules: BIG-IP APM enables organizations to define granular authorization rules that govern access to individual objects or resources within the API ecosystem. By enforcing strict authorization checks at the object level, F5 APM prevents unauthorized users from tampering with sensitive data or performing unauthorized actions.


In conclusion, BIG-IP APM per-request granularity is a powerful tool for defending against Broken Object-Level Authorization vulnerabilities in APIs. By enforcing fine-grained access controls at the API level, organizations can mitigate the risks associated with unauthorized access to sensitive data. Additionally, proactive security assessments and vulnerability scans are essential for identifying and addressing vulnerabilities in APIs, thereby strengthening overall security posture in the digital ecosystem.


Related Content 

Updated Apr 12, 2024
Version 2.0

Was this article helpful?

No CommentsBe the first to comment