LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is API3 Broken Object Property Level Authorization?

Authorization is checked for the whole object but not for individual fields — so a user can read or change a property they shouldn't, like GET /users/me returning everyone's isAdmin flag, or a PATCH letting a customer set their own accountBalance.

This is field-level authorization, a finer-grained cousin of API1. The app correctly decides "you may access this object," then naively exposes or accepts all of its properties. Concrete example: a profile endpoint serializes the entire user record — including passwordResetToken or role — into the JSON response, leaking fields the client should never see. The flip side is the input direction (a client setting a field it shouldn't), which is the Mass Assignment case. Fix: explicitly choose which properties to expose and which to accept, never the whole object.

Issues:

  • Sensitive properties returned that user shouldn't see
  • Sensitive properties modifiable by unauthorized users

Countermeasures:

  • Verify access rights before exposing object properties
  • Return specific values only - not entire objects
  • Avoid direct binding from input to internal objects
  • Validate responses - ensure only permitted data returned
  • Minimize data returned - principle of least privilege

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 05, 2026