Broken Object Level Authorization

By Rohit Gautam


Summary: Broken Object Level Authorization is a critical web security vulnerability that occurs when an application fails to properly restrict user access to specific objects or resources. Exploiting this vulnerability allows attackers to access sensitive data, perform unauthorized actions, or modify critical objects within the application.

Severity: High

Attack Vector: Remote

Complexity: Low

Impact: By exploiting Broken Object Level Authorization, an attacker can access sensitive data, perform unauthorized actions, modify or delete critical objects, or escalate privileges within the application.

Affected Host / URL: https://www.example.com/

Port: 443

Steps to Reproduce:

1. Identify the target system vulnerable to Broken Object Level Authorization.
2. Analyze the application's functionalities to identify object-level operations that should be restricted based on user privileges.
3. Manipulate object references or parameters to access unauthorized resources or perform unauthorized actions.
4. Submit the manipulated requests and observe the application's response for successful access or unauthorized actions.
5. Verify the impact by confirming the access to sensitive data or the ability to perform unauthorized actions on critical objects.

Recommendations:

To mitigate Broken Object Level Authorization vulnerabilities, it is recommended to implement the following measures:
1. Implement proper authorization controls at the object level, ensuring that users can only access and manipulate the objects they are authorized for.
2. Perform access control checks on the server side for every request that references an object; client-side checks may be kept for usability, but only the server-side check can prevent unauthorized access to resources.
3. Utilize a centralized and consistent authorization mechanism that enforces fine-grained controls on object-level operations.
4. Regularly review and test the application's authorization implementation to identify and address any potential vulnerabilities.
5. Employ the principle of least privilege, granting users only the necessary permissions to perform their intended actions.
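The following is an added example, not part of this report, illustrating recommendations 1 to 3: an order lookup that trusts the client-supplied object id (the flaw described above) beside the same lookup routed through one server-side authorization function. The `User`, `Order` and `ORDERS` data are constructed for the example and are not taken from the affected application.

```python
"""Added example: object lookup without and with an object-level
authorization check, over an in-memory store constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str = "customer"


@dataclass(frozen=True)
class Order:
    id: int
    owner_id: int
    total: float


# Constructed sample data: two customers, one order each.
ORDERS = {
    101: Order(101, owner_id=1, total=42.0),
    102: Order(102, owner_id=2, total=99.5),
}


def get_order_vulnerable(user: User, order_id: int) -> dict:
    """Looks up the order by the client-supplied id only. Any authenticated
    user who changes the id in the request reads another user's order."""
    order = ORDERS.get(order_id)
    if order is None:
        return {"status": 404}
    return {"status": 200, "order": order}


def authorize(user: User, action: str, obj: Order) -> bool:
    """Single, centralized policy check: ownership or an explicit admin role
    (a hypothetical policy, not the affected application's)."""
    if user.role == "admin":
        return True
    return action in ("read", "update") and obj.owner_id == user.id


def get_order_fixed(user: User, order_id: int) -> dict:
    """Same lookup, but the object-level check runs server-side on every
    request. A denied object is reported as 404 so the endpoint does not
    confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or not authorize(user, "read", order):
        return {"status": 404}
    return {"status": 200, "order": order}
```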

References:

1. OWASP - Broken Object Level Authorization: https://owasp.org/www-community/attacks/Broken_Object_Level_Authorization
2. PortSwigger - Broken Object Level Authorization: https://portswigger.net/web-security/access-control/broken-object-level-authorization

Proof of Concept:

Please refer to the attached screenshot or video for a visual demonstration of a Broken Object Level Authorization vulnerability.