Authorization Bypass Through User-Controlled Key (CWE-639)

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.

Verbreitung

Hoch

Häufig ausgenutzt

Auswirkung

Kritisch

1 Regeln mit kritischem Schweregrad

Prävention

Dokumentiert

8 Fix-Beispiele

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Authorization Bypass via User Key basierend auf 8 Shoulder-Erkennungsregeln.

🐹 Go Alle anzeigen Go Details →

Horizontal Privilege Escalation HIGH

Validate resource ownership before allowing modifications using user-supplied IDs

+8 -1 go

  func updateProfile(c *gin.Context) {
      profileID := c.Param("id")
-     db.Model(&Profile{}).Where("id = ?", profileID).Updates(data)
+     userID := c.GetString("user_id")
+     var profile Profile
+     db.First(&profile, profileID)
+     if profile.UserID != userID {
+         c.JSON(403, gin.H{"error": "unauthorized"})
+         return
+     }
+     db.Model(&profile).Updates(data)
  }

Insecure Direct Object Reference (IDOR) HIGH

Validate resource ownership before database access using user-supplied IDs

+8 -3 go

  func getUser(c *gin.Context) {
-     userID := c.Param("id")
-     var user User
-     db.First(&user, userID)
+     requestedID := c.Param("id")
+     currentID := c.GetString("user_id")
+     if requestedID != currentID {
+         c.JSON(403, gin.H{"error": "unauthorized"})
+         return
+     }
+     var user User
+     db.First(&user, requestedID)
      c.JSON(200, user)
  }

Potential IDOR - Generic Data Access MEDIUM

Verify resource ownership before returning data accessed by user-supplied identifiers

+6 -1 go

  func getOrder(c *gin.Context) {
      orderID := c.Param("id")
-     order := orders[orderID]
+     currentUserID := c.GetString("user_id")
+     order := orders[orderID]
+     if order.UserID != currentUserID {
+         c.JSON(403, gin.H{"error": "Forbidden"})
+         return
+     }
      c.JSON(200, order)
  }

🟨 JavaScript Alle anzeigen JavaScript Details →

Horizontal Privilege Escalation CRITICAL

Filter queries by authenticated user ID to verify resource ownership

+4 -1 javascript

  app.get('/api/profile/:userId', async (req, res) => {
-   const profile = await User.findOne({ where: { id: req.params.userId } });
+   const profile = await User.findOne({
+     where: { id: req.params.userId, userId: req.user.id }
+   });
+   if (!profile) return res.status(403).json({ error: 'Forbidden' });
    res.json(profile);
  });

Insecure Direct Object Reference (IDOR) HIGH

Include userId in database queries to verify resource ownership before access

+4 -1 javascript

  app.get('/api/orders/:id', async (req, res) => {
-   const order = await Order.findByPk(req.params.id);
+   const order = await Order.findOne({
+     where: { id: req.params.id, userId: req.user.id }
+   });
+   if (!order) return res.status(404).json({ error: 'Not found' });
    res.json(order);
  });

Potential IDOR - Generic Data Access MEDIUM

Verify resource ownership before returning data by checking it belongs to the authenticated user

+3 -0 javascript

  app.get('/api/orders/:id', (req, res) => {
    const order = orderRepo.findById(req.params.id);
+   if (order.userId !== req.user.id) {
+     return res.status(403).json({ error: 'Forbidden' });
+   }
    res.json(order);
  });

🐍 Python Alle anzeigen Python Details →

Insecure Direct Object Reference (IDOR) HIGH

Include the authenticated user as a filter condition in all ORM queries that use user-supplied IDs

+9 -3 python

- def get_document(request, doc_id):
-     requested_id = request.GET.get('id')
-     document = Document.objects.get(id=requested_id)
+ from django.contrib.auth.decorators import login_required
+ 
+ @login_required
+ def get_document(request, doc_id):
+     requested_id = request.GET.get('id')
+     document = Document.objects.get(
+         id=requested_id,
+         owner=request.user
+     )
      return JsonResponse(document.to_dict())

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Authorization Bypass Through User-Controlled Key-Mustern zu scannen. 8 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=639

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (8)

🐹 Go 3 rules

Horizontal Privilege Escalation HIGH

Detects horizontal privilege escalation where users can access or modify other users' resources.

Insecure Direct Object Reference (IDOR) HIGH

Detects IDOR vulnerabilities where user-supplied IDs access resources without authorization checks.

Potential IDOR - Generic Data Access MEDIUM

Detects route parameters flowing to data access without visible ownership verification.

🟨 Javascript 3 rules

Horizontal Privilege Escalation CRITICAL

Detects when user-controlled input is used to access resources belonging to other users at the same privilege level without verifying ownership.

Insecure Direct Object Reference (IDOR) HIGH

Detects when user-controlled input (from URL parameters, query strings, or request body) is used directly to access database records without verifying that the authenticated user has permission to access that specific resource. IDOR vulnerabilities allow attackers to access, modify, or delete resources belonging to other users by manipulating identifiers in requests.

Potential IDOR - Generic Data Access MEDIUM

Detects endpoints where route parameters flow to generic data access patterns (Map.get, object property access, cache lookups, custom repositories) without visible ownership verification in the function. This rule catches patterns that ORM-specific detection misses, but requires human verification that authorization is not enforced elsewhere (middleware, decorators, API gateway, etc.). **This is a "potential" finding - verify authorization exists somewhere.**

🔷 Typescript 3 rules

Horizontal Privilege Escalation CRITICAL

Detects when user-controlled input is used to access resources belonging to other users at the same privilege level without verifying ownership.

Insecure Direct Object Reference (IDOR) HIGH

Potential IDOR - Generic Data Access MEDIUM

🐍 Python 2 rules

Insecure Direct Object Reference (IDOR) HIGH

Detects database object access using user-provided IDs without ownership verification.

Potential IDOR - Generic Data Access MEDIUM

Detects route parameters flowing to generic data access without visible ownership verification.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Authorization Bypass Through User-Controlled Key-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟠

User can access other users' resources without authorization go-horizontal-privilege-escalation

🟠

horizontal privilege escalation where users can access or modify other users' resources go-horizontal-privilege-escalation

🟠

User-supplied ID used to access resource without authorization check go-idor

🟠

IDOR vulnerabilities where user-supplied IDs access resources without authorization checks go-idor

🟠

when user-controlled input (from URL parameters, query strings, or request body) is used directly to javascript-idor

🟠

database object access using user-provided IDs without ownership verification python-idor

🟡

route parameters flowing to data access without visible ownership verification go-idor-generic

🟡

endpoints where route parameters flow to generic data access patterns (Map javascript-idor-generic

🔍

Scanne deine Codebasis nach Authorization Bypass Through User-Controlled Key

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen