# Authorization Bypass Through User-Controlled Key (CWE-639)

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

**Stack:** Python

- Prevalence: Hoch Häufig ausgenutzt
- Impact: Kritisch 1 Regeln mit kritischem Schweregrad
- Prevention: Dokumentiert 8 Fix-Beispiele

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.

## Prevention

Präventionsstrategien für Authorization Bypass via User Key basierend auf 2 Shoulder-Erkennungsregeln.

### Python

Include the authenticated user as a filter condition in all ORM queries that use user-supplied IDs

Verify resource ownership before returning data accessed by user-supplied identifiers

## Warning Signs

- [HIGH] database object access using user-provided IDs without ownership
verification
- [MEDIUM] route parameters flowing to generic data access without visible
ownership verification

## Consequences

- Anwendungsdaten lesen
- Anwendungsdaten ändern
- Privilegien erlangen

## Mitigations

- Indirekte Referenzen (Mappings) statt direkter Datenbankschlüssel verwenden
- Sicherstellen, dass der aktuelle Benutzer berechtigt ist, auf die angeforderte Ressource zuzugreifen
- Auf jeder Anfrage ordnungsgemäße Zugriffskontrollen implementieren

## Detection

- Total rules: 8
- Critical: 1
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects database object access using user-provided IDs without ownership
verification.
  - Remediation: Filter queries by both object ID and current user.

```python
document = Document.objects.get(id=doc_id, owner=request.user)
```

Learn more: https://shoulder.dev/learn/python/cwe-639/idor
- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to generic data access without visible
ownership verification.
  - Remediation: Verify ownership before returning data.

```python
if order['user_id'] != current_user.id:
    return jsonify({'error': 'Forbidden'}), 403
```

Learn more: https://shoulder.dev/learn/python/cwe-639/idor-generic