Authorization Bypass Through User-Controlled Key (CWE-639)

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.

Prevalencia

Alta

Frecuentemente explotada

Impacto

Crítico

1 reglas de severidad crítica

Prevención

Documentada

8 ejemplos de corrección

2 Prevención

Cómo corregir esta vulnerabilidad

Estrategias de prevención para Authorization Bypass via User Key basadas en 8 reglas de detección de Shoulder.

🐹 Go Ver todo Go detalles →

Horizontal Privilege Escalation HIGH

Validate resource ownership before allowing modifications using user-supplied IDs

+8 -1 go

  func updateProfile(c *gin.Context) {
      profileID := c.Param("id")
-     db.Model(&Profile{}).Where("id = ?", profileID).Updates(data)
+     userID := c.GetString("user_id")
+     var profile Profile
+     db.First(&profile, profileID)
+     if profile.UserID != userID {
+         c.JSON(403, gin.H{"error": "unauthorized"})
+         return
+     }
+     db.Model(&profile).Updates(data)
  }

Insecure Direct Object Reference (IDOR) HIGH

Validate resource ownership before database access using user-supplied IDs

+8 -3 go

  func getUser(c *gin.Context) {
-     userID := c.Param("id")
-     var user User
-     db.First(&user, userID)
+     requestedID := c.Param("id")
+     currentID := c.GetString("user_id")
+     if requestedID != currentID {
+         c.JSON(403, gin.H{"error": "unauthorized"})
+         return
+     }
+     var user User
+     db.First(&user, requestedID)
      c.JSON(200, user)
  }

Potential IDOR - Generic Data Access MEDIUM

Verify resource ownership before returning data accessed by user-supplied identifiers

+6 -1 go

  func getOrder(c *gin.Context) {
      orderID := c.Param("id")
-     order := orders[orderID]
+     currentUserID := c.GetString("user_id")
+     order := orders[orderID]
+     if order.UserID != currentUserID {
+         c.JSON(403, gin.H{"error": "Forbidden"})
+         return
+     }
      c.JSON(200, order)
  }

🟨 JavaScript Ver todo JavaScript detalles →

Horizontal Privilege Escalation CRITICAL

Filter queries by authenticated user ID to verify resource ownership

+4 -1 javascript

  app.get('/api/profile/:userId', async (req, res) => {
-   const profile = await User.findOne({ where: { id: req.params.userId } });
+   const profile = await User.findOne({
+     where: { id: req.params.userId, userId: req.user.id }
+   });
+   if (!profile) return res.status(403).json({ error: 'Forbidden' });
    res.json(profile);
  });

Insecure Direct Object Reference (IDOR) HIGH

Include userId in database queries to verify resource ownership before access

+4 -1 javascript

  app.get('/api/orders/:id', async (req, res) => {
-   const order = await Order.findByPk(req.params.id);
+   const order = await Order.findOne({
+     where: { id: req.params.id, userId: req.user.id }
+   });
+   if (!order) return res.status(404).json({ error: 'Not found' });
    res.json(order);
  });

Potential IDOR - Generic Data Access MEDIUM

Verify resource ownership before returning data by checking it belongs to the authenticated user

+3 -0 javascript

  app.get('/api/orders/:id', (req, res) => {
    const order = orderRepo.findById(req.params.id);
+   if (order.userId !== req.user.id) {
+     return res.status(403).json({ error: 'Forbidden' });
+   }
    res.json(order);
  });

🐍 Python Ver todo Python detalles →

Insecure Direct Object Reference (IDOR) HIGH

Include the authenticated user as a filter condition in all ORM queries that use user-supplied IDs

+9 -3 python

- def get_document(request, doc_id):
-     requested_id = request.GET.get('id')
-     document = Document.objects.get(id=requested_id)
+ from django.contrib.auth.decorators import login_required
+ 
+ @login_required
+ def get_document(request, doc_id):
+     requested_id = request.GET.get('id')
+     document = Document.objects.get(
+         id=requested_id,
+         owner=request.user
+     )
      return JsonResponse(document.to_dict())

3 Detección

Encuentra vulnerabilidades en tu código

Usa Shoulder para escanear tu código en busca de patrones Authorization Bypass Through User-Controlled Key. 8 reglas.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=639

# Or scan entire project
npx @shoulderdev/cli trust .

Reglas de Detección (8)

🐹 Go 3 rules

Horizontal Privilege Escalation HIGH

Detects horizontal privilege escalation where users can access or modify other users' resources.

Insecure Direct Object Reference (IDOR) HIGH

Detects IDOR vulnerabilities where user-supplied IDs access resources without authorization checks.

Potential IDOR - Generic Data Access MEDIUM

Detects route parameters flowing to data access without visible ownership verification.

🟨 Javascript 3 rules

Horizontal Privilege Escalation CRITICAL

Detects when user-controlled input is used to access resources belonging to other users at the same privilege level without verifying ownership.

Insecure Direct Object Reference (IDOR) HIGH

Detects when user-controlled input (from URL parameters, query strings, or request body) is used directly to access database records without verifying that the authenticated user has permission to access that specific resource. IDOR vulnerabilities allow attackers to access, modify, or delete resources belonging to other users by manipulating identifiers in requests.

Potential IDOR - Generic Data Access MEDIUM

Detects endpoints where route parameters flow to generic data access patterns (Map.get, object property access, cache lookups, custom repositories) without visible ownership verification in the function. This rule catches patterns that ORM-specific detection misses, but requires human verification that authorization is not enforced elsewhere (middleware, decorators, API gateway, etc.). **This is a "potential" finding - verify authorization exists somewhere.**

🔷 Typescript 3 rules

Horizontal Privilege Escalation CRITICAL

Detects when user-controlled input is used to access resources belonging to other users at the same privilege level without verifying ownership.

Insecure Direct Object Reference (IDOR) HIGH

Potential IDOR - Generic Data Access MEDIUM

🐍 Python 2 rules

Insecure Direct Object Reference (IDOR) HIGH

Detects database object access using user-provided IDs without ownership verification.

Potential IDOR - Generic Data Access MEDIUM

Detects route parameters flowing to generic data access without visible ownership verification.

4 Señales de Alerta

Qué buscar en las revisiones de código

Estos patrones indican vulnerabilidades potenciales de Authorization Bypass Through User-Controlled Key. Búscalos durante las revisiones de código y auditorías de seguridad.

🟠

User can access other users' resources without authorization go-horizontal-privilege-escalation

🟠

horizontal privilege escalation where users can access or modify other users' resources go-horizontal-privilege-escalation

🟠

User-supplied ID used to access resource without authorization check go-idor

🟠

IDOR vulnerabilities where user-supplied IDs access resources without authorization checks go-idor

🟠

when user-controlled input (from URL parameters, query strings, or request body) is used directly to javascript-idor

🟠

database object access using user-provided IDs without ownership verification python-idor

🟡

route parameters flowing to data access without visible ownership verification go-idor-generic

🟡

endpoints where route parameters flow to generic data access patterns (Map javascript-idor-generic

🔍

Escanea tu base de código para Authorization Bypass Through User-Controlled Key

Shoulder CLI encuentra patrones vulnerables en toda tu base de código.

npx shoulder trust Ver todas las reglas