# Authorization Bypass Through User-Controlled Key (CWE-639)

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

**Stack:** Go

- Prevalence: Élevée Fréquemment exploitée
- Impact: Critique 1 règles de sévérité critique
- Prevention: Documentée 8 exemples de correctifs

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.

## Prevention

Stratégies de prévention pour Authorization Bypass via User Key basées sur 3 règles de détection Shoulder.

### Go

Validate resource ownership before allowing modifications using user-supplied IDs

Validate resource ownership before database access using user-supplied IDs

Verify resource ownership before returning data accessed by user-supplied identifiers

## Warning Signs

- [HIGH] User can access other users' resources without authorization
- [HIGH] horizontal privilege escalation where users can access or modify other users' resources
- [HIGH] User-supplied ID used to access resource without authorization check
- [HIGH] IDOR vulnerabilities where user-supplied IDs access resources without authorization checks
- [MEDIUM] route parameters flowing to data access without visible ownership verification

## Consequences

- Lecture des données de l'application
- Modification des données de l'application
- Obtenir des privilèges

## Mitigations

- Utilisez des références indirectes (mapping) plutôt que des clés de base de données directes
- Vérifiez que l'utilisateur courant a la permission d'accéder à la ressource demandée
- Mettez en place des contrôles d'accès appropriés sur chaque requête

## Detection

- Total rules: 8
- Critical: 1
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (3 rules)

- **Horizontal Privilege Escalation** [HIGH]: Detects horizontal privilege escalation where users can access or modify other users' resources.
  - Remediation: Validate resource ownership before modification.

```go
if profile.UserID != currentUserID {
    return errors.New("unauthorized")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-639/privilege-escalation
- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects IDOR vulnerabilities where user-supplied IDs access resources without authorization checks.
  - Remediation: Validate ownership before accessing resources.

```go
if requestedID != currentUserID && !isAdmin(currentUserID) {
    return errors.New("unauthorized")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-639/idor
- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to data access without visible ownership verification.
  - Remediation: Verify ownership before returning data.

```go
if order.UserID != currentUserID {
    c.JSON(403, gin.H{"error": "Forbidden"})
    return
}
```

Learn more: https://shoulder.dev/learn/go/cwe-639/idor-generic