# Authorization Bypass Through User-Controlled Key (CWE-639)

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: Critical (1 critical-severity rule)
- Prevention: Documented (8 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.

## Prevention

Prevention strategies for Authorization Bypass via User Key, based on 2 Shoulder detection rules.

### Python

- Include the authenticated user as a filter condition in all ORM queries that use user-supplied IDs
- Verify resource ownership before returning data accessed by user-supplied identifiers

## Warning Signs

- [HIGH] database object access using user-provided IDs without ownership verification
- [MEDIUM] route parameters flowing to generic data access without visible ownership verification

## Consequences

- Read application data
- Modify application data
- Gain privileges

## Mitigations

- Use indirect references (mapping) instead of direct database keys
- Verify that the current user is allowed to access the requested resource
- Apply proper access control checks on every request

## Detection

- Total rules: 8
- Critical: 1
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects database object access using user-provided IDs without ownership verification.
  - Remediation: Filter queries by both object ID and current user.

  ```python
  # The owner filter makes the lookup fail for another user's document ID.
  document = Document.objects.get(id=doc_id, owner=request.user)
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-639/idor

- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to generic data access without visible ownership verification.
  - Remediation: Verify ownership before returning data.

  ```python
  # Reject the request when the record belongs to a different user.
  if order['user_id'] != current_user.id:
      return jsonify({'error': 'Forbidden'}), 403
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-639/idor-generic
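The owner-scoped query and the indirect-reference mitigation listed above, side by side with the unscoped lookup, as an added example that is not part of the original page or of Shoulder's rules. It uses the standard-library `sqlite3` module instead of an ORM; the table, user IDs, function names and the `IndirectRefs` class are hypothetical.

```python
import secrets
import sqlite3

# Constructed sample data: two users (100 and 200), one document each.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
db.executemany("INSERT INTO documents VALUES (?, ?, ?)",
               [(1, 100, "alice: payroll"), (2, 200, "bob: tax return")])


def get_document_vulnerable(doc_id):
    """CWE-639: the user-supplied key alone selects the record."""
    row = db.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document_scoped(doc_id, current_user_id):
    """Fixed: the authenticated user is part of the query filter."""
    row = db.execute("SELECT body FROM documents WHERE id = ? AND owner_id = ?",
                     (doc_id, current_user_id)).fetchone()
    # Missing rows and other users' rows give the same "not found" result.
    return row[0] if row else None


class IndirectRefs:
    """Per-user map from opaque tokens to database keys (indirect references)."""

    def __init__(self):
        self._refs = {}  # (user_id, token) -> doc_id

    def issue(self, user_id):
        """Hand out one random token per document the user owns."""
        tokens = []
        for (doc_id,) in db.execute("SELECT id FROM documents WHERE owner_id = ?", (user_id,)):
            token = secrets.token_urlsafe(16)
            self._refs[(user_id, token)] = doc_id
            tokens.append(token)
        return tokens

    def resolve(self, user_id, token):
        """Tokens are bound to the user; ownership is still re-checked in the query."""
        doc_id = self._refs.get((user_id, token))
        return get_document_scoped(doc_id, user_id) if doc_id is not None else None


if __name__ == "__main__":
    print(get_document_vulnerable(2))    # no ownership check on the supplied ID
    print(get_document_scoped(2, 100))   # user 100 does not own document 2
    print(get_document_scoped(1, 100))   # user 100 owns document 1
```

The indirect mapping keeps database keys out of client-visible identifiers, but `resolve` still goes through the owner-scoped query so the mapping is not the only control.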