
Authorization Bypass Through User-Controlled Key

🛡️ 8 rules detect this

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.
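To make the two sentences above concrete, here is an added Go illustration (not Shoulder's code and not one of the fix examples on this page) that puts an unscoped lookup next to one scoped to the authenticated caller. The Order type, the in-memory store and its two records, and the error values are constructed assumptions standing in for a real database.

```go
package main

import (
	"errors"
	"fmt"
)

// Order is a record looked up by a key the caller supplies directly.
type Order struct{ ID, OwnerID string }

var ErrNotFound = errors.New("order not found")
var ErrForbidden = errors.New("forbidden")

// store is a constructed in-memory sample standing in for the database.
var store = map[string]Order{
	"1001": {ID: "1001", OwnerID: "alice"},
	"1002": {ID: "1002", OwnerID: "bob"},
}

// LookupUnchecked has the CWE-639 shape: the user-controlled key is the
// only input, so a caller who supplies another user's ID gets that record.
func LookupUnchecked(orderID string) (Order, error) {
	o, ok := store[orderID]
	if !ok {
		return Order{}, ErrNotFound
	}
	return o, nil
}

// LookupOwned scopes the lookup to the authenticated caller. An empty caller
// ID is rejected first, since a missing record would otherwise yield a
// zero-value Order whose empty OwnerID matches it; a foreign record gets the
// same not-found answer as a missing one, so existence of IDs is not leaked.
func LookupOwned(callerID, orderID string) (Order, error) {
	if callerID == "" {
		return Order{}, ErrForbidden
	}
	o, ok := store[orderID]
	if !ok || o.OwnerID != callerID {
		return Order{}, ErrNotFound
	}
	return o, nil
}

func main() {
	o, err := LookupUnchecked("1002") // alice asking for bob's order
	fmt.Println(o.OwnerID, err) // bob <nil>
	_, err = LookupOwned("alice", "1002")
	fmt.Println(err) // order not found
}
```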

Prevalence: High (frequently exploited)
Impact: Critical (1 critical-severity rule)
Prevention: Documented (8 fix examples)

2 Prevention

How to fix this vulnerability

Prevention strategies for Authorization Bypass via User Key, based on Shoulder's 8 detection rules.

Horizontal Privilege Escalation HIGH

Validate resource ownership before allowing modifications using user-supplied IDs

+8 -1 go
  func updateProfile(c *gin.Context) {
      profileID := c.Param("id")
-     db.Model(&Profile{}).Where("id = ?", profileID).Updates(data)
+     userID := c.GetString("user_id")
+     var profile Profile
+     db.First(&profile, profileID)
+     if profile.UserID != userID {
+         c.JSON(403, gin.H{"error": "unauthorized"})
+         return
+     }
+     db.Model(&profile).Updates(data)
  }
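Review bot: the result of `db.First(&profile, profileID)` is discarded, so an ID that does not exist leaves `profile` zero-valued and `profile.UserID` equal to "", which passes the ownership test whenever `c.GetString("user_id")` is also "" (the key was never set, or was set to a non-string). Check the error before comparing, e.g. `if err := db.First(&profile, profileID).Error; err != nil { c.JSON(404, gin.H{"error": "not found"}); return }`, and reject an empty `userID`. If profile IDs are not numeric, also prefer `db.First(&profile, "id = ?", profileID)`: GORM treats a non-numeric string passed as the only inline condition as a raw SQL fragment, which is not what you want for a route parameter.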
  
Insecure Direct Object Reference (IDOR) HIGH

Validate resource ownership before database access using user-supplied IDs

+8 -3 go
  func getUser(c *gin.Context) {
-     userID := c.Param("id")
-     var user User
-     db.First(&user, userID)
+     requestedID := c.Param("id")
+     currentID := c.GetString("user_id")
+     if requestedID != currentID {
+         c.JSON(403, gin.H{"error": "unauthorized"})
+         return
+     }
+     var user User
+     db.First(&user, requestedID)
      c.JSON(200, user)
  }
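Review bot: the comparison of `requestedID` with `currentID` happens before the read, which is the right order, but `db.First(&user, requestedID)` still ignores its error, so a caller requesting their own ID while the row is absent gets a 200 with an empty `User`. Handle `.Error` and return 404 on `gorm.ErrRecordNotFound`. Note the check also makes this a self-only route: any legitimate cross-user access (admins, shared accounts) will need a separate authorization path rather than a relaxation of this equality.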
  
Potential IDOR - Generic Data Access MEDIUM

Verify resource ownership before returning data accessed by user-supplied identifiers

+6 -1 go
  func getOrder(c *gin.Context) {
      orderID := c.Param("id")
-     order := orders[orderID]
+     currentUserID := c.GetString("user_id")
+     order := orders[orderID]
+     if order.UserID != currentUserID {
+         c.JSON(403, gin.H{"error": "Forbidden"})
+         return
+     }
      c.JSON(200, order)
  }
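Review bot: `orders[orderID]` uses the single-value map form, so an unknown ID produces a zero-value `order` rather than an error; with a non-empty `currentUserID` that surfaces as a 403 for a record that never existed, and with an empty `currentUserID` (auth key not set) the zero-value order is returned with 200. Use `order, ok := orders[orderID]; if !ok { c.JSON(404, ...); return }` ahead of the ownership comparison, and reject an empty `currentUserID`. If the map holds `*Order` values, the missing-key case is a nil dereference instead.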
  
Horizontal Privilege Escalation CRITICAL

Filter queries by authenticated user ID to verify resource ownership

+4 -1 javascript
  app.get('/api/profile/:userId', async (req, res) => {
-   const profile = await User.findOne({ where: { id: req.params.userId } });
+   const profile = await User.findOne({
+     where: { id: req.params.userId, userId: req.user.id }
+   });
+   if (!profile) return res.status(403).json({ error: 'Forbidden' });
    res.json(profile);
  });
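Review bot: the query runs against the `User` model but filters on a `userId` column, which is the shape of a `Profile` (or similar) foreign key, not of the user row itself; either the query belongs on the profile model, or, if this really reads the caller's own user record, the condition collapses to `id: req.user.id` and `req.params.userId` should not drive the lookup at all. Also, `findOne` returns `null` both for a missing row and for a row owned by someone else, so answering 403 labels nonexistent IDs as forbidden; the 404 used in the orders example below is the more accurate and consistent response.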
  
Insecure Direct Object Reference (IDOR) HIGH

Include userId in database queries to verify resource ownership before access

+4 -1 javascript
  app.get('/api/orders/:id', async (req, res) => {
-   const order = await Order.findByPk(req.params.id);
+   const order = await Order.findOne({
+     where: { id: req.params.id, userId: req.user.id }
+   });
+   if (!order) return res.status(404).json({ error: 'Not found' });
    res.json(order);
  });
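Review bot: `req.user.id` is dereferenced with no check that an auth middleware populated `req.user`, so an unauthenticated request throws a TypeError and surfaces as a 500 rather than a 401; mount the route behind the auth middleware or add `if (!req.user) return res.status(401).json({ error: 'Unauthorized' });` first. Confirm too that the `userId` column type matches the type of `req.user.id` (integer vs string), otherwise the `where` clause silently matches nothing and every request becomes a 404.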
  
Potential IDOR - Generic Data Access MEDIUM

Verify resource ownership before returning data by checking it belongs to the authenticated user

+3 -0 javascript
  app.get('/api/orders/:id', (req, res) => {
    const order = orderRepo.findById(req.params.id);
+   if (order.userId !== req.user.id) {
+     return res.status(403).json({ error: 'Forbidden' });
+   }
    res.json(order);
  });
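Review bot: `order.userId` is read before checking that `findById` returned anything, so an unknown ID throws a TypeError (500) instead of yielding a 404; add `if (!order) return res.status(404).json({ error: 'Not found' });` ahead of the comparison. Because the comparison is strict (`!==`), a numeric `order.userId` compared with a string `req.user.id` (typical when the ID comes from a JWT claim or session cookie) denies every request; normalize both sides to one type before comparing.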
  
Insecure Direct Object Reference (IDOR) HIGH

Include the authenticated user as a filter condition in all ORM queries that use user-supplied IDs

+9 -3 python
- def get_document(request, doc_id):
-     requested_id = request.GET.get('id')
-     document = Document.objects.get(id=requested_id)
+ from django.contrib.auth.decorators import login_required
+ 
+ @login_required
+ def get_document(request, doc_id):
+     requested_id = request.GET.get('id')
+     document = Document.objects.get(
+         id=requested_id,
+         owner=request.user
+     )
      return JsonResponse(document.to_dict())
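Review bot: `Document.objects.get(id=requested_id, owner=request.user)` raises `Document.DoesNotExist` when nothing matches, which becomes a 500 unless caught; `get_object_or_404(Document, id=requested_id, owner=request.user)` (from `django.shortcuts`) gives a 404 for both a missing and a foreign document. The view also takes `doc_id` from the URL but reads the ID from `request.GET.get('id')`, so the two can disagree and `doc_id` is unused; pick one source, preferably the URL parameter. `JsonResponse` is used without an import in the shown lines.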
  
3 Detection

Find the vulnerability in your code

Use Shoulder to scan your code for Authorization Bypass Through User-Controlled Key patterns. 8 rules.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=639

# Or scan entire project
npx @shoulderdev/cli trust .

Detection rules (8)

4 Warning signs

What to watch for in code review

These patterns indicate a potential Authorization Bypass Through User-Controlled Key vulnerability. Look for them during code reviews and security audits.

🟠 User can access other users' resources without authorization (go-horizontal-privilege-escalation)
🟠 horizontal privilege escalation where users can access or modify other users' resources (go-horizontal-privilege-escalation)
🟠 User-supplied ID used to access resource without authorization check (go-idor)
🟠 IDOR vulnerabilities where user-supplied IDs access resources without authorization checks (go-idor)
🟠 when user-controlled input (from URL parameters, query strings, or request body) is used directly to (javascript-idor)
🟠 database object access using user-provided IDs without ownership verification (python-idor)
🟡 route parameters flowing to data access without visible ownership verification (go-idor-generic)
🟡 endpoints where route parameters flow to generic data access patterns (Map (javascript-idor-generic)
Scan your codebase: Authorization Bypass Through User-Controlled Key

Shoulder CLI finds vulnerable patterns across your entire codebase.