# Authorization Bypass Through User-Controlled Key (CWE-639)

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

- Prevalence: High (frequently exploited)
- Impact: Critical (1 critical-severity rule)
- Prevention: Documented (8 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control), #1

## Description

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.

## Prevention

Prevention strategies for Authorization Bypass via User Key, based on 8 Shoulder detection rules.

### Go

- Validate resource ownership before allowing modifications using user-supplied IDs
- Validate resource ownership before database access using user-supplied IDs
- Verify resource ownership before returning data accessed by user-supplied identifiers

### Node.js

- Filter queries by authenticated user ID to verify resource ownership
- Include userId in database queries to verify resource ownership before access
- Verify resource ownership before returning data by checking it belongs to the authenticated user

### Python

- Include the authenticated user as a filter condition in all ORM queries that use user-supplied IDs

## Warning Signs

- [HIGH] User can access other users' resources without authorization
- [HIGH] Horizontal privilege escalation where users can access or modify other users' resources
- [HIGH] User-supplied ID used to access a resource without an authorization check
- [HIGH] IDOR vulnerabilities where user-supplied IDs access resources without authorization checks
- [HIGH] User-controlled input (from URL parameters, query strings, or request body) used directly to access database records without verifying that the authenticated user has permission to access that specific resource
- [HIGH] Database object access using user-provided IDs without ownership verification
- [MEDIUM] Route parameters flowing to data access without visible ownership verification
- [MEDIUM] Endpoints where route parameters flow to generic data access patterns (Map.get, object property access, cache lookups, custom repositories) without visible ownership verification

## Consequences

- Read Application Data
- Modify Application Data
- Gain Privileges

## Mitigations

- Use indirect references (mapping) rather than direct database keys
- Validate that the current user has permission to access the requested resource
- Implement proper access control checks on every request

## Detection

- Total rules: 8
- Critical: 1
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (3 rules)

- **Horizontal Privilege Escalation** [HIGH]: Detects horizontal privilege escalation where users can access or modify other users' resources.
  - Remediation: Validate resource ownership before modification.

    ```go
    // Reject the modification unless the loaded profile belongs to the caller
    if profile.UserID != currentUserID {
        return errors.New("unauthorized")
    }
    ```

    Learn more: https://shoulder.dev/learn/go/cwe-639/privilege-escalation

- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects IDOR vulnerabilities where user-supplied IDs access resources without authorization checks.
  - Remediation: Validate ownership before accessing resources.

    ```go
    // Only the owner of the requested record, or an admin, may proceed
    if requestedID != currentUserID && !isAdmin(currentUserID) {
        return errors.New("unauthorized")
    }
    ```

    Learn more: https://shoulder.dev/learn/go/cwe-639/idor

- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to data access without visible ownership verification.
  - Remediation: Verify ownership before returning data.

    ```go
    // Check ownership on the loaded record before writing it to the response
    if order.UserID != currentUserID {
        c.JSON(403, gin.H{"error": "Forbidden"})
        return
    }
    ```

    Learn more: https://shoulder.dev/learn/go/cwe-639/idor-generic

### Javascript (3 rules)

- **Horizontal Privilege Escalation** [CRITICAL]: Detects when user-controlled input is used to access resources belonging to other users at the same privilege level without verifying ownership.
  - Remediation: Filter queries by authenticated user ID to verify ownership.

    ```javascript
    // The authenticated user's id is part of the query, so a foreign id matches nothing
    const profile = await User.findOne({
      where: { id: req.params.userId, userId: req.user.id }
    });
    ```

    Learn more: https://shoulder.dev/learn/javascript/cwe-639/horizontal-privilege-escalation

- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects when user-controlled input (from URL parameters, query strings, or request body) is used directly to access database records without verifying that the authenticated user has permission to access that specific resource. IDOR vulnerabilities allow attackers to access, modify, or delete resources belonging to other users by manipulating identifiers in requests.
  - Remediation: Include userId in queries to verify resource ownership before access.

    ```javascript
    // Scope the lookup to the caller's own orders
    const order = await Order.findOne({
      where: { id: req.params.id, userId: req.user.id }
    });
    ```

    Learn more: https://shoulder.dev/learn/javascript/cwe-639/idor

- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects endpoints where route parameters flow to generic data access patterns (Map.get, object property access, cache lookups, custom repositories) without visible ownership verification in the function. This rule catches patterns that ORM-specific detection misses, but requires human verification that authorization is not enforced elsewhere (middleware, decorators, API gateway, etc.). **This is a "potential" finding - verify authorization exists somewhere.**
  - Remediation: Verify ownership before returning data by checking that the resource belongs to the authenticated user.

    ```javascript
    // Generic lookup, followed by an explicit ownership check on the result
    const order = orders.get(req.params.id);
    if (order.userId !== req.user.id) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    ```

    Learn more: https://shoulder.dev/learn/javascript/cwe-639/idor-generic

### Typescript (3 rules)

- **Horizontal Privilege Escalation** [CRITICAL]: Detects when user-controlled input is used to access resources belonging to other users at the same privilege level without verifying ownership.
  - Remediation: Filter queries by authenticated user ID to verify ownership.

    ```javascript
    // The authenticated user's id is part of the query, so a foreign id matches nothing
    const profile = await User.findOne({
      where: { id: req.params.userId, userId: req.user.id }
    });
    ```

    Learn more: https://shoulder.dev/learn/javascript/cwe-639/horizontal-privilege-escalation

- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects when user-controlled input (from URL parameters, query strings, or request body) is used directly to access database records without verifying that the authenticated user has permission to access that specific resource. IDOR vulnerabilities allow attackers to access, modify, or delete resources belonging to other users by manipulating identifiers in requests.
  - Remediation: Include userId in queries to verify resource ownership before access.

    ```javascript
    // Scope the lookup to the caller's own orders
    const order = await Order.findOne({
      where: { id: req.params.id, userId: req.user.id }
    });
    ```

    Learn more: https://shoulder.dev/learn/javascript/cwe-639/idor

- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects endpoints where route parameters flow to generic data access patterns (Map.get, object property access, cache lookups, custom repositories) without visible ownership verification in the function. This rule catches patterns that ORM-specific detection misses, but requires human verification that authorization is not enforced elsewhere (middleware, decorators, API gateway, etc.). **This is a "potential" finding - verify authorization exists somewhere.**
  - Remediation: Verify ownership before returning data by checking that the resource belongs to the authenticated user.

    ```javascript
    // Generic lookup, followed by an explicit ownership check on the result
    const order = orders.get(req.params.id);
    if (order.userId !== req.user.id) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    ```

    Learn more: https://shoulder.dev/learn/javascript/cwe-639/idor-generic

### Python (2 rules)

- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects database object access using user-provided IDs without ownership verification.
  - Remediation: Filter queries by both object ID and current user.

    ```python
    # Both the requested id and the owner are query conditions, so a foreign
    # id raises DoesNotExist instead of returning another user's document
    document = Document.objects.get(id=doc_id, owner=request.user)
    ```

    Learn more: https://shoulder.dev/learn/python/cwe-639/idor

- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to generic data access without visible ownership verification.
  - Remediation: Verify ownership before returning data.

    ```python
    # Ownership check on the loaded record before it is serialized
    if order['user_id'] != current_user.id:
        return jsonify({'error': 'Forbidden'}), 403
    ```

    Learn more: https://shoulder.dev/learn/python/cwe-639/idor-generic
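The following is an added example, not Shoulder's code and not taken from the page's rule snippets. It models both mitigations listed above against a constructed in-memory store: an unscoped lookup keyed only by the user-supplied id (the generic `dict.get` pattern the "Potential IDOR" rules flag), the same lookup scoped to the authenticated user, a post-load ownership check for modifications, and a per-user indirect-reference map so that real database keys never appear in requests. `Order`, `ORDERS`, `Forbidden`, `ReferenceMap` and the sample records are all hypothetical names and data chosen for this example.

```python
"""Added example (not Shoulder's code): ownership-scoped lookups and indirect references for CWE-639."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Order:
    id: int
    user_id: int
    total: float


# Constructed sample data: two users, each owning one order.
ORDERS: Dict[int, Order] = {
    101: Order(id=101, user_id=1, total=49.90),
    102: Order(id=102, user_id=2, total=1200.00),
}


class Forbidden(Exception):
    """Raised when a caller tries to reach a record it does not own."""


def get_order_unscoped(order_id: int) -> Optional[Order]:
    """Vulnerable pattern: the user-supplied key alone selects the record."""
    return ORDERS.get(order_id)


def get_order_scoped(current_user_id: int, order_id: int) -> Optional[Order]:
    """Hardened pattern: the lookup is filtered by the authenticated user.

    Returning None for both 'missing' and 'not yours' mirrors a query such as
    Order.findOne({ where: { id, userId } }) and does not confirm that a
    foreign record exists.
    """
    order = ORDERS.get(order_id)
    if order is None or order.user_id != current_user_id:
        return None
    return order


def update_order_total(current_user_id: int, order_id: int, new_total: float) -> Order:
    """Post-load ownership check, the shape the modification rules above expect."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    if order.user_id != current_user_id:
        raise Forbidden(f"user {current_user_id} does not own order {order_id}")
    updated = Order(id=order.id, user_id=order.user_id, total=new_total)
    ORDERS[order_id] = updated
    return updated


class ReferenceMap:
    """Per-user indirect references: opaque handle -> real database key.

    Handles are minted only for records the map's user owns, so a handle
    copied from another user's session is simply unknown here.
    """

    def __init__(self, user_id: int) -> None:
        self.user_id = user_id
        self._handles: Dict[str, int] = {}

    def handle_for(self, order_id: int) -> str:
        """Mint (or reuse) an opaque handle for a record this user owns."""
        order = ORDERS.get(order_id)
        if order is None or order.user_id != self.user_id:
            raise Forbidden(f"user {self.user_id} does not own order {order_id}")
        for handle, real_id in self._handles.items():
            if real_id == order_id:
                return handle
        handle = secrets.token_urlsafe(16)  # unguessable, not derived from the real id
        self._handles[handle] = order_id
        return handle

    def resolve(self, handle: str) -> Optional[Order]:
        """Map a handle back to a record; unknown handles resolve to nothing."""
        real_id = self._handles.get(handle)
        if real_id is None:
            return None
        # Re-check ownership on every request in case it changed after minting.
        return get_order_scoped(self.user_id, real_id)


if __name__ == "__main__":
    # User 2 asks for order 101, which belongs to user 1.
    print(get_order_unscoped(101))   # the unscoped lookup hands back user 1's order
    print(get_order_scoped(2, 101))  # the scoped lookup returns None
    refs = ReferenceMap(user_id=1)
    handle = refs.handle_for(101)
    print(refs.resolve(handle), ReferenceMap(user_id=2).resolve(handle))
```

The scoped lookup and the post-load check are equivalent from an access-control standpoint; the scoped form is preferred when the data layer supports it because the ownership condition cannot be forgotten on a later code path, whereas the post-load check is the only option for generic stores such as caches or maps. The reference map adds a second layer on top of either: even if a check is missed, the identifier in the request is meaningless outside the session that minted it.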