# Authorization Bypass Through User-Controlled Key (CWE-639)

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

**Stack:** Go

- Prevalence: High Frequently exploited
- Impact: Critical 1 critical-severity rules
- Prevention: Documented 8 fix examples

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.

## Prevention

Prevention strategies for Authorization Bypass via User Key based on 3 Shoulder detection rules.

### Go

Validate resource ownership before allowing modifications using user-supplied IDs

Validate resource ownership before database access using user-supplied IDs

Verify resource ownership before returning data accessed by user-supplied identifiers

## Warning Signs

- [HIGH] User can access other users' resources without authorization
- [HIGH] horizontal privilege escalation where users can access or modify other users' resources
- [HIGH] User-supplied ID used to access resource without authorization check
- [HIGH] IDOR vulnerabilities where user-supplied IDs access resources without authorization checks
- [MEDIUM] route parameters flowing to data access without visible ownership verification

## Consequences

- Read Application Data
- Modify Application Data
- Gain Privileges

## Mitigations

- Use indirect references (mapping) rather than direct database keys
- Validate that the current user has permission to access the requested resource
- Implement proper access control checks on every request

## Detection

- Total rules: 8
- Critical: 1
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (3 rules)

- **Horizontal Privilege Escalation** [HIGH]: Detects horizontal privilege escalation where users can access or modify other users' resources.
  - Remediation: Validate resource ownership before modification.

```go
if profile.UserID != currentUserID {
    return errors.New("unauthorized")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-639/privilege-escalation
- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects IDOR vulnerabilities where user-supplied IDs access resources without authorization checks.
  - Remediation: Validate ownership before accessing resources.

```go
if requestedID != currentUserID && !isAdmin(currentUserID) {
    return errors.New("unauthorized")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-639/idor
- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to data access without visible ownership verification.
  - Remediation: Verify ownership before returning data.

```go
if order.UserID != currentUserID {
    c.JSON(403, gin.H{"error": "Forbidden"})
    return
}
```

Learn more: https://shoulder.dev/learn/go/cwe-639/idor-generic