
Authorization Bypass Through User-Controlled Key

8 rules detect this issue


The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Retrieval of a user record usually occurs in the system based on some key value. When a value that is directly specified by the user is used to look up that record, the key value can be modified to access records belonging to other users.

Prevalence: frequently exploited
Impact: critical (1 rule with critical severity)
Prevention: documented (8 fix examples)

2 Prevention

How to fix this vulnerability

Prevention strategies for Authorization Bypass via User Key, based on 8 Shoulder detection rules.

Horizontal Privilege Escalation HIGH

Validate resource ownership before allowing modifications using user-supplied IDs

+8 -1 go
  func updateProfile(c *gin.Context) {
      profileID := c.Param("id")
-     db.Model(&Profile{}).Where("id = ?", profileID).Updates(data)
+     userID := c.GetString("user_id")
+     var profile Profile
+     db.First(&profile, profileID)
+     if profile.UserID != userID {
+         c.JSON(403, gin.H{"error": "unauthorized"})
+         return
+     }
+     db.Model(&profile).Updates(data)
  }
  
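Review bot: the result of `db.First(&profile, profileID)` is never checked, so a nonexistent id leaves `profile` zero-valued and the handler falls through to the ownership comparison instead of answering 404; capture `err := db.First(&profile, profileID).Error` and handle `gorm.ErrRecordNotFound` before comparing `profile.UserID`. The fetch-then-update is also two statements; scoping the update itself, e.g. `db.Model(&Profile{}).Where("id = ? AND user_id = ?", profileID, userID).Updates(data)` and checking `RowsAffected`, enforces ownership in a single query and leaves no window between the check and the write. Since `profileID` is user-controlled, prefer the parameterized `db.Where("id = ?", profileID).First(&profile)` form over passing it as an inline condition.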
Insecure Direct Object Reference (IDOR) HIGH

Validate resource ownership before database access using user-supplied IDs

+8 -3 go
  func getUser(c *gin.Context) {
-     userID := c.Param("id")
-     var user User
-     db.First(&user, userID)
+     requestedID := c.Param("id")
+     currentID := c.GetString("user_id")
+     if requestedID != currentID {
+         c.JSON(403, gin.H{"error": "unauthorized"})
+         return
+     }
+     var user User
+     db.First(&user, requestedID)
      c.JSON(200, user)
  }
  
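Review bot: `db.First(&user, requestedID)` ignores its error, so a request for an id that does not exist still answers 200 with an empty `User`; check `.Error` and return 404 on `gorm.ErrRecordNotFound`. The strict equality check also means this endpoint can only ever serve the caller's own record, which makes the `id` route parameter redundant with `c.GetString("user_id")`; if that is the intent, say so in a comment, and if an admin role is meant to read other users' records, the check needs a role condition rather than pure equality.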
Potential IDOR - Generic Data Access MEDIUM

Verify resource ownership before returning data accessed by user-supplied identifiers

+6 -1 go
  func getOrder(c *gin.Context) {
      orderID := c.Param("id")
-     order := orders[orderID]
+     currentUserID := c.GetString("user_id")
+     order := orders[orderID]
+     if order.UserID != currentUserID {
+         c.JSON(403, gin.H{"error": "Forbidden"})
+         return
+     }
      c.JSON(200, order)
  }
  
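Review bot: the map lookup `order := orders[orderID]` cannot tell a missing key from a real order; for an unknown id `order` is the zero value, and if `orders` holds pointers the `order.UserID` access panics. Use the two-value form `order, ok := orders[orderID]` and return 404 when `!ok`. Also fail closed when `currentUserID` is empty: an unauthenticated request with an empty context value would otherwise compare equal to a zero-valued `UserID` and pass the check.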
Horizontal Privilege Escalation CRITICAL

Filter queries by authenticated user ID to verify resource ownership

+4 -1 javascript
  app.get('/api/profile/:userId', async (req, res) => {
-   const profile = await User.findOne({ where: { id: req.params.userId } });
+   const profile = await User.findOne({
+     where: { id: req.params.userId, userId: req.user.id }
+   });
+   if (!profile) return res.status(403).json({ error: 'Forbidden' });
    res.json(profile);
  });
  
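Review bot: the filter `where: { id: req.params.userId, userId: req.user.id }` is applied to the `User` model, which normally has no `userId` column; if the route serves the caller's own record, the condition should simply be `id: req.user.id` (and the route parameter is redundant), and if it serves a separate profile table the query should target a `Profile` model. Since the combined query cannot distinguish "not found" from "not yours", returning 403 here and 404 in the orders handler below is inconsistent; pick one, and 404 is the safer choice because it does not confirm that another user's id exists.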
Insecure Direct Object Reference (IDOR) HIGH

Include userId in database queries to verify resource ownership before access

+4 -1 javascript
  app.get('/api/orders/:id', async (req, res) => {
-   const order = await Order.findByPk(req.params.id);
+   const order = await Order.findOne({
+     where: { id: req.params.id, userId: req.user.id }
+   });
+   if (!order) return res.status(404).json({ error: 'Not found' });
    res.json(order);
  });
  
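Review bot: `req.user.id` assumes an authentication middleware has already populated `req.user`; without it an unauthenticated request throws a TypeError and surfaces as a 500 rather than a 401. Attach the auth middleware to this route (or guard with `if (!req.user) return res.status(401).end();`) so the ownership filter is never evaluated against an undefined user. Returning 404 for both missing and foreign orders is the right choice here, as it does not reveal whether the id exists.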
Potential IDOR - Generic Data Access MEDIUM

Verify resource ownership before returning data by checking it belongs to the authenticated user

+3 -0 javascript
  app.get('/api/orders/:id', (req, res) => {
    const order = orderRepo.findById(req.params.id);
+   if (order.userId !== req.user.id) {
+     return res.status(403).json({ error: 'Forbidden' });
+   }
    res.json(order);
  });
  
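Review bot: `order` can be `undefined` when `findById` has no match, so `order.userId` throws before the check runs; test for a missing order first, e.g. `if (!order || order.userId !== req.user.id) return res.status(404).json({ error: 'Not found' });`, which also avoids distinguishing "not found" from "not yours". As in the Sequelize example above, `req.user` must be guaranteed by an auth middleware on this route.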
Insecure Direct Object Reference (IDOR) HIGH

Include the authenticated user as a filter condition in all ORM queries that use user-supplied IDs

+9 -3 python
- def get_document(request, doc_id):
-     requested_id = request.GET.get('id')
-     document = Document.objects.get(id=requested_id)
+ from django.contrib.auth.decorators import login_required
+ 
+ @login_required
+ def get_document(request, doc_id):
+     requested_id = request.GET.get('id')
+     document = Document.objects.get(
+         id=requested_id,
+         owner=request.user
+     )
      return JsonResponse(document.to_dict())
  
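Review bot: the view takes `doc_id` from the URL but looks up `request.GET.get('id')` instead, so the path parameter is ignored and the query string decides which record is fetched; use `doc_id` (or drop the unused parameter). `Document.objects.get(...)` raises `Document.DoesNotExist` when the `owner` filter excludes the row, which becomes a 500 unless caught; `get_object_or_404(Document, id=doc_id, owner=request.user)` from `django.shortcuts` returns 404 for both missing and foreign documents. `JsonResponse` also needs importing from `django.http`.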
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your code for Authorization Bypass Through User-Controlled Key patterns (8 rules).

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=639

# Or scan entire project
npx @shoulderdev/cli trust .

Detection rules (8)

4 Warning signs

What to look for in code review

These patterns indicate potential Authorization Bypass Through User-Controlled Key vulnerabilities. Look for them during code review and security audits.

🟠 go-horizontal-privilege-escalation: User can access other users' resources without authorization
🟠 go-horizontal-privilege-escalation: Horizontal privilege escalation where users can access or modify other users' resources
🟠 go-idor: User-supplied ID used to access resource without authorization check
🟠 go-idor: IDOR vulnerabilities where user-supplied IDs access resources without authorization checks
🟠 javascript-idor: When user-controlled input (from URL parameters, query strings, or request body) is used directly to
🟠 python-idor: Database object access using user-provided IDs without ownership verification
🟡 go-idor-generic: Route parameters flowing to data access without visible ownership verification
🟡 javascript-idor-generic: Endpoints where route parameters flow to generic data access patterns (Map
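The python-idor sign above (database object access using user-provided IDs without ownership verification) can be approximated with a small AST heuristic. This is an added example, not Shoulder's rule implementation: it assumes Django-style `Model.objects.get(...)` / `Model.objects.filter(...)` calls, treats the owner-like field names in OWNER_KEYS or any reference to `request.user` inside the call as the ownership check, and the sample views are constructed.

```python
import ast

# Constructed sample in Django style (not real project code): get_document looks a
# record up by the route parameter alone; the other two views scope it to the caller.
SAMPLE = '''
def get_document(request, doc_id):
    document = Document.objects.get(id=doc_id)
    return JsonResponse(document.to_dict())

def get_invoice(request, inv_id):
    invoice = Invoice.objects.get(id=inv_id, owner=request.user)
    return JsonResponse(invoice.to_dict())

def list_notes(request):
    notes = Note.objects.filter(author_id=request.user.id)
    return JsonResponse({"notes": [n.id for n in notes]})
'''
# Field names accepted as an ownership filter (assumed convention; extend per project).
OWNER_KEYS = {"owner", "owner_id", "user", "user_id", "author", "author_id"}
LOOKUP_METHODS = {"get", "filter"}

def _is_manager_lookup(call):
    """True for calls shaped like Model.objects.get(...) or Model.objects.filter(...)."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr in LOOKUP_METHODS
            and isinstance(f.value, ast.Attribute) and f.value.attr == "objects")

def _reads_request_user(node):
    """True if any sub-expression reads request.user (or request.user.<attr>)."""
    return any(isinstance(n, ast.Attribute) and n.attr == "user"
               and isinstance(n.value, ast.Name) and n.value.id == "request"
               for n in ast.walk(node))

def find_unscoped_lookups(source):
    """Return (view name, line) for each ORM lookup that has no owner filter and never reads request.user."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        if not any(a.arg == "request" for a in fn.args.args):
            continue  # not a view; helpers without a request are out of scope
        for call in ast.walk(fn):
            if not (isinstance(call, ast.Call) and _is_manager_lookup(call)):
                continue
            scoped = (any(kw.arg in OWNER_KEYS for kw in call.keywords)
                      or _reads_request_user(call))
            if not scoped:
                findings.append((fn.name, call.lineno))
    return findings
```

Running `find_unscoped_lookups(SAMPLE)` flags only `get_document` at line 3 of the sample; the heuristic errs on the side of silence when ownership is enforced elsewhere (middleware, a custom manager), so treat hits as review prompts, not verdicts.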

Scan your codebase: Authorization Bypass Through User-Controlled Key

Shoulder CLI finds vulnerable patterns across your entire codebase.