Hacking APIs: Broken Object Property Level Authorization
APIs are the core of modern applications: they let clients fetch and update data quickly and easily. That power carries risk, in particular around how much of the data behind an endpoint a given caller is allowed to see or change. One common API design mistake is Broken Object Property Level Authorization (API3 in the OWASP API Security Top 10, 2023). It happens when an API correctly authorizes access to an object (such as a user profile) but never checks whether the caller should be able to read or modify individual properties inside it.
Let’s break this down with real examples and see how you can avoid this mistake.
What Is Broken Object Property Level Authorization?
This vulnerability means a user can read or change properties of an object that should be restricted, even though they are legitimately allowed to access the object itself. It covers both the read side (excessive data exposure: the API serialises whole records and relies on the client to hide fields) and the write side (mass assignment: the API binds whatever properties the client sends straight onto the stored object).
A user might:
- See sensitive information (like account status or role)
- Change fields they should not be able to (like making themselves an admin)
- Trigger internal behaviour by sending extra parameters the client was never meant to set (for example an internal flag the server happens to honour)
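The three outcomes above come from the same two handler mistakes: returning the raw record on read, and merging the raw request body on write. The following is an added example written for this article, not code from the original page: a framework-free pair of `GET /api/users/me` and `PATCH /api/users/me` handlers, each shown in its vulnerable form and then hardened with explicit read and write allow-lists. The in-memory store, the field names (`role`, `accountStatus`, `passwordHash`) and the `session` shape are assumptions for illustration.

```javascript
// Added example, not code from the original article: a minimal
// GET /api/users/me and PATCH /api/users/me handler pair, each shown first
// with broken property-level authorization and then hardened. No web
// framework is used so it runs under plain Node; the store, field names and
// session shape are assumptions for illustration.

// Constructed sample store: the kind of full row an ORM hands back verbatim.
function makeDb() {
  return {
    users: {
      42: {
        id: 42,
        email: "alice@example.com",
        displayName: "Alice",
        role: "user",              // sensitive: decides admin access
        accountStatus: "flagged",  // internal: should never reach the client
        passwordHash: "$2b$12$constructed-placeholder",
        isVerified: false,
      },
    },
  };
}

// VULNERABLE read. Object-level authorization is correct (the caller only
// gets their own record), but every column is serialised, so role, account
// status and the password hash leak.
function getMeVulnerable(db, session) {
  return { status: 200, body: { ...db.users[session.userId] } };
}

// HARDENED read: an explicit allow-list of properties the caller may see.
// Columns added later are hidden by default instead of exposed by default.
const READABLE_BY_SELF = ["id", "email", "displayName", "isVerified"];
function getMeHardened(db, session) {
  const user = db.users[session.userId];
  const body = Object.fromEntries(READABLE_BY_SELF.map((k) => [k, user[k]]));
  return { status: 200, body };
}

// VULNERABLE write (mass assignment). Whatever JSON the client sends is merged
// straight into the record, so {"role": "admin"} promotes the caller.
function patchMeVulnerable(db, session, payload) {
  const user = db.users[session.userId];
  Object.assign(user, payload);
  return { status: 200, body: { ...user } };
}

// HARDENED write: only fields the caller may change are copied, values are
// type-checked, and unexpected properties are rejected with a 400 rather than
// silently dropped, so a probing client cannot mistake "ignored" for "applied".
const WRITABLE_BY_SELF = new Set(["displayName", "email"]);
function patchMeHardened(db, session, payload) {
  const user = db.users[session.userId];
  const keys = Object.keys(payload);
  const disallowed = keys.filter((k) => !WRITABLE_BY_SELF.has(k));
  if (disallowed.length > 0) {
    return { status: 400, body: { error: "read-only or unknown fields", fields: disallowed } };
  }
  if (keys.some((k) => typeof payload[k] !== "string")) {
    return { status: 400, body: { error: "fields must be strings" } };
  }
  for (const k of keys) user[k] = payload[k];
  return getMeHardened(db, session); // respond with the filtered view, never the raw row
}

// Stand-alone demo: an attacker-style payload against both write handlers.
function demo() {
  const session = { userId: 42 }; // assumed: derived from a validated bearer token
  const payload = { displayName: "Mallory", role: "admin" };
  const a = makeDb();
  const b = makeDb();
  console.log("vulnerable:", patchMeVulnerable(a, session, payload).body);
  console.log("hardened:  ", patchMeHardened(b, session, payload));
}
demo();
```

Two design choices matter here. The read side uses an allow-list rather than a deny-list, so a column added to the table next month is invisible until someone deliberately exposes it. The write side rejects unknown properties instead of ignoring them: a silent drop returns 200 and looks identical to a successful change, which both confuses legitimate clients and hides probing from your logs.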
Example 1: Exposing Hidden Fields in a GET Request
Endpoint:
GET /api/users/me
Authorization: Bearer…