CME-908

Object-Level Authorization Checks (IDOR Prevention)

Description

Enforce per-object ownership and permission verification on every data access operation. Before returning, modifying, or deleting any resource, the application verifies the authenticated caller owns the resource or holds explicit permission to access it. Object identifiers (database IDs, UUIDs, file paths) in API parameters are never trusted as implicit authorization — the application queries ownership metadata and compares against the caller's identity. Prevents Insecure Direct Object Reference (IDOR) attacks where an attacker enumerates or guesses object identifiers to access resources belonging to other users.
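As an added illustration that is not part of this entry, the following Python shows the IDOR pattern beside the object-level check the description calls for; the in-memory store, caller ids and share grants are constructed stand-ins for the application's database.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory store standing in for the application's database.
DOCUMENTS = {
    "doc-1001": {"owner_id": "user-a", "body": "quarterly report"},
    "doc-1002": {"owner_id": "user-b", "body": "payroll export"},
}
# Explicit grants: object id -> set of caller ids holding read permission.
SHARE_GRANTS = {"doc-1002": {"user-c"}}

@dataclass
class Response:
    status: int
    body: Optional[str] = None

def get_document_insecure(caller_id: str, doc_id: str) -> Response:
    """IDOR pattern: caller_id is accepted but never consulted, so the
    identifier supplied by the client is the only gate on the object."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return Response(404)
    return Response(200, doc["body"])

def is_authorized(caller_id: str, doc_id: str, doc: dict) -> bool:
    """Ownership metadata is read server-side and compared with the
    authenticated caller; the request parameter is never trusted."""
    return doc["owner_id"] == caller_id or caller_id in SHARE_GRANTS.get(doc_id, set())

def get_document(caller_id: str, doc_id: str) -> Response:
    """Hardened handler: the object-level check runs before any data is
    returned. Unauthorized and non-existent objects both answer 404 so the
    status code does not reveal which identifiers exist (403 is also
    acceptable where object existence is not sensitive)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(caller_id, doc_id, doc):
        return Response(404)
    return Response(200, doc["body"])

def enumerate_as(caller_id: str, handler) -> list:
    """Mirror the verification step: walk a range of candidate ids as one
    caller and record which objects the handler hands back."""
    ids = [f"doc-{n}" for n in range(1000, 1005)]
    return [i for i in ids if handler(caller_id, i).status == 200]

if __name__ == "__main__":
    print("insecure:", enumerate_as("user-a", get_document_insecure))
    print("hardened:", enumerate_as("user-a", get_document))
```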

CVSS Vector Impacts

Attack Complexity (AC): L → H
  Rationale: Exploitation requires not only discovering valid object identifiers but also bypassing the ownership verification logic; simply enumerating IDs is no longer sufficient for unauthorized access because the authorization layer rejects requests where the caller is not the resource owner.

Confidentiality (C): H → L
  Rationale: Data exposure is confined to objects the caller owns or is explicitly authorized for; bulk enumeration of other users' data is blocked at the authorization layer before any data is returned.

CWE Relationships

Verification

Inspect the application source for object-level ownership checks; then test that authenticated users cannot access resources belonging to other users by manipulating object identifiers.

$ grep -rn 'owner_id.*==.*current_user\|belongs_to.*user\|authorize_resource\|object_permission\|get_object_or_403\|filter.*user=' <app_source>/
# Expected: Per-object ownership or permission checks present in data access handlers
Platform: any
$ curl -s -o /dev/null -w '%{http_code}' -H 'Authorization: Bearer <user_a_token>' http://localhost:8080/api/v1/documents/<user_b_doc_id>
# Expected: 403 or 404
Platform: any