OpenAPI Extended Security Scheme: A method to reduce the prevalence of Broken Object Level Auth

Our focus is on the OWASP number 1 vulnerability in API Security: Broken Object Level Authorization. The Open API Specification’s (OAS) security properties do not address object authorization and provide no standardized approach to define such object properties. This leaves object-level security at the mercy of developers which presents an increased risk of attack vectors being created unintentionally. We aim to tackle this void by introducing 1) the OAS ESS (OpenAPI Specification Extended Security Scheme) which includes declarative security controls for objects in OAS (design-based approach), and 2) an authorization module that can be imported to API services (Flask/FastAPI) to enforce authorization checks at the object level (development-based approach). When building an API service, a developer can start with the API design (specification) or its code. In both cases, we provide a set of mechanisms to help developers mitigate and reduce the prevalence of BOLA.

BOLA presents itself as much as a human problem, as it is a technical problem. It is not feasible to achieve the best-practice scenario in which every developer is thoroughly aware of BOLA and ensures that code is constructed securely. However, it does minimize the risk significantly when developers can define object security declaratively. In doing so, the complexity of authorization is to be taken to the background of the respective programming environment, presenting a declarative-code entry for developers which automatically generates the associated ACLs for object access. This includes enforcing properties on the metadata of an API; its objects, leading to the requirement of addressing the limitation of Interface Description Languages, such as the OAS.

We will speak about the significance of BOLA, how it is related to the OAS and its widely used implementations, and how to write more secure APIs in design-time and during development for run-time security all whilst adhering to OAS principles.