API3:2023 — Broken Object Property Level Authorization

Verified by Precogs Threat Research
OWASP API 2023, Rank #3

What is Broken Property Level Authorization?

A broken object property level authorization vulnerability occurs when an API exposes, or allows modification of, object properties that should be restricted to certain callers. The category combines two earlier weaknesses, mass assignment and excessive data exposure: APIs that return every field of an object when only a subset is needed, or that accept property updates without checking whether the caller is authorized to change those specific properties.

Impact

Enables privilege escalation (e.g., a caller setting user.role=admin through an unrestricted update) and data leakage (an API returning sensitive fields such as SSNs or credit card numbers that the caller should never see).
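The two failure modes above, mass assignment and excessive data exposure, side by side with property-level allow-lists that close them. This is an added example, not code from the original page or from Precogs; the `User` dataclass, the allow-lists and the handler names are constructed for illustration.

```python
# Added example (not from the page): a user-update and user-read handler
# showing mass assignment and excessive data exposure, beside hardened
# versions that enforce authorization per property.
from dataclasses import dataclass, asdict
from typing import Any


@dataclass
class User:
    id: int
    email: str
    role: str   # "user" or "admin"
    ssn: str    # sensitive; must never be returned to API callers


# Constructed allow-lists: what a caller may write on their own record,
# and which fields may appear in any API response.
WRITABLE_BY_SELF = {"email"}
READABLE_FIELDS = {"id", "email", "role"}


def update_user_vulnerable(user: User, body: dict[str, Any]) -> User:
    """Mass assignment: every key in the request body is copied onto the object,
    so a body of {"role": "admin"} escalates the caller's privileges."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


def update_user_hardened(user: User, body: dict[str, Any], caller_role: str) -> User:
    """Bind only allow-listed properties; reject the whole request otherwise,
    before mutating anything, so a partial write cannot slip through."""
    allowed = WRITABLE_BY_SELF | ({"role"} if caller_role == "admin" else set())
    rejected = set(body) - allowed
    if rejected:
        raise PermissionError(f"properties not writable by caller: {sorted(rejected)}")
    for key, value in body.items():
        setattr(user, key, value)
    return user


def serialize_user_vulnerable(user: User) -> dict[str, Any]:
    """Excessive data exposure: the whole object is returned, SSN included."""
    return asdict(user)


def serialize_user_hardened(user: User) -> dict[str, Any]:
    """Return only the fields in the response allow-list."""
    return {k: v for k, v in asdict(user).items() if k in READABLE_FIELDS}
```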

How Precogs AI Addresses API3

Precogs AI detects mass assignment vulnerabilities and excessive data exposure in API responses, identifying endpoints that return or accept unauthorized properties.

Related CWEs