OpenAPI Specification Extended Security Scheme: A method to reduce the prevalence of Broken Object Level Authorization
AI-generated Key Points
⚠ The license of the paper does not allow us to build upon its content, and the key points are generated from the paper metadata rather than the full article.
- APIs are widely used for inter-service communications and their growth has highlighted the need for better security standards.
- The lack of standardized authorization in the OpenAPI standard is a major concern in API security: improper authorization leads to known and unknown vulnerabilities that malicious actors can exploit, resulting in data loss.
- Broken Object Level Authorization (BOLA) is a major vulnerability affecting various API frameworks, including popular OpenAPI Specification (OAS) implementations like FastAPI and Connexion (Flask).
- The paper introduces two solutions:
  1. The OAS ESS (OpenAPI Specification Extended Security Scheme), which adds declarative security controls for objects in OAS (a design-based approach).
  2. An authorization module that can be imported into API services (Flask/FastAPI) to enforce authorization checks at the object level (a development-based approach).
- The aim of introducing these solutions is to improve API security by reducing vulnerabilities caused by improper authorization practices.
- The authors hope that their work will encourage further research into improving API security standards across all frameworks.
Authors: Rami Haddad, Rim El Malki
Abstract: APIs have become the prominent technology of choice for achieving inter-service communications. The growth of API deployments has driven the urgency in addressing its lack of security standards. API security is a topic of concern given the absence of standardized authorization in the OpenAPI standard; improper authorization opens the possibility for known and unknown vulnerabilities, which in the past years have been exploited by malicious actors, resulting in data loss. This paper examines the number one vulnerability in API security, Broken Object Level Authorization (BOLA), and proposes methods and tools to reduce the prevalence of this vulnerability. BOLA affects various API frameworks; our scope is fixated on the OpenAPI Specification (OAS). The OAS is a standard for describing and implementing APIs; popular OAS implementations are FastAPI, Connexion (Flask), and many more. These implementations carry the pros and cons that are associated with the OAS's knowledge of API properties. The OpenAPI Specification's security properties do not address object authorization and provide no standardized approach to define such object properties. This leaves object-level security at the mercy of developers, which presents an increased risk of unintentionally creating attack vectors. Our aim is to tackle this void by introducing 1) the OAS ESS (OpenAPI Specification Extended Security Scheme), which includes declarative security controls for objects in OAS (design-based approach), and 2) an authorization module that can be imported into API services (Flask/FastAPI) to enforce authorization checks at the object level (development-based approach). When building an API service, a developer can start with the API design (specification) or its code. In both cases, a set of mechanisms is introduced to help developers mitigate and reduce the prevalence of BOLA.
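The abstract describes the gap the paper targets: an endpoint can authenticate the caller correctly and still hand back any object whose identifier the caller supplies, because nothing ties the object to the caller. The following Python is an added example written for this page, not the paper's OAS ESS or its authorization module, whose actual schema and API are not reproduced here. It shows a BOLA-prone handler beside a hardened one, with the ownership rule kept in a small declarative policy table (mirroring the design-based idea in spirit) and enforced by a reusable decorator (mirroring the development-based idea). The invoice store, the `owner_id` field, the `billing-admin` role and the policy dictionary are all constructed for the example.

```python
"""Object-level authorization: a BOLA-prone handler beside a hardened one.

Added example for illustration; it is not the paper's OAS ESS schema or its
Flask/FastAPI authorization module. Plain Python so it runs without a web
framework; the handlers stand in for route functions.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class Principal:
    """The authenticated caller (what a JWT or session would have established)."""
    user_id: str
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: str      # constructed: the attribute that ties the object to a user
    amount_cents: int


# Constructed sample data standing in for a database table.
INVOICES: Dict[str, Invoice] = {
    "inv-1001": Invoice("inv-1001", owner_id="alice", amount_cents=4200),
    "inv-1002": Invoice("inv-1002", owner_id="bob", amount_cents=9900),
}


class NotFound(Exception):
    """Maps to HTTP 404."""


class Forbidden(Exception):
    """Maps to HTTP 403 (many APIs deliberately return 404 here instead, so a
    caller cannot learn that an object they may not read does exist)."""


def get_invoice_bola(principal: Principal, invoice_id: str) -> Invoice:
    """BOLA-prone: authentication happened upstream, but the handler never checks
    that the caller owns the requested object, so any logged-in user can read
    any invoice simply by changing the identifier in the request."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


# Declarative object policy (constructed): for each object type, which attribute
# names the owner and which roles may bypass the ownership rule. Keeping this
# out of the handlers lets it be reviewed and tested on its own.
OBJECT_POLICY: Dict[str, dict] = {
    "Invoice": {"owner_field": "owner_id", "bypass_roles": frozenset({"billing-admin"})},
}


def authorize_object(principal: Principal, obj: object, obj_type: str) -> None:
    """Enforce the object-level rule from OBJECT_POLICY; raise Forbidden on failure."""
    policy = OBJECT_POLICY[obj_type]
    if principal.roles & policy["bypass_roles"]:
        return
    if getattr(obj, policy["owner_field"]) != principal.user_id:
        raise Forbidden(f"{principal.user_id} may not access {obj_type}")


def require_object_auth(obj_type: str) -> Callable:
    """Decorator: load the object via the wrapped handler, then check it against
    the caller before it is returned. The check cannot be forgotten per route."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(principal: Principal, *args, **kwargs):
            obj = handler(principal, *args, **kwargs)
            authorize_object(principal, obj, obj_type)
            return obj
        return wrapper
    return decorator


@require_object_auth("Invoice")
def get_invoice_secure(principal: Principal, invoice_id: str) -> Invoice:
    """Same lookup as the BOLA version; the decorator supplies the ownership check."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def try_read(handler: Callable, principal: Principal, invoice_id: str) -> str:
    """Run a handler and report the outcome as a string, for tests and demos."""
    try:
        handler(principal, invoice_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    bob = Principal("bob")
    print("BOLA handler, bob reads alice's invoice:", try_read(get_invoice_bola, bob, "inv-1001"))
    print("hardened handler, bob reads alice's invoice:", try_read(get_invoice_secure, bob, "inv-1001"))
```

The point to take from the pair is that the two handlers run the identical lookup; the only difference is whether the loaded object is compared against the caller before it leaves the service. Centralising that comparison (a policy table plus a decorator here, an imported module in the paper's development-based approach) is what turns a per-endpoint habit into a check that code review can verify in one place.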