Broken Object Property Level Authorization in ASP.NET Core [CVE-2017-0249]

Broken Object Property Level Authorization exposes internal object properties to clients due to insufficient control over serialized data. In real-world terms, CVE-2017-0249 has been described as an elevation of privilege when ASP.NET Core fails to properly sanitize web requests, allowing attackers to access object properties that should remain private. This pattern aligns with CWE-20 (Improper Input Validation) by failing to filter or validate data before returning it in API responses, which can lead to privilege escalation via the object graph. Attackers can exploit this by retrieving or manipulating fields that reveal roles, permissions, or secrets embedded in domain models. When ASP.NET Core controllers return EF Core entities directly or rely on client-provided data to shape responses, sensitive properties (for example IsAdmin, PasswordHash, or internal flags) can be exposed. If a client can influence serialization, binding, or field selection, they may elevate privileges or access resources beyond their authorization. Remediation requires explicit data shaping, strict binding, and server-side authorization controls. Use DTOs or view models for all API outputs, project only the allowed fields, and avoid returning domain models directly. Apply [Bind] to limit input properties, decorate sensitive properties with [JsonIgnore], and consider policy-based or field-level authorization to suppress fields according to user permissions. Ensure your ASP.NET Core version is patched and monitor CVE advisories for related fixes. Additionally, add automated tests that verify sensitive fields are not serialized for inappropriate roles and review your data access patterns to prevent object-property leakage.