Broken Object Level Authorization

Broken Object Level Authorization in Go (Gin) [Month Year] [GHSA-phqm-jgc3-qf8g]

[Updated month year] Updated GHSA-phqm-jgc3-qf8g

Overview

Broken Object Level Authorization (BOLA) vulnerabilities enable attackers to access, modify, or delete resources that belong to other users by simply altering a parameter that identifies the object in a request. In Go services using the Gin framework, such issues frequently arise when endpoints rely on path parameters like /resources/:id and fetch the resource from storage without verifying that the authenticated user owns or is permitted to access that resource. The real-world impact can include sensitive data exposure, data integrity breaches, and violations of privacy regulations, especially in multi-tenant or multi-user applications. Attackers can perform targeted data gathering or mass enumeration to map ownership relationships and escalate access across API surfaces if proper authorization checks are missing. In Gin-based apps, this vulnerability often shows up when a handler uses c.Param("id") or similar user-provided identifiers to fetch and return a resource without performing ownership or permission checks against the authenticated user. Even if authentication is present (for example via JWT), authorization must still be enforced at the resource boundary. Without this, an authenticated user might freely access others' data, write to others' resources, or trigger actions that should be restricted.

Code Fix Example

Go (Gin) API Security Remediation 
package main

import (
  "net/http"
  "github.com/gin-gonic/gin"
)

type User struct {
  ID string
  Name string
  OwnerID string
}

var store = map[string]User{
  "1": {ID: "1", Name: "Alice", OwnerID: "alice"},
  "2": {ID: "2", Name: "Bob", OwnerID: "bob"},
}

func fetchUserByID(id string) (User, bool) {
  u, ok := store[id]
  return u, ok
}

func main() {
  r := gin.Default()

  r.Use(func(c *gin.Context) {
    c.Set("user", "alice")
    c.Next()
  })

  // Vulnerable: no authorization check
  r.GET("/vulnerable/users/:id", func(c *gin.Context) {
    id := c.Param("id")
    if u, ok := fetchUserByID(id); ok {
      c.JSON(http.StatusOK, u)
      return
    }
    c.Status(http.StatusNotFound)
  })

  // Secure: checks ownership before returning resource
  r.GET("/secure/users/:id", func(c *gin.Context) {
    id := c.Param("id")
    current := c.GetString("user")
    if u, ok := fetchUserByID(id); ok {
      if u.OwnerID != current {
        c.Status(http.StatusForbidden)
        return
      }
      c.JSON(http.StatusOK, u)
      return
    }
    c.Status(http.StatusNotFound)
  })

  r.Run()
}

CVE References

More Go (Gin) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.