APIs have become the prominent technology of choice for achieving inter-service communications. The growth of API deployments has driven the urgency in addressing its lack of security standards. API Security is a topic for concern given the absence of standardized authorization in the OpenAPI standard, improper authorization opens the possibility for known and unknown vulnerabilities, which in the past years have been exploited by malicious actors resulting in data loss. This paper examines the number one vulnerability in API Security: Broken Object Level Authorization(BOLA), and proposes methods and tools to reduce the prevalence of this vulnerability. BOLA affects various API frameworks, our scope is fixated on the OpenAPI Specification(OAS). The OAS is a standard for describing and implementing APIs; popular OAS Implementations are FastAPI, Connexion (Flask), and many more. These implementations carry the pros and cons that are associated with the OASs knowledge of API properties. The Open API Specifications security properties do not address object authorization and provide no standardized approach to define such object properties. This leaves object-level security at the mercy of developers, which presents an increased risk of unintentionally creating attack vectors. Our aim is to tackle this void by introducing 1) the OAS ESS (OpenAPI Specification Extended Security Scheme) which includes declarative security controls for objects in OAS (design-based approach), and 2) an authorization module that can be imported to API services (Flask/FastAPI) to enforce authorization checks at the object level (development-based approach). When building an API service, a developer can start with the API design (specification) or its code. In both cases, a set of mechanisms are introduced to help developers mitigate and reduce the prevalence of BOLA.

翻译：API已成为实现服务间通信的主流技术选择。API部署规模的快速增长加剧了应对其安全标准缺失的紧迫性。鉴于OpenAPI标准缺乏标准化授权机制，不当授权为已知及未知漏洞提供了可乘之机。近年来这些漏洞已被恶意攻击者利用，导致数据泄露事件频发。本文聚焦API安全领域首要威胁：对象级授权缺陷（BOLA），并提出了降低该漏洞普遍性的方法与工具。BOLA影响多种API框架，本研究范围限定于OpenAPI规范（OAS）。OAS是描述和实现API的标准规范，常见的OAS实现包括FastAPI、Connexion（Flask）等。这些实现继承了OAS对API属性认知的优缺点。OpenAPI规范的安全属性未涉及对象授权，也未提供定义此类对象属性的标准化方法。这使得对象级安全完全依赖开发者，从而增加了无意中创建攻击向量的风险。我们的目标是填补这一空白，引入：1）OAS ESS（OpenAPI规范扩展安全方案），在OAS中包含面向对象的声明式安全控制（基于设计的方法）；2）可导入API服务（Flask/FastAPI）的授权模块，用于在对象级强制实施授权检查（基于开发的方法）。在构建API服务时，开发者可以从API设计（规范）或代码入手。针对这两种情况，我们提出了一套机制来帮助开发者缓解和降低BOLA的普遍性。