APIs have become the prominent technology of choice for achieving inter-service communications. The growth of API deployments has driven the urgency in addressing its lack of security standards. API Security is a topic for concern given the absence of standardized authorization in the OpenAPI standard, improper authorization opens the possibility for known and unknown vulnerabilities, which in the past years have been exploited by malicious actors resulting in data loss. This paper examines the number one vulnerability in API Security: Broken Object Level Authorization(BOLA), and proposes methods and tools to reduce the prevalence of this vulnerability. BOLA affects various API frameworks, our scope is fixated on the OpenAPI Specification(OAS). The OAS is a standard for describing and implementing APIs; popular OAS Implementations are FastAPI, Connexion (Flask), and many more. These implementations carry the pros and cons that are associated with the OASs knowledge of API properties. The Open API Specifications security properties do not address object authorization and provide no standardized approach to define such object properties. This leaves object-level security at the mercy of developers, which presents an increased risk of unintentionally creating attack vectors. Our aim is to tackle this void by introducing 1) the OAS ESS (OpenAPI Specification Extended Security Scheme) which includes declarative security controls for objects in OAS (design-based approach), and 2) an authorization module that can be imported to API services (Flask/FastAPI) to enforce authorization checks at the object level (development-based approach). When building an API service, a developer can start with the API design (specification) or its code. In both cases, a set of mechanisms are introduced to help developers mitigate and reduce the prevalence of BOLA.

翻译：API已成为实现服务间通信的主流技术选择。API部署的增长加剧了解决其安全标准缺失问题的紧迫性。由于OpenAPI标准缺乏标准化授权机制，API安全已成为值得关注的重要议题。不当授权可能导致已知和未知漏洞的滋生，过去数年中恶意攻击者已利用此类漏洞造成数据丢失。本文深入研究了API安全领域的首要漏洞——对象级授权漏洞（BOLA），并提出降低该漏洞普遍性的方法与工具。BOLA影响多种API框架，本文研究范围聚焦于OpenAPI规范（OAS）。OAS作为描述与实现API的行业标准，其主流实现包括FastAPI、Connexion（Flask）等。这些实现方案兼具OAS对API属性认知的优劣特性。现行OpenAPI规范的安全属性未涵盖对象授权机制，也未提供定义此类对象属性的标准化方法，导致对象级安全完全依赖开发人员自主实现，从而无意中创建攻击向量的风险显著增加。本研究旨在通过引入以下方案填补该空白：1）OAS ESS（OpenAPI规范扩展安全方案），该方案包含OAS中对象的声明式安全控制（基于设计的方法）；2）可导入API服务（Flask/FastAPI）的授权模块，用于在对象级执行授权检查（基于开发的方法）。开发人员在构建API服务时，可从API设计（规范）或代码编写任一环节入手。针对这两种场景，本文提出了一套机制体系，以协助开发人员有效缓解并降低BOLA的普遍性。