SecPrep

Spot the access-control flaw in this endpoint.

Vulnerable code

```javascript
app.get('/api/orders/:id', requireAuth, async (req, res) => {
  // Any authenticated user can fetch any order: the id comes straight from
  // the URL and is never tied to the caller.
  const order = await db.orders.findById(req.params.id);
  res.json(order);
});
```

Broken Object-Level Authorization

Fixed

```javascript
app.get('/api/orders/:id', requireAuth, async (req, res) => {
  const order = await db.orders.findById(req.params.id);
  // Ownership check: the order must exist and belong to the caller.
  // Responding 404 for both cases avoids confirming that a foreign id exists.
  if (!order || order.userId !== req.user.id) return res.sendStatus(404);
  res.json(order);
});
```

The handler fetches the order by id but never checks that the order belongs to the authenticated user: a classic IDOR/BOLA. Add an ownership check (or scope the query by user_id) before returning the resource.
