Insecure Direct Object Reference in Chi with Mutual Tls

Insecure Direct Object Reference (IDOR) occurs when an API exposes internal resource identifiers (such as numeric IDs or UUIDs) without enforcing that the requesting identity is authorized for that specific object. In Chi, this commonly manifests when route parameters like :id are bound directly to database queries without a per-request ownership or permission check. Even when Mutual TLS (mTLS) is used for client authentication, IDOR can still exist because mTLS primarily authenticates the client (device or service) at the transport layer and does not by itself enforce application-level authorization.

Mutual TLS in Chi is typically implemented via TLS configuration at the server or load balancer, and within application logic you may inspect the client certificate to derive a principal (e.g., a subject or serial). If your handlers assume that a valid mTLS certificate equates to full access to resources, they inadvertently create an authorization gap: a legitimately authenticated client can iterate over IDs and access data belonging to other clients. Attackers can exploit this by capturing or guessing valid resource identifiers and issuing requests with a legitimate mTLS client certificate, resulting in unauthorized read or modification of data.

For example, consider a Chi route that retrieves a user profile using a numeric ID from the URL while verifying only that a client certificate is present. An attacker with a valid mTLS credential can change the ID parameter to access other users’ profiles. Because the scan types in middleBrick test unauthenticated attack surfaces and include authorization checks such as BOLA/IDOR, findings may highlight cases where mTLS is present but object-level permissions are missing. The OpenAPI/Swagger spec analysis (with full $ref resolution) helps correlate runtime behavior with documented routes, ensuring that IDOR risks are identified alongside mTLS usage.

To detect this combination during scanning, tools like middleBrick run parallel checks that map authenticated endpoints (identified via mTLS or other auth mechanisms) against authorization-sensitive operations. Findings typically note that authentication (mTLS) does not imply authorization, and they prioritize remediation guidance that aligns with OWASP API Top 10 A01:2023 — Broken Access Control. PCI-DSS, SOC2, HIPAA, and GDPR may also be referenced when sensitive data is involved, underscoring the need for explicit object ownership checks even when transport-layer mutual authentication is in place.

Remediation centers on ensuring that every handler validates authorization on the resource itself, independent of the client certificate’s validity. In Chi, this means enriching your route handlers with a per-request authorization step that confirms the authenticated principal (derived from the client certificate) has permission to access the requested object. Below are concrete code examples for a Chi application using mutual TLS, demonstrating how to bind a certificate-derived identity and enforce object-level permissions.

Example: Minimal Chi app with mTLS and IDOR-safe authorization

(ns myapp.handler
  (:require [cheshire.core :as json]
            [ring.util.response :as resp]
            [compojure.core :refer [GET defroutes]]
            [compojure.route :as route]
            [hiccup.page :refer [html5]]))

;; Assume we have a function that extracts subject from the client cert
;; presented during mutual TLS handshake. This is typically available
;; via :ssl-client-cert in the request map.
(defn get-principal-from-cert [request]
  (when-let [cert (get-in request [:ssl-client-cert :subject])]
    ;; Simplified: extract a user-id or API-key from the certificate subject
    (some-> cert (re-find #"CN=([^,]+)") second)))

;; Authorization check: ensure the requesting principal owns the resource.
(defn can-access-profile? [principal user-id]
  ;; In production, this would query a permissions service or enforce a policy.
  (= principal user-id))

(defroutes app-routes
  (GET "/profiles/:id" request
    (let [principal (get-principal-from-cert request)
          {:keys [id]} (params request)
          profile (some-> id (fetch-profile-from-db))] ;; returns map or nil
      (if (and principal profile (can-access-profile? principal (:user_id profile)))
        (resp/response (json/generate-string profile))
        (resp/status (resp/response {:error "Forbidden"}) 403))))

  (route/not-found "Not Found"))

In this example, get-principal-from-cert extracts an identity from the mTLS certificate, and can-access-profile? enforces that the principal matches the owning user ID stored on the profile. This ensures that even when mTLS provides transport-layer authentication, the handler still performs an object-level authorization check, closing the IDOR vector.

Middleware approach for consistent enforcement

Applying authorization in middleware can reduce duplication and ensure coverage across many routes. Below is a Chi middleware snippet that attaches a principal and optionally enforces a resource ownership policy for selected endpoints.

(ns myapp.middleware
  (:require [ring.util.response :as resp]))

(defn wrap-authorize-object [handler resource-fn]
  (fn [request]
    (if-let [principal (get-principal-from-cert request)]
      (let [response (handler (assoc request :principal principal))]
        response)
      (resp/status (resp/response {:error "Unauthorized"}) 401))))

;; Usage in routes definition
(defroutes app-routes
  (wrap-authorize-object
    (fn [request]
      (let [id (some-> request :params :id parse-long)]
        (if-let [profile (fetch-profile id)]
          (if (= (:user_id profile) (:principal request))
            (resp/ok (json/generate-string profile))
            (resp/status (resp/response {:error "Forbidden"}) 403))
          (resp/not-found "Profile not found"))))
    get-principal-from-cert))

These patterns align with remediation guidance that middleBrick provides in its findings: authenticate with mTLS, then enforce per-request, object-level permissions. The scans include checks for missing authorization on authenticated endpoints and can surface IDOR risks even when mTLS is in use, helping teams map findings to compliance frameworks such as OWASP API Top 10 and SOC2.