Broken Object Level Authorization (BOLA)
This post focuses on API1:2023 Broken Object Level Authorization, also called Insecure Direct Object Reference (IDOR). We will take an in-depth look at the details, the impact, and what can be done to prevent BOLA attacks in your application. BOLA is ranked #1 in the OWASP API Top-10 2023 list.
Summary
The application behind the API fails to validate that the caller is permitted to act on the referenced object. The attacker manipulates the object identifier in the API request to gain access to data or functionality they shouldn't have access to.
Details
To understand BOLA, let's start with the concepts of authentication and authorization. Authentication is the mechanism that confirms someone's identity, while authorization checks whether that entity has permission to perform a specific operation.
When someone logs into an application, authentication is performed. It’s typically done at the beginning of the session and persists for the entire duration of the session.
When an entity performs an operation in the application, its permission to access the target object and perform that operation needs to be checked; this check is authorization. Unlike authentication, the authorization check cannot be done once per session: it needs to be performed every time an operation is requested.
If the application doesn't do so, an authenticated user may be able to access objects they shouldn't. In most cases this is accomplished by manipulating the object identifier included in the API call. For example, an API call to cancel an order may reference an order ID. If changing the order ID to one belonging to another user results in a successful cancellation of that order, the application is vulnerable to BOLA.
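The order-cancellation case above as a worked example, added here and not code from the original post: a handler that looks the order up by ID alone beside one that enforces the object-level check on every call. The in-memory store, user IDs and order IDs are constructed for the illustration, and `session_user_id` is assumed to come from the authenticated session, never from the request body.

```python
# Added example (not from the original post): vulnerable vs. fixed handler
# for "cancel order". Store, users and order ids are constructed values.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Order:
    order_id: int
    owner_id: int
    status: str = "open"


def make_store() -> Dict[int, Order]:
    """Fresh constructed store: user 1 owns order 1001, user 2 owns 1002."""
    return {
        1001: Order(order_id=1001, owner_id=1),
        1002: Order(order_id=1002, owner_id=2),
    }


def cancel_order_vulnerable(session_user_id: int, order_id: int,
                            store: Dict[int, Order]) -> dict:
    """Caller is authenticated, but the order is fetched by id alone.
    Any logged-in user can cancel any order by changing order_id: BOLA."""
    order: Optional[Order] = store.get(order_id)
    if order is None:
        return {"status": 404}
    order.status = "cancelled"
    return {"status": 200, "order_id": order_id}


def cancel_order_fixed(session_user_id: int, order_id: int,
                       store: Dict[int, Order]) -> dict:
    """Object-level authorization on every call: the order must belong to
    the session user (identity taken from the session, not the request).
    A foreign order is answered exactly like a missing one, so the
    response does not reveal which ids exist."""
    order: Optional[Order] = store.get(order_id)
    if order is None or order.owner_id != session_user_id:
        return {"status": 404}
    order.status = "cancelled"
    return {"status": 200, "order_id": order_id}
```

In a real service the ownership condition would live in the query itself (for example `WHERE id = ? AND owner_id = ?`) so the check cannot be skipped by a later refactor.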
Impact
Attackers use BOLA vulnerabilities to access data or parts of the application that should be restricted. They also use BOLA for account takeover, privilege escalation, access to someone's personal information, and so on. In practice, the impact of BOLA is as variable as the capabilities of the application itself.
Remediation
Addressing BOLA ultimately requires changes to the application code to correct the missing or incorrect permission check and adequately enforce object-level authorization. To do so, however, one has to identify the issue first, and this is where a major problem lies. Detecting BOLA vulnerabilities, both in development and in production, isn't easy given the evolution of application architectures such as micro-services and the increased release velocity. Because in many cases these issues can't be fixed, or can't be fixed right away, it's important to have an inline API security tool that can identify and block BOLA attacks.
How can AppSentinels help
AppSentinels' full life-cycle API Security platform helps organizations identify BOLA proactively as part of continuous API testing in the CI/CD pipeline.
AppSentinels run-time protection offers inline protection against BOLA attacks at runtime.