May 29, 2022

Article

crAPI: Broken Object Level Authorization

Buchi Reddy B

CEO & Founder at LEVO


2. Capture the request using the ZAP proxy tool. Note that the API response contains the other user’s vehicle UUID.

3. Now navigate back to the Dashboard and you’ll see that the live position of your own car is shown.

4. Now click on “Refresh Location” and capture the request using ZAP.

5. Now replace the vehicle’s UUID with the one belonging to “Victim Two.” Observe that the API response returns the location information of the “Victim Two” vehicle.

6. The same can now be viewed on the application’s Dashboard.

Remediation:

1. In every action that uses client input to access a record in the database, apply an authorization check that verifies the logged-in user is allowed to carry out the requested action on that specific record.

2. Implement a good authorization mechanism that is based on user policies and a hierarchical structure.

3. Use random and unpredictable values as IDs.

4. Use the OWASP cheatsheet for IDOR.
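The check from remediation point 1, applied to the “Refresh Location” lookup from the steps above. This is an added example, not crAPI’s own code: the user ids, vehicle records and coordinates are constructed, and the vulnerable handler is shown beside the fixed one.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, List, Tuple


class NotFound(Exception):
    """Maps to an HTTP 404 response."""


@dataclass(frozen=True)
class Vehicle:
    vehicle_id: str
    owner_id: str
    location: Tuple[float, float]


# Constructed sample data standing in for crAPI's vehicle table.
ATTACKER = "user-attacker"
VICTIM = "user-victim-two"
ATTACKER_CAR = str(uuid.uuid4())   # random, unpredictable ids (point 3)
VICTIM_CAR = str(uuid.uuid4())

VEHICLES: Dict[str, Vehicle] = {
    ATTACKER_CAR: Vehicle(ATTACKER_CAR, ATTACKER, (37.38, -121.98)),
    VICTIM_CAR: Vehicle(VICTIM_CAR, VICTIM, (40.71, -74.00)),
}
AUDIT_LOG: List[str] = []   # denied lookups, a useful BOLA detection signal


def get_location_vulnerable(session_user_id: str, vehicle_id: str):
    """BOLA: the client-supplied UUID is trusted; the session is never consulted."""
    v = VEHICLES.get(vehicle_id)
    if v is None:
        raise NotFound
    return v.location


def get_location(session_user_id: str, vehicle_id: str):
    """Fixed: the record must belong to the authenticated user."""
    v = VEHICLES.get(vehicle_id)
    if v is None or v.owner_id != session_user_id:
        # Same 404 for "missing" and "not yours", so a swapped-in UUID
        # does not reveal whether it refers to a real vehicle.
        AUDIT_LOG.append(f"bola_denied user={session_user_id} vehicle={vehicle_id}")
        raise NotFound
    return v.location


def is_denied(session_user_id: str, vehicle_id: str) -> bool:
    """True when the fixed handler refuses the lookup."""
    try:
        get_location(session_user_id, vehicle_id)
        return False
    except NotFound:
        return True
```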

We are already detecting some amazing Broken Object Level Authorization attacks using LEVO. Sign up for free and try it yourself.


In our next blog post, we will learn about Mass Assignment issues in crAPI.

Stay Tuned.

Best Regards,

Amit
