crAPI: Broken Object Level Authorization

June 13, 2024

crAPI: Broken Object Level Authorization

Amit Dubey

May 29, 2022 · 2 min read

In this blog, we will look at API 1:2019 Broken Object Level Authorization. Broken Object Level Authorization (BOLA) is also called Insecure Direct Object Reference (IDOR). BOLA is considered the most prevalent vulnerability in the OWASP API Top 10. When an application allows an attacker to access resources that they are not authorized to view, BOLA vulnerabilities occur if an API endpoint doesn’t have access controls at the object level. In such cases, User A can successfully request and access User B’s resources.


To request user resources, these API endpoints use some sort of value, such as names, numbers, or IDs. Here, the attacker will replace the ID of their own resource in the API call with the ID of another user’s resource. Hackers can access the given resource due to a lack of adequate authorization checks.

Attack Scenario:

crAPI is a vehicle management and service application. It contains a function that allows you to monitor your vehicle’s current location. This section will help us test whether we can gain unauthorized access to another user’s live vehicle location. The only precaution provided by the developer in the application to prevent IDOR is by using UUID to get a vehicle’s current location. Because UUIDs are challenging to predict, we can still achieve IDOR if one application leaks another user’s ID somewhere in response.

1. Authenticate to the application as a “Victim One” user and navigate to the community post.

authenticate application

2. Capture the request using the ZAP Proxy tool. Note that in the API response we received the other user’s vehicle UUID.

3. Now navigate back to the Dashboard and you’ll see that the live position of your own car is shown.

4. Now click on “Refresh Location” and capture the request using ZAP.

5. Now replace the vehicle’s UUID with “Victim Two.” Observe, that the API response fetches the location information of “Victim Two” vehicle.

6. The same can now be viewed on the application’s Dashboard.

Remediation:

1. In every action that uses a client input to access a record in the database, use an authorization mechanism to verify if the logged-in user has access to carry out the desired action.

2. Implement a good authorization mechanism that is based on user policies and a hierarchical structure.

3. Use random and unpredictable values as IDs.

4. Use the OWASP cheatsheet for IDOR.

We are already detecting some amazing Broken Object Level Authorization attacks using LEVO. Sign-up for free and try it yourself.

Broken Object Level Authorization

In our next blog post, we will learn about Mass Assignment issues in crAPI.

Stay Tuned.

Best Regards,

Amit

elliptical light
  • Runtime Agnostic
  • Cloud Agnostic
  • Programming Language Agnostic

Subscribe for experts insights on application security.

Oops! Something went wrong while submitting the form.