Broken Object Level Authorization (BOLA) is a vulnerability that occurs when an application fails to enforce access controls on sensitive data or resources. BOLA is important to understand and test for as it has been the most common and impactful vulnerability across API-based systems.
What is the impact of BOLA?
BOLA vulnerabilities are critical because they lead to unauthorized access to sensitive data. It’s a vulnerability that can single-handedly be the cause of an organization’s data breach.
Prefer to watch than read? Check out our video on BOLA!
A great example of a BOLA vulnerability can be found on OWASP’s API Top 10.
“An e-commerce platform for online stores (shops) provides a listing page with the revenue charts for their hosted shops. Inspecting the browser requests, an attacker can identify the API endpoints used as a data source for those charts and their pattern /shops/{shopName}/revenue_data.json. Using another API endpoint, the attacker can get the list of all hosted shop names. With a simple script to manipulate the names in the list, replacing {shopName} in the URL, the attacker gains access to the sales data of thousands of e-commerce stores.”
Read more examples here: OWASP API1: 2023 BOLA
Testing for BOLA
To test for BOLA we need to simulate unauthorized access attempts and identify any weaknesses in the access control mechanisms of an application. We should be thinking about:
- Identifying sensitive data and endpoints
- Understanding or mapping the access control policies
- Testing multiple user accounts with different privilege levels
- Attempting unauthorized access
- Monitoring logs, error messages and responses
One of the things that will help you be successful when testing for BOLA and many other vulnerabilities is being methodical and becoming accustomed to an application’s behaviour. This isn’t always possible with time constraints but whenever possible, trying to better understand what’s happening under the hood and noticing when the behaviour seems awkward will help you close in on potential vulnerabilities.
Defending against BOLA
There are many factors that can improve an application’s security, some of them address specific issues whilst others improve overall security.
- Implement proper access controls
- Validate and enforce authorization
- Prefer the use of random and unpredictable values as GUIDs
- Write tests for access controls
- Centralize access control management
- Good documentation
- Awareness and training