Broken Object Level Authorization (BOLA) is a vulnerability that occurs when an application accepts an object identifier from the client (a shop name, an order number, a user ID) and returns or modifies that object without checking that the requesting user is actually allowed to access it. The application usually does authenticate the caller; what it skips is the per-object authorization check. BOLA is important to understand and test for because it sits at number one on the OWASP API Security Top 10 as the most common and impactful vulnerability in API-based systems.
What is the Impact of BOLA?
BOLA vulnerabilities are critical because they lead to unauthorized access to sensitive data: one missing check on one endpoint can expose every record of that type to any user who can guess or enumerate the identifiers. It’s a vulnerability that can single-handedly be the cause of an organization’s data breach.
A great example of a BOLA vulnerability can be found on OWASP’s API Top 10.
“An e-commerce platform for online stores (shops) provides a listing page with the revenue charts for their hosted shops. Inspecting the browser requests, an attacker can identify the API endpoints used as a data source for those charts and their pattern /shops/{shopName}/revenue_data.json. Using another API endpoint, the attacker can get the list of all hosted shop names. With a simple script to manipulate the names in the list, replacing {shopName} in the URL, the attacker gains access to the sales data of thousands of e-commerce stores.”
Testing for BOLA
To test for BOLA we need to simulate unauthorized access attempts and identify any weaknesses in the access control mechanisms of an application. In practice that means taking an object one account is allowed to reach and requesting it as a different account. We should be thinking about:
- Identifying sensitive data and the endpoints that expose it, especially any that take an object identifier in the path, query string or request body
- Understanding or mapping the access control policies: which users should be able to read or modify which objects
- Testing with multiple user accounts at different privilege levels, so that the same request can be replayed under each account
- Attempting unauthorized access by swapping identifiers between accounts, and trying every HTTP method the endpoint accepts (GET, PUT, DELETE), not just the one the UI uses
- Monitoring logs, error messages and responses; a 200 where a 403 or 404 was expected, or a response whose size or content differs between accounts, is the signal to look for
One of the things that will help you be successful when testing for BOLA and many other vulnerabilities is being methodical and becoming accustomed to an application’s behavior. This isn’t always possible under time constraints, but whenever possible, understanding what is happening under the hood and noticing when a response does not match what the access control policy implies will help you close in on potential vulnerabilities.
Defending Against BOLA
There are many factors that can improve an application’s resistance to BOLA; some address this specific issue whilst others improve overall security.
- Implement proper access controls: every request that references an object must be checked server-side against the identity taken from the session, never from a user ID or role supplied in the request
- Validate and enforce authorization on every object access, denying by default, and for every HTTP method on the endpoint, not only the ones the UI happens to call
- Prefer random and unpredictable identifiers such as GUIDs over sequential integers. This raises the cost of enumeration but does not replace the authorization check; in the OWASP example above the attacker obtained the shop names from another endpoint, so unpredictable names alone would not have helped
- Write tests for access controls: automated tests that request each object type as a second, unrelated account and fail on any success
- Centralize access control management in one policy layer or function that every handler calls, so the rule is written once, reviewed once and tested once
- Good documentation of the access control policy (who may do what to which objects), so reviewers and tests have something concrete to check against
- Awareness and training, so developers recognize that an authenticated user is not an authorized one
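The following is an added example, not code from the original article or from TCM Security. It ties the Testing for BOLA checklist and the Defending Against BOLA list together on a minimal in-memory stand-in for the OWASP e-commerce API: a revenue endpoint that is BOLA-vulnerable in the way the quoted example describes, the same endpoint hardened with a centralized ownership policy, and a cross-account test harness that requests every other owner's shop as the attacker and reports any success. All users, tokens, shop names and revenue figures are constructed sample data, and the session store and handler signatures are assumptions made for the example.

```python
"""Added example (not from the original article): a BOLA-vulnerable endpoint
beside its hardened form, plus a cross-account test harness.
All users, tokens, shop names and revenue figures are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: shop -> owner and shop -> revenue.
SHOP_OWNERS: Dict[str, str] = {
    "alice-shoes": "alice",
    "bob-books": "bob",
    "carol-cafe": "carol",
}
REVENUE: Dict[str, int] = {"alice-shoes": 12000, "bob-books": 8500, "carol-cafe": 3100}

# Assumed session store: bearer token -> authenticated user.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


Endpoint = Callable[[Optional[str], str], Response]


def authenticate(token: Optional[str]) -> Optional[str]:
    """Authentication only: who is calling. Says nothing about what they may see."""
    return SESSIONS.get(token) if token else None


def can_view_shop(user: str, shop: str) -> bool:
    """Centralized object-level policy. Every handler that exposes a shop goes
    through this one function, so the rule lives in one place and can be tested."""
    return SHOP_OWNERS.get(shop) == user


def revenue_vulnerable(token: Optional[str], shop: str) -> Response:
    """GET /shops/{shop}/revenue_data.json, BOLA-vulnerable on purpose:
    it checks that the caller is logged in but never that the caller owns {shop}."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    if shop not in REVENUE:
        return Response(404)
    return Response(200, {"shop": shop, "revenue": REVENUE[shop]})


def revenue_fixed(token: Optional[str], shop: str) -> Response:
    """Same endpoint with object-level authorization enforced server-side, using
    the identity from the session rather than anything in the request."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    # Deny by default. Unknown and not-owned shops get the same 404 so the
    # response does not tell the caller which shop names exist.
    if not can_view_shop(user, shop):
        return Response(404)
    return Response(200, {"shop": shop, "revenue": REVENUE[shop]})


def bola_check(endpoint: Endpoint, attacker_token: str) -> Dict[str, object]:
    """Cross-account test: as the attacker, request every shop owned by someone
    else and record any success. Also confirms the attacker can still reach
    their own shops, so a 'fix' that simply breaks the endpoint does not pass."""
    attacker = SESSIONS[attacker_token]
    own = [s for s, o in SHOP_OWNERS.items() if o == attacker]
    others = [s for s, o in SHOP_OWNERS.items() if o != attacker]
    leaked = [s for s in others if 200 <= endpoint(attacker_token, s).status < 300]
    own_ok = all(endpoint(attacker_token, s).status == 200 for s in own)
    return {"own_access_ok": own_ok, "leaked": leaked}


if __name__ == "__main__":
    for name, ep in (("vulnerable", revenue_vulnerable), ("fixed", revenue_fixed)):
        result = bola_check(ep, "tok-bob")
        print(f"{name:10s} own_access_ok={result['own_access_ok']} leaked={result['leaked']}")
```

Run as Bob, the harness reports alice-shoes and carol-cafe leaked by the vulnerable handler and nothing leaked by the fixed one, while both still serve bob-books to Bob. Two design choices worth noting: the fixed handler answers 404 for both a missing shop and someone else's shop, which is a deliberate trade of a clearer 403 for not confirming which identifiers exist; and the ownership rule lives in one function that handlers call, which is what makes the "write tests for access controls" and "centralize access control" advice cheap to follow.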
About the Author: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity. He created many of the web hacking courses in TCM Security Academy, as well as the PWPA and PWPP certifications.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com