BOLA, or Broken Object Level Authorisation, holds the top spot on the OWASP TOP 10 API vulnerabilities list. Object-Level Authorisation is ensuring that the correct folks can perform the right actions in an app, such as viewing, changing, or deleting specific things. In this brief article, we'll explore why BOLA is a concern, understand how it occurs, and discover methods to prevent it. 

Real BOLA Incidents

Interested to know real stories about BOLA attacks? They're quite eye-opening. 

  • Back in 2016, attackers used a BOLA vulnerability in the Central Bank of Russia's API to swipe 2 billion rubles. By tweaking the account ID of a transaction, they diverted funds to their account. 
  • Another incident in September 2019 revealed a major security flaw in Uber's API, exposing an endpoint and enabling unauthorised individuals to snatch sensitive data.

Why Authorisation Matters

Let's dive deeper into this concept with a relatable example. Imagine a playroom with a hidden treasure of special toys, each carefully stored in a unique box with a corresponding key. Each friend possesses their own key, granting them access only to their designated toy box. However, one mischievous friend discovers a cunning way to bypass the security measures and unlock other toy boxes, gaining access to toys that don't belong to them.This creates chaos in the playroom, prompting the keepers to act quickly. To safeguard the precious toys in the playroom above, the playroom keepers, must implement robust security measures. This includes ensuring each toy box has a unique and complex lock, regularly checking for lock tampering, and educating friends about respecting others belongings.

Broken Object Level Authorisation (BOLA)

Coming back to the API world now, assume that a customer, Alice adds several items to her shopping cart in an Ecommerce application. The system associates these items with her user ID (Say 123) to keep track of her selections.The system uses predictable sequential numbers for item IDs, making it easy to guess. An attacker, Rob, notices that he can manipulate the itemID parameter in the shopping cart requests. Rob, another authenticated customer, without being authorised as user 123, changes the item ID in the request to 457, a number he just guessed. The system does not properly check whether Rob has the right to modify the shopping cart for user 123. The system accepts Rob’s request, associating the expensive "Laptop" with Alice's cart. Alice, unsuspecting, proceeds to checkout. As a consequence Alice is billed for the unauthorised item added by Rob, and Rob gains access to sensitive information associated with the shopping cart, potentially leading to financial loss for Alice and a security breach for the online shopping platform. This scenario exemplifies a Broken Object Level Authorisation (BOLA) attack. It highlights the importance of robust authorisation mechanisms to safeguard sensitive data and prevent unauthorised access.

Broken Object Level Authorisation (BOLA) is a security vulnerability that occurs when an API provider does not have sufficient controls in place to enforce authorisation. This means that API users may be able to access sensitive resources that belong to other users. 

What to look for while testing an application against BOLA attacks

  • Business logic Vs Roles and Responsibilities: It's crucial to ensure that the API's implementation aligns with the intended business logic and respects the defined roles and responsibilities. Verify that the API does not grant unauthorised access based solely on a user's role or group membership. Instead, it should enforce granular access control based on specific permissions associated with the user and the intended action.
  • Default Permissions: Examine the default permissions granted to users when they are first created. Ensure that these permissions are as restrictive as possible and do not allow unauthorised access to sensitive resources.
  • Relationship between resources: Understanding the relationships between resources is essential for identifying potential BOLA vulnerabilities.Examine the relationship between resources to identify potential authorisation gaps. Verify that the API properly enforces access control based on these relationships. For instance, ensure that a user cannot modify the shopping cart of another user.
  • Predictable ID check: Predictable IDs, such as sequential IDs or IDs derived from personal information, can be easily guessed by attackers. When testing for BOLA vulnerabilities, scrutinise the use of IDs in API requests. Verify that the API does not rely on predictable IDs for authorisation. 
  • Error handling for invalid objectIds: Testing how the API handles invalid object IDs is very important. Verify that the API returns appropriate error messages and does not reveal sensitive information about the resource or the user. Additionally, ensure that error handling does not allow attackers to gain unauthorised access to other resources.
  • Session Management: Evaluate the API's session management mechanisms and ensure that sessions are properly invalidated when a user logs out or a session times out. Additionally, verify that session IDs are not easily predictable or vulnerable to session hijacking attacks.
  • Third-Party Integrations: If the API integrates with third-party systems, carefully review the authorisation mechanisms for these integrations. Ensure that the third-party applications are not granted excessive permissions and that access is properly scoped to the required resources.

In summary, it's crucial to understand and fix Broken Object Level Authorisation (BOLA) to keep our digital world safe. Just like we lock our doors to protect our homes, we need strong security for our online spaces. By using solid authorisation rules, staying aware of cyber threats, and promoting a culture of being proactive about security, we can make sure our online experiences are safer and more secure for everyone.