StackHawk
Hamburger Icon

Understanding and Protecting
Against API1:
Broken Object Level Authorization

stackhawk

StackHawk|March 14, 2024

Learn about OWASP API1 and the risks associated with examples and best practices to prevent Broken Object Level Authorization.

Imagine a scenario where a simple change in a URL grants an attacker access to your most sensitive data or even control over physical systems. That's the potential danger of broken Object-Level Authorization (BOLA), a widespread vulnerability plaguing APIs. BOLA can expose your financial records, medical information, or any data your application handles to malicious actors.

Broken Object Level Authorization occurs when an API fails to implement strict controls around who can access what. It's like leaving your house unlocked and hoping nobody with bad intentions walks in. In the world of APIs, attackers can manipulate object identifiers (like usernames, order numbers, or document IDs) to gain unauthorized access to resources they shouldn't have.

In this blog, we'll uncover the nature of this vulnerability and explore real-life examples of the damage it can cause. Most importantly, we'll arm you with the knowledge and strategies you need to safeguard your APIs, keeping your data and systems secure.

What is Broken Object Level Authorization (BOLA)?

Broken Object Level Authorization (BOLA), formerly known as Insecure Direct Object Reference (IDOR), consistently ranks as a top API security threat. In essence, it occurs when an API lacks strict checks to ensure a user is only accessing data or resources for which they have legitimate permissions.

Object-level authorization refers to an application's controls determining which users can perform actions on specific data objects. For instance, a healthcare app should ensure that patients can only view their medical records, not those belonging to others. The term "broken" in BOLA means that these authorization controls are either missing or flawed. This might manifest as an API relying too heavily on easily predictable object identifiers (such as customer IDs) or failing to validate if the user making the request has the proper permissions for the action.

BOLA attacks usually follow a pattern. First, the attacker analyzes API requests and responses, looking for patterns in how objects are referenced (e.g., /users/{userID} or /orders/{orderID}). Then, they experiment by changing the value of those object identifiers in their requests, attempting to access data belonging to other users or resources. If the API doesn't enforce proper authorization, the attacker could successfully view, edit, or even delete sensitive data. In the most critical cases, they might gain complete control over objects they should not be able to manipulate.

BOLA is widespread and dangerous due to its ease of exploitation (often requiring minimal technical skill on the attacker's part) and the difficulty in detecting such vulnerabilities with standard security scanners. The impact of a successful BOLA exploit can range from privacy breaches to full-on account compromises, financial fraud, or even the sabotage of systems controlled through the API.

What is the difference between BOLA and Insecure Direct Object Reference (IDOR)?

You may have encountered both "BOLA" and "IDOR" used to describe this type of API vulnerability. While there's significant overlap, there's a subtle but essential distinction. Insecure Direct Object Reference (IDOR) is the older term, while Broken Object Level Authorization (BOLA) is the more current name for this widespread security flaw.

IDOR focuses on APIs that expose internal object references or identifiers an attacker can easily manipulate. Think of a URL structure like /api/customers/{customerID} where an attacker might change the customerID to try accessing other users' data. The shift to the term BOLA emphasizes that the core problem isn't simply the type of reference used but a deeper issue: broken authorization logic. This could manifest in several ways, including the reliance on predictable object identifiers or failure to rigorously validate that the user making the request has ownership or legitimate permissions to interact with the targeted object.

To sum up, all IDOR vulnerabilities are examples of BOLA. However, not all BOLA vulnerabilities necessarily involve directly exposed and easily manipulated object references. The heart of the matter always lies in a failure to implement object-level authorization checks correctly within the API.

What is the root cause of BOLA?

BOLA vulnerabilities stem from flawed development practices prioritizing ease of implementation over robust authorization controls within API logic. Let's dissect the primary factors that lead to this issue:

Over-reliance on Object Identifiers

Directly referencing objects in API endpoints and requests using sequential numerical IDs, predictable strings, or other easily discernible patterns invite exploitation. Consider a URL like /api/documents/{documentID}. An attacker can easily substitute values for {documentid} to access documents they shouldn't have access to. While convenient for developers, using these references as the sole authorization factor is a significant security pitfall.

Lack of Ownership and Permission Verification

A fundamental misstep is failing to consistently validate that the user attempting an action has legitimate ownership of the targeted object or the necessary permissions to perform the action. APIs must verify these rights on a per-request basis.

Blind Trust in User Input

Any data a user provides, including object identifiers, must be treated with suspicion. Thorough input validation and sanitization are essential to prevent attackers from crafting malicious values that could subvert API logic. Failing to do so leaves the system vulnerable to unexpected manipulations that authorization checks might miss.

Insufficient Focus on Authorization

In pressured development environments, an API's core functionality can sometimes overshadow security considerations. This could lead to inconsistent authorization logic, with some endpoints rigorously protected and others left vulnerable. Worse, authorization might be omitted altogether from certain API operations.

The Fallacy of Obscurity

Developers might wrongly believe that using hard-to-guess object identifiers (like long UUIDs) is sufficient protection. However, determined attackers will find ways to discover or predict these references, rendering a false sense of security.

In essence, BOLA boils down to a failure to explicitly and meticulously implement object-level authorization checks within the API. Convenience and assumptions of obscurity should never replace robust authorization mechanisms.

What is an Example of BOLA?

Let's explore more scenarios to illustrate how BOLA can appear in different applications and understand the common pitfalls leading to these vulnerable patterns. Here, we will look at three scenarios covering various ways this vulnerability could manifest.

Scenario #1: Leaky Social Media Profiles

Imagine that a social media platform allows users to update their profile information with an API endpoint like this:

PATCH /api/users/profile 
{ 
   "userID": 12345,
   "displayName": "My New Name",
   ... // other profile fields
} 

If the API blindly trusts the provided user ID and doesn't verify it against the ID of the currently logged-in user, an attacker could modify anyone's profile. By allowing attackers to access the API without verifying that they only have access to change their specific profile, the social media platform could face reputational damage, spread misinformation, or even facilitate social engineering attacks. To prevent this, the API needs a mechanism to tie the logged-in user's session to their legitimate ID and ensure that submitted objects belong to them.

Scenario #2: Medical Record Tampering

Next, let's look at a healthcare system that has an API to retrieve patient records. For example, the API may look like this:

GET /api/patients/{patientID}/records

Confidentiality is compromised if any authenticated user (regardless of role) can retrieve any patient's records by changing the patient ID. So even though the API checks to see if the user is authenticated, it may not check to see if the user should have access to that patient's docs. The consequence of this could include a breach of sensitive medical information, and if the endpoint allows for data to be changed (such as a POST, PUT, or PATCH), there is also the potential for incorrect or malicious diagnoses and unauthorized record changes. To prevent this, strict role-based access control must be integrated into the API, ensuring users only access and change the data they legitimately need.

Scenario #3: Unintended Invoice Manipulation

Lastly, let's imagine a B2B invoicing system where there is an API to mark invoices as paid:

POST /api/invoices/{invoiceID}/markPaid

Attackers could disrupt cash flows if the API doesn't check the relationship between the logged-in user's company and the invoice ID. If invoice numbers are sequential, this could be made even more accessible. The potential consequences of this include having invoices that have already been paid be changed to unpaid invoices, which could harm business relationships. Falsely marking invoices as paid could lead to financial losses and revenue loss. To prevent this, the API must associate invoices with specific companies/accounts and verify that the user making changes is authorized for those entities.

Based on these examples, it's clear that BOLA is about failing to ask and enforce the question, "Is this user allowed to do this to this specific object?". Security and preventing BOLA attacks shouldn't be an afterthought; authentication and authorization should be baked into every API endpoint's design.

How to Protect Against BOLA

Although we've briefly covered how to prevent BOLA in the examples above, Let's dig further into the specifics. At the highest level, API development must adopt a more integrated approach toward authorization to protect against Broken Object Level Authorization (BOLA) threats. This approach ensures that authorization is not merely an auxiliary feature but a foundational aspect of API security. Below, we explore essential strategies that developers and organizations can adopt to fortify their APIs against BOLA vulnerabilities:

Rethinking Object Identifiers

Firstly, it's crucial not to depend solely on object identifiers like sequential IDs or UUIDs. While these identifiers might seem secure, they can be easily manipulated by attackers skilled in pattern recognition, leading to unauthorized access to sensitive resources. To counter this, implementing a comprehensive session management system is advisable. Such a system, complemented by user roles and permissions, enables fine-grained access control. Additionally, associating object identifiers with authenticated user sessions and their permissions can significantly bolster the legitimacy of access requests.

Strict Authorization Checks

Secondly, enforcing proper access control and strict authorization checks at every API endpoint is non-negotiable. These checks should verify the requestor's identity and confirm their ownership or permission levels regarding the object or action they are trying to initiate. This dual-layer verification is a barrier against unauthorized users and access and should help prevent BOLA.

Importance of Input Validation and Sanitization

Thirdly, the importance of input validation and sanitization cannot be overstated. Malicious users often craft inputs designed to exploit vulnerabilities in API authorization logic. The risk of injection attacks is heavily reduced by ensuring that object identifiers adhere to expected formats and sanitizing inputs to reject or escape special characters.

Principle of Least Privilege

As with any system with sensitive data, the principle of least privilege offers another layer of defense. This principle helps to limit user and system component permissions to the bare minimum necessary for their roles or tasks. This approach minimizes the potential impact of a BOLA breach, as compromised accounts are restricted in their actions.

Leveraging API Gateways

Lastly, the adoption of API gateways can significantly enhance API security. API gateways facilitate the implementation of sophisticated authorization mechanisms by serving as centralized points for policy enforcement and security controls. This strengthens security and promotes consistency across an organization's entire API ecosystem.

Overall, protecting against BOLA requires a comprehensive and proactive approach that integrates robust authorization measures into the very fabric of API development. By adopting these strategies, developers, and organizations can significantly mitigate the risk of BOLA vulnerabilities and safeguard their digital assets. To see how to do some of the above in an end-to-end example, check out our guide on preventing BOLA in Node.

How StackHawk Can Help Detect and Prevent BOLA

When it comes to traditional DAST solutions, BOLA detection was usually not on the menu. Luckily, StackHawk goes beyond traditional DAST solutions by actively testing for BOLA (Broken Object Level Authorization) and IDOR vulnerabilities.

StackHawk is a modern, powerful DAST tool designed for developers to integrate application security testing seamlessly into their software development lifecycle. It is not just another security tool; it's a developer-first platform emphasizing automation, ease of use, and integration into existing development workflows.

At its core, StackHawk is built around empowering developers to take the lead in application security. It provides a suite of tools that make it easy to find, understand, and fix security vulnerabilities before they make it to production. One of the critical components of StackHawk is HawkScan, a dynamic application security testing (DAST) tool that scans running applications and APIs to identify security vulnerabilities.

With StackHawk, developers and security teams can:

  • Automate Security Testing: Integrate security testing into CI/CD pipelines, ensuring every build is automatically scanned for vulnerabilities.

  • Identify and Fix Vulnerabilities: Receive detailed, actionable information about each vulnerability, including where it is in the code and how to fix it.

  • Test in All Environments: Use StackHawk in various environments, including development, staging, and production, to catch security issues at any stage of the development process.

  • Customize Scans: Tailor scanning configurations to suit specific applications and environments, ensuring more relevant and accurate results.

By focusing on a developer-first approach to security testing and integrating smoothly into existing dev tools and practices, StackHawk demystifies application security, making it a more approachable and manageable part of the software development lifecycle. Next, we will look at exactly how simple it is to configure StackHawk to begin testing your applications for potential BOLA vulnerabilities.

Enabling BOLA Detection in HawkScan

Enabling BOLA (and IDOR) detection in StackHawk is easy. Two ways to do this are using the "OpenAPI - Experimental" policy or customizing an existing policy. The "OpenAPI - Experimental" policy allows users to scan for the vulnerabilities outlined in the OWASP API Security Top 10.

To set HawkScan up with the "OpenAPI - Experimental" policy, you will log into StackHawk, go to the Applications screen, and click on the settings link for your application.

Understanding and Protecting Against API1: Broken Object Level Authorization
 image

Next, on the Settings screen, under HawkScan Settings, click the Applied Policy dropdown and select the "OpenAPI - Experimental" policy.

Understanding and Protecting Against API1: Broken Object Level Authorization image

At this point, you can then run HawkScan and begin detecting potential BOLA vulnerabilities. Of course, another way to do this is to simply customize an existing policy to scan for BOLA/IDOR vulnerabilities. To show how this can be done, we can navigate to the same HawkScan Settings section that we looked at above. From here, we will select the "OpenAPI/REST API" policy from the Applied Policy dropdown.

Understanding and Protecting Against API1: Broken Object Level Authorization
 image

Next, click the Edit Policy button right beside the dropdown.

Understanding and Protecting Against API1: Broken Object Level Authorization
 image

On the next screen, under the Plugins and Tests section, click on the BOLA entry to enable HawkScan to execute tests for potential BOLA vulnerabilities.

Understanding and Protecting Against API1: Broken Object Level Authorization
 image

If you also want to enable IDOR testing, you can click on the Passive Scan Plugins tab and then select IDOR.

Understanding and Protecting Against API1: Broken Object Level Authorization image

Regardless of how you have enabled BOLA testing in HawkScan, your tests will include testing for potential BOLA vulnerabilities (and IDOR, if you enabled it)!

Conclusion

Understanding BOLA is a crucial first step in securing your APIs, but implementing robust authorization mechanisms in the real world can be complex. The key lies in empowering your developers with the tools and knowledge they need to build security into the core of your API design.

StackHawk goes beyond simply identifying potential BOLA vulnerabilities in your running application. It bridges the gap between detection and remediation by providing clear explanations, actionable guidance, and seamless integration into your existing development workflows. This collaborative approach makes API security less intimidating and helps developers instill secure coding practices.

By proactively using StackHawk to detect and address BOLA vulnerabilities, you can significantly minimize the risks of this common API threat. Sign up for a 14-day free trial of StackHawk today to experience the difference StackHawk makes in detecting BOLA vulnerabilities and other API security issues outlined in the OWASP API Top 10.


StackHawk  |  March 14, 2024

Read More

Understanding and Protecting Against OWASP API10: Unsafe Consumption of APIs

Understanding and ProtectingAgainst OWASP API10: UnsafeConsumption of APIs

Understanding The 2023 OWASP Top 10 API Security Risks

Understanding The 2023 OWASP Top 10 APISecurity Risks

 API Security Best Practices: The Ultimate Guide

API SecurityBest Practices: The Ultimate Guide