|
| 1 | +# API Broken Object Level Authorization |
| 2 | + |
| 3 | +|ID | |
| 4 | +|------------| |
| 5 | +|WSTG-APIT-02| |
| 6 | + |
| 7 | +## Summary |
| 8 | + |
| 9 | +Broken Object Level Authorization (BOLA) occurs when an API does not properly enforce authorization checks for each object accessed by the client. Attackers can manipulate object identifiers in API requests (such as IDs, GUIDs, or tokens) to access or modify resources they are not authorized to. This vulnerability is critical in APIs due to their direct access to underlying objects and the prevalence of APIs in modern applications. |
| 10 | + |
| 11 | +Exploiting BOLA can lead to unauthorized access to sensitive data, user impersonation, horizontal privilege escalation (accessing other users' resources), and vertical privilege escalation (gaining unauthorized admin-level access). |
| 12 | + |
| 13 | +## Test Objectives |
| 14 | + |
| 15 | +- The objective of this test is to identify whether the API enforces proper **object-level authorization** checks, ensuring that users can only access and manipulate objects they are authorized to interact with. |
| 16 | + |
| 17 | +## How to Test |
| 18 | + |
| 19 | +### Understand API Endpoints and Object References |
| 20 | + |
| 21 | +Review API documentation (e.g. OpenAPI specification), traffic, or use an interception proxy (e.g., **Burp Suite**, **ZAP**) to identify endpoints that accept object identifiers of interest. These could be in the form of **IDs**, **UUIDs**, or other references. |
| 22 | + |
| 23 | +Examples: |
| 24 | + |
| 25 | +- `GET /api/users/{user_id}` |
| 26 | +- `GET /api/orders/{order_id}` |
| 27 | +- `POST /graphql`\ |
| 28 | + `query: {user(id: "123") }` |
| 29 | + |
| 30 | +With the knowledge gained in the previous step, review and collect third-party object identifiers (e.g. user IDs, orders IDs etc) that can be used subsequently in the object identifiers manipulation. |
| 31 | + |
| 32 | +Additionaly, generate a list of potential object identifiers for brute-force. For example, if an API is retrieving a purchase order from an authenticated user, generate various purchase order IDs for testing. |
| 33 | + |
| 34 | +### Manipulate Object Identifiers in API Requests |
| 35 | + |
| 36 | +With the goal to determine if users can access or modify objects they do not own by altering object identifiers in API request, change the object identifier (e.g., user ID, order ID) in the URL or request body. |
| 37 | + |
| 38 | +Example: Modify a request like `GET /api/users/123/profile` (where 123 is the current user ID) to `GET /api/users/124/profile` (where 124 is another user's ID). |
| 39 | + |
| 40 | +Depending on the application context, utilize two different accounts to perform the tests. With an account A, create resources that exclusively belongs to that account (e.g. purchase order) and with an account B, try to access the resource from account A (e.g. purchase order). |
| 41 | + |
| 42 | +### Test Object-Level Access with Different HTTP Methods |
| 43 | + |
| 44 | +Test various **HTTP methods** for BOLA vulnerabilities: |
| 45 | + |
| 46 | +- **GET**: Try accessing unauthorized objects by manipulating the object ID in the request. |
| 47 | +- **POST/PUT/PATCH**: Attempt to create or modify objects that belong to other users. |
| 48 | +- **DELETE**: Try to delete an object owned by another user. |
| 49 | + |
| 50 | +### Test BOLA in GraphQL APIs |
| 51 | + |
| 52 | +For **GraphQL APIs**, send a query with a modified object ID in the query parameters (see [Testing GraphQL](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL)): |
| 53 | + |
| 54 | +Example: `query { user(id: "124") { name, email } }`. |
| 55 | + |
| 56 | +### Test for Bulk Object Access |
| 57 | + |
| 58 | +Test if the API allows unauthorized **bulk access** to objects. This could happen in endpoints that return lists of objects. |
| 59 | + |
| 60 | +Example: `GET /api/users` returns data for all users instead of only the authenticated user’s data. |
| 61 | + |
| 62 | +## Indicators of BOLA |
| 63 | + |
| 64 | +- **Successful exploitation**: If modifying an object ID in the request returns data or allows actions on objects that belong to other users, the API is vulnerable to BOLA. |
| 65 | +- **Error responses**: Properly secured APIs in general would return `403 Forbidden` or `401 Unauthorized` for unauthorized object access. A `200 OK` response for another user's object indicates BOLA. |
| 66 | +- **Inconsistent responses**: If some endpoints enforce authorization and others do not, it points to incomplete or inconsistent security controls. |
| 67 | + |
| 68 | +## Remediation |
| 69 | + |
| 70 | +- **Object Ownership Checks**: Ensure that object-level authorization checks are performed for every API request. Always verify that the user making the request is authorized to access the requested object. |
| 71 | +- **Role-Based Access Control (RBAC)**: Implement RBAC policies that define which roles can access or modify specific objects. |
| 72 | +- **Least Privilege Principle**: Apply the principle of least privilege to ensure that users can only access the minimum set of objects they need for their role. |
| 73 | +- **Use UUIDs or Non-Sequential IDs**: Prefer non-predictable, non-sequential object identifiers (e.g., **UUIDs** instead of simple integers) to make enumeration and brute-force attacks harder. |
| 74 | + |
| 75 | +## Tools |
| 76 | + |
| 77 | +- **ZAP**: Automated scanners or manual proxy tools can help test object references in API requests. |
| 78 | +- **Burp Suite**: Use the **Repeater** or **Intruder** tools to manipulate object IDs and send multiple requests to test access control. |
| 79 | +- **Postman**: Send requests with altered object IDs and observe the responses. |
| 80 | +- **Fuzzing Tools**: Use fuzzers to brute-force object IDs and check for unauthorized access. |
| 81 | + |
| 82 | +## References |
| 83 | + |
| 84 | +- [OWASP API Security Top 10: BOLA](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/) |
| 85 | +- [OWASP Testing Guide: Testing for Insecure Direct Object References (IDOR)](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References) |
| 86 | +- [OWASP Testing Guide: Testing for GraphQL](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL) |
0 commit comments