Create 02-API_Broken_Object_Level_Authorization.md #1190
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add API BOLA Testing
|
Thanks, will try to review this week. Hit me up if you haven't heard by Friday morning 😉 |
kingthorin
reviewed
Mar 24, 2025
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
Comment on lines
75
to
85
| ## Remediations | ||
|
|
||
| To prevent BOLA, implement the following mitigations: | ||
|
|
||
| **Object Ownership Checks**: Ensure that object-level authorization checks are performed for every API request. Always verify that the user making the request is authorized to access the requested object. | ||
|
|
||
| **Role-Based Access Control (RBAC)**: Implement RBAC policies that define which roles can access or modify specific objects. | ||
|
|
||
| **Least Privilege Principle**: Apply the principle of least privilege to ensure that users can only access the minimum set of objects they need for their role. | ||
|
|
||
| **Use UUIDs or Non-Sequential IDs**: Prefer non-predictable, non-sequential object identifiers (e.g., **UUIDs** instead of simple integers) to make enumeration and brute-force attacks harder. |
There was a problem hiding this comment.
Have a look at the template and make sure the heading matches. Use bullets :)
...plication_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization_(BOLA).md
Outdated
Show resolved
Hide resolved
…to 02-API_Broken_Object_Level_Authorization.md
fixed small lint issue
This comment was marked as resolved.
This comment was marked as resolved.
kingthorin
reviewed
Mar 28, 2025
...-Web_Application_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization.md
Outdated
Show resolved
Hide resolved
…API_Broken_Object_Level_Authorization.md
|
@irgoncalves could you apply these changes/additions? I'm unable to for some reason: diff --git a/document/4-Web_Application_Security_Testing/12-API_Testing/README.md b/document/4-Web_Application_Security_Testing/12-API_Testing/README.md
--- document/4-Web_Application_Security_Testing/12-API_Testing/README.md
+++ document/4-Web_Application_Security_Testing/12-API_Testing/README.md
@@ -3,5 +3,7 @@
4.12.0 [API Testing Overview](00-API_Testing_Overview.md)
4.12.1 [API Reconnaissance](01-API_Reconnaissance.md)
+4.12.2 [API Reconnaissance](02-API_Broken_Object_Level_Authorization)
+
4.12.99 [Testing GraphQL](99-Testing_GraphQL.md)
diff --git a/document/README.md b/document/README.md
--- document/README.md
+++ document/README.md
@@ -313,8 +313,10 @@
#### 4.12.0 [API Testing Overview](4-Web_Application_Security_Testing/12-API_Testing/00-API_Testing_Overview.md)
#### 4.12.1 [API Reconnaissance](4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance.md)
+#### 4.12.2 [API Reconnaissance](4-Web_Application_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization)
+
#### 4.12.99 [Testing GraphQL](4-Web_Application_Security_Testing/12-API_Testing/99-Testing_GraphQL.md)
## 5. [Reporting](5-Reporting/README.md)
|
kingthorin
reviewed
Mar 28, 2025
...-Web_Application_Security_Testing/12-API_Testing/02-API_Broken_Object_Level_Authorization.md
Outdated
Show resolved
Hide resolved
…API_Broken_Object_Level_Authorization.md
kingthorin
approved these changes
Mar 29, 2025
|
Thank you!! |
|
Don’t forget to fire in a PR adding yourself to the credits in section 1. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add API BOLA Testing
This PR is part of issue #5.
What did this PR accomplish?