Broken Object Level Authorization [API SECURITY — 0x1]
Hi, My name is Hashar Mujahid. I am a security researcher and a penetration testing student. This is the first blog of the API SECURITY series where we will learn about some common security vulnerabilities that APIs are prone to.
We can not understand object-level authorization until we have a solid understanding of the object.
WHAT IS AN OBJECT?
An object is a piece of code that process and stores some information. This is similar to the object in OOP (object-oriented programming). In lamens terms, the object can be an id of the user, email, username, account, personal notes, etc. An object can be any data within an application.
WHAT IS AUTHORIZATION ON THE OBJECT?
Authorization is the process of granting access to specific objects or data within an application based on a user’s privilege level. Authorization is implemented to maintain the confidentiality, integrity, and availability of the data or object.
The main purpose is to make sure the object is accessed by the people it is intended for. Like some functionalities and information are hidden in web applications and APIs and only the admin can access them this is done by implementing checks on the authorization level of the user while accessing them.
Now we have some understanding of the Object and Authorization implemented on it Let’s discuss what is broken object-level authorization.
WHAT IS BROKEN OBJECT-LEVEL AUTHORIZATION?
Broken Object-Level Authorization is a vulnerability in which an unauthorized person is able to retrieve, modify and delete confidential information from the API.
Let’s take an example:
Suppose an attacker signup on to an API provider. When he retrieved his account information he saw an interesting parameter.
http://supersecureapi/api/v2/getuser/1223
He made an assumption that the number at the end is his user-id so he tried to enter 1 instead of his id.
http://supersecureapi/api/v2/getuser/1
and he was able to retire all the information about the admin’s account.
This is what BOLA is.
PRACTICAL LAB:
To demonstrate this vulnerability we will use a lab environment called “vapi”. Download the swagger.json file and import it in postman. You should have an interface like this.
Let’s test the API1 for BOLA.
We can see there are 3 requests which perform these functionalities Signup, Get info, and Update. Let’s signup.
To signup, we need to set the body parameters that are required.
We can see our new user is created and we got his unique id. Let’s now fetch this user’s details by using get user request.
We can we our information. But let's try to change the id parameter and see if we can retrieve information about other users.
We can see we were able to retrieve information about other users.
This is what Broken Object-Level Authorization. Hope you have understood what BOLA is. Follow me for more upcoming blogs about API security vulnerabilities.
Till then Happy Hacking ❤.
