Create 02-API_Broken_Object_Level_Authorization_(BOLA).md #1190
Add API BOLA Testing
Thanks, will try to review this week. Hit me up if you haven't heard by Friday morning 😉
I'd suggest dropping the acronym and brackets from the file name, that just makes things harder to link and work with.
@@ -0,0 +1,98 @@ | |||
# Testing for Broken Object Level Authorization (BOLA) |
Here too
Example:\ | ||
`GET /api/users/{user_id}`\ | ||
`GET /api/orders/{order_id}`\ | ||
`POST /graphql`\ | ||
`query: {user(id: "123") }` |
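Review bot: the GraphQL line `query: {user(id: "123") }` is not valid GraphQL syntax (an operation has no `query:` key, and `user` needs a selection set); the later example in this same file, `query { user(id: "124") { name, email } }`, has the correct shape, so reuse that form here, or, if the intent is to show the `POST /graphql` request body, write it as JSON with a `"query"` key. The trailing backslashes only force hard line breaks, so a bulleted list reads better than backslash-terminated lines.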
Make this "Example" plural, and a bulleted list?
### Understand API Endpoints and Object References | ||
Review API documentation (e.g. OpenAPI specification), traffic, or use an interception proxy (e.g., **Burp Suite**, **OWASP ZAP**) to identify endpoints that accept object identifiers of interest. These could be in the form of **IDs**, **UUIDs**, or other references. |
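Review bot: the sentence is not parallel ("Review API documentation ..., traffic, or use an interception proxy"); "Review API documentation (e.g. OpenAPI specification) and captured traffic, or use an interception proxy (e.g. Burp Suite, ZAP), to identify endpoints ..." keeps the list consistent. The bold on product names is also inconsistent with the rest of the hunk, which uses bold for terms such as **IDs** and **UUIDs**; plain text for tool names would avoid that.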
ZAP left OWASP well over a year ago.
With the knowledge gained in the previous step, review and collect third-party object identifiers (e.g. user IDs, orders IDs etc) that can be used subsequently in the object identifiers manipulation. | ||
Additionaly, generate a list of potential object identifiers IDs for brute-force. For example, if an API is retrieving a purchase order from an authenticated user, generate various purchase order IDs for testing. |
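Review bot: typos in this hunk: "Additionaly" should be "Additionally", "orders IDs" should be "order IDs", and "in the object identifiers manipulation" reads better as "when manipulating object identifiers". "For brute-force" also leaves the object implicit; "for testing enumeration of object identifiers" says what the list is for and ties the second sentence to the first.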
"identifiers IDs" is essentially the same word twice 😉
Example: | ||
`query { user(id: "124") { name, email } }`. |
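Review bot: the example uses id "124" where the earlier example used "123", which is the entire point of the test, but the text never says so; add a sentence stating that "124" belongs to another user and that the query is sent with the first user's credentials, so the reader sees what manipulating the object identifier means in practice.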
Can be a single line.
Example: | ||
`GET /api/users` returns data for all users instead of only the authenticated user’s data. |
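Review bot: this example shows no object identifier being modified: `GET /api/users` returning every user is a collection endpoint that fails to scope results to the authenticated user. Either explain how it fits the BOLA section (a missing ownership filter on a list endpoint) or present it as a separate point, otherwise it reads as a different issue from the `{user_id}` and `{order_id}` examples above.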
one line
**Successful exploitation**: If modifying an object ID in the request returns data or allows actions on objects that belong to other users, the API is vulnerable to BOLA. | ||
**Error responses**: Properly secured APIs in general would return `403 Forbidden` or `401 Unauthorized` for unauthorized object access. A `200 OK` response for another user's object indicates BOLA. | ||
**Inconsistent responses**: If some endpoints enforce authorization and others do not, it points to incomplete or inconsistent security controls. |
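Review bot: in the **Error responses** line, `401 Unauthorized` signals missing or invalid authentication, not a denied object access; an authenticated request for another user's object should get `403 Forbidden` (or `404 Not Found` where the API avoids revealing existence), so drop `401` from the expected responses or state when it applies. A `200 OK` alone is also not conclusive if the body is empty or filtered, so the **Successful exploitation** line should say that the response body must actually contain the other user's data.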
Bullets
## Remediations | ||
To prevent BOLA, implement the following mitigations: | ||
**Object Ownership Checks**: Ensure that object-level authorization checks are performed for every API request. Always verify that the user making the request is authorized to access the requested object. | ||
**Role-Based Access Control (RBAC)**: Implement RBAC policies that define which roles can access or modify specific objects. | ||
**Least Privilege Principle**: Apply the principle of least privilege to ensure that users can only access the minimum set of objects they need for their role. | ||
**Use UUIDs or Non-Sequential IDs**: Prefer non-predictable, non-sequential object identifiers (e.g., **UUIDs** instead of simple integers) to make enumeration and brute-force attacks harder. |
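Review bot: the **Use UUIDs or Non-Sequential IDs** item is not a fix for BOLA, as its own wording ("make enumeration and brute-force attacks harder") shows; a UUID obtained through any other channel still yields the object if the ownership check is missing. Present it as defense in depth that complements **Object Ownership Checks** rather than as one of the mitigations, and align the heading with the template's "Remediation" and the items with its bullet style.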
Have a look at the template and make sure the heading matches. Use bullets :)
## Tools | ||
- **OWASP ZAP**: Automated scanners or manual proxy tools can help test object references in API requests. |
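Review bot: the Tools section lists only ZAP, but the **Understand API Endpoints and Object References** section above also names Burp Suite; list both here so the tools match the procedure, and name the tool as ZAP without the OWASP prefix.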
Just ZAP
This PR covers issue #5.
What did this PR accomplish?