API-01 Broken Object Level Authorization (2024)

FAQs

What is a broken object level authorization? ›

Broken object level authorization is a security vulnerability that occurs when an application or application programming interface (API) provides access to data objects based on the user's role, but fails to verify if the user is authorized to access those specific data objects.

Broken Object Level Authorization (BOLA), formerly known as Insecure Direct Object Reference (IDOR), consistently ranks as a top API security threat. In essence, it occurs when an API lacks strict checks to ensure a user is only accessing data or resources for which they have legitimate permissions.

Broken Object Level Authorization occurs when an application fails to properly restrict access to specific objects. To put it simply, if an application allows a user to manipulate the object identifier (ID) in a request and still returns information from a different object, it indicates a BOLA vulnerability.

Broken Authentication is a critical vulnerability that can compromise the security of user accounts and API systems. By understanding the nature of this vulnerability and implementing best practices for secure authentication, developers can significantly reduce the risk of unauthorized access and protect user data.

The first is role-based access control that restricts access based on roles and permissions. Secondly, task-based authorizations are used to specify access rights depending on tasks. Lastly, multi-layered security models define authorizations based on security levels (e.g., public, secret, confidential).

Broken authentication attacks aim to take over one or more accounts giving the attacker the same privileges as the attacked user. Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities.

At its core, BFLA arises from the absence of robust and function-specific authorization controls embedded directly into the API's design.

Best Practices for Authorization in APIs

Limit Access: Limit access to the API to only the resources that users or clients need to perform their tasks. It reduces the risk of data loss and security breaches. Use HTTPS: Use HTTPS to encrypt data transmitted between the API and the client.

Impact of Broken Authentication

Attackers can also manipulate or delete user data, impersonate legitimate users, perform fraudulent transactions, or even escalate their privileges within the application.

Broken Object Level Authorization is a type of access control vulnerability that allows an attacker to perform actions on a resource that they do not own or have permission to access. APIs, whether they are RESTful or GraphQL, often follow the CRUD (Create, Read, Update, Delete) model for resource manipulation.

What is an example of a broken access control vulnerability? ›

Common Broken Access Control Attack Techniques

For instance, an e-commerce application might use a user ID parameter in the URL to display a specific user's shopping cart. By modifying this parameter, an attacker could potentially view another user's cart contents.

In both cases, attackers gain unauthorized access to resources, data, etc., and/or can engage in account takeovers, privilege escalation, or other malicious activities. The main point of difference is that BFLA targets function while BOLA targets objects that the APIs interact with.

Credential stuffing is another common example of a broken authentication attack. It occurs when cybercriminals obtain login credentials through data breaches and then use these same login and password combinations to access unrelated accounts at separate services or organizations.

In short, broken authentication and session management is a major security risk. It can allow a hacker to steal a user's sensitive data or forge session data, such as cookies, to gain unauthorized access to websites.

If authentication is the process of verifying the identity of a user or entity requesting access to a system or application, broken authentication occurs when an attacker exploits a vulnerability in this process to gain unauthorized access.

Types of Broken Access Control Vulnerabilities

This allows attackers to manipulate these identifiers to access unauthorized data or perform actions. For example, if an e-commerce site uses order IDs directly in URLs without proper authorization checks, an attacker could potentially view or modify other users' orders.

An authorization object consists of up to 10 authorization fields. Combinations of authorization fields, which represent data and activities, are used to grant and check authorizations. Authorization objects are grouped together in authorization object classes. They are edited in transaction SU21.

Object-level security (OLS) enables model authors to secure specific tables or columns from report viewers. For example, a column that includes personal data can be restricted so that only certain viewers can see and interact with it. In addition, you can also restrict object names and metadata.