Decoding and Defending Against Broken Object Level Authorization (BOLA)

Broken Object Level Authorization (BOLA) is a recurring vulnerability in the OWASP API Top 10, representing a significant, yet common API security risk. This type of attack is essentially an access control issue, where users are able to perform actions on resources they are not authorized to access, according to the specified access control model.

It’s important to note that BOLA is not the sole access control issue identified by the OWASP API Top 10; there are three distinct access control issues categorized at different levels. BOLA specifically pertains to the individual object level.

Examples of this include creating a defamatory statement on a social media website using another user’s account, deleting a video on a video sharing website without being the uploader, removing a file from a cloud storage service linked to another user’s account, or altering an order for another user in an online shop.

But why is BOLA considered a critical API security risk?

APIs commonly expose standard CRUD (Create, Read, Update, Delete) endpoints and unique identifiers. While it might be assumed that users can only access resources they control, this control is often only enforced on the client side and not within the API itself.

To illustrate, let’s consider a RESTful API scenario.

The Clock app, a video sharing application available via both web and mobile interfaces, uses an API to prevent the need to rewrite backend logic for different platforms. This app allows users to register an account, upload videos, view others’ videos, and interact with any video on the platform by commenting or liking.

When a user needs to delete a video, the app makes an API call to DELETE /api/video/<Video ID>. Ideally, the API should verify that the user requesting the deletion is the same as the one who uploaded the video. However, this is not always the case.

The lack of this crucial logic check enables any user to delete any video. It’s important to note that BOLA issues are not limited to editing or deleting resources; they can affect any CRUD functionality. For instance, while it might be intentional for a guest to view a video uploaded by another user, they should not have access to private videos.

The impact of these attacks varies depending on the specific business logic of an API or the application it supports.

Strategies for Mitigating BOLA: Beyond Technical Controls

Addressing all access control vulnerabilities typically involves implementing robust access control measures. However, this is only part of the solution.

What makes BOLA particularly challenging is the tendency of APIs to experience ‘API sprawl,’ where they have a large attack surface comprising hundreds of endpoints or resources. It’s understandably difficult to identify, document, and apply appropriate access controls to every endpoint.

With developers constantly adding to APIs, it’s common for some API routes to be automatically generated to improve code efficiency during development. These ‘shadow APIs’ can easily be overlooked when implementing access control measures.

The most effective way to mitigate and prevent BOLA is not solely through technical controls such as Web Application Firewalls (WAFs), but also through maintaining comprehensive API inventories, providing clear documentation for API endpoints and their access controls, and implementing a thorough application security program to track vulnerabilities and ensure they are rectified promptly.

The Bottom Line

In summary, Broken Object Level Authorization (BOLA) presents a significant and intricate challenge in the realm of API security. Its complexity is heightened by the prevalent issue of ‘API sprawl’, where the expansive array of endpoints amplifies the risk of unauthorized access. Addressing this requires more than just traditional technical controls like Web Application Firewalls (WAFs).

A holistic approach is essential, one that encompasses the creation and maintenance of detailed API inventories, the provision of clear and comprehensive documentation for all API endpoints and their respective access controls, and the establishment of a robust application security program.

This program should not only focus on promptly addressing vulnerabilities but also on proactively preventing them through continuous monitoring, regular updates, and developer education in secure coding practices. Equally important is cultivating a security-conscious culture within organizations, ensuring that all team members are aware of the potential risks and their role in maintaining API security.

Ultimately, the battle against BOLA and similar vulnerabilities in API security is ongoing and dynamic. It demands vigilance, adaptability, and a commitment to security best practices at every level of the organization. By embracing these comprehensive strategies, businesses can significantly enhance their defenses against unauthorized access and safeguard their digital assets effectively.

About Traceable

Traceable is the industry’s leading API Security company helping organizations achieve API visibility and attack protection in a cloud-first, API-driven world. Traceable is the only intelligent and context-aware solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring their customers. To learn more about how API security can help your business, book a demo with a security expert.