OWASP API #1 BOLA
Aaron Birnbaum
Security Savvy Speaker | vCISO | TRaViS ASM Founder | Cybersecurity Whisperer | CISSP | MBA Thoughts, opinions, rants, etc. are my own and are in no way affiliated with any employer/partner/contractor/babysitter/relative
I thought about doing a breakdown of the OWASP Top 10 for beginners and then thought, "that's been done to death". So I'm going to start a series on the OWASP Top 10 for Application Programming Interfaces, aka APIs.
It's 2023, and APIs are the hot "new" attack vector for criminals. Ignore API security and you might as well send out an engraved invitation to your data breach party. Some API threats are easy to catch with a vulnerability scanner; others, BOLA among them, are authorization logic flaws that scanners rarely spot, and those can sit undetected for years.
API Security: Defeating the BOLA Threat
Today we're tackling the dastardly BOLA: Broken Object Level Authorization. No, not Ebola. BOLA. It sits at number one on the OWASP API Security Top 10.
First some background:
A data object is a collection of one or more data points that together form a single entity. In other words, "data object" is another way of saying "this group of data should be thought of as standalone." Common examples are database rows or records, files, arrays, sets and scalar values, and in an API each such object is usually addressed by an identifier such as an order number, a user ID or a file name.
Object-level authorization is the set of controls that decide which users may access which objects, be they database records or files, and what they may do to them. For example, a user might be allowed to view specific rows in a database but not edit or delete them. When those controls are missing, broken, or coded insecurely, we have issues.
BOLA vulnerabilities are usually caused by insecure coding practices: an endpoint accepts an object identifier from the client, looks that object up, and never checks that the caller is actually allowed to see it. Authentication answers "who are you"; BOLA is the failure to also ask "is this object yours". We see it when an API's access controls are overly permissive or when individual API resources are not secured at all.
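To make the failure concrete, here is an added example (not code from the article or from any product it mentions). It models a tiny `/orders/{id}` endpoint with an in-memory table and constructed sample sessions. The vulnerable handler authenticates the caller and then trusts the client-supplied order ID; the fixed handler also requires the object to belong to the caller and answers 404 on a miss so status codes cannot be used to enumerate other people's IDs. A small probe function then replays one user's object ID with another user's token against each handler, which is the basic manual test for BOLA. All names, tokens and IDs are hypothetical.

```python
"""Added BOLA example: vulnerable vs. fixed object lookup, plus a cross-account probe.

Everything here (orders, tokens, user IDs) is constructed for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int
    ship_to: str


# Constructed sample data: two customers, two orders. Sequential IDs, as is
# common in practice, make guessing someone else's object trivial.
ORDERS = {
    1001: Order(1001, owner_id=7, total_cents=4999, ship_to="1 Alice Way"),
    1002: Order(1002, owner_id=8, total_cents=12999, ship_to="2 Bob Blvd"),
}

# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 7, "tok-bob": 8}

Response = Tuple[int, Optional[dict]]  # (HTTP status, JSON body or None)


def authenticate(token: str) -> Optional[int]:
    """Authentication only: tells us who is calling, nothing about what they may read."""
    return SESSIONS.get(token)


def get_order_vulnerable(token: str, order_id: int) -> Response:
    """BOLA: the caller is authenticated, but any valid session can read any order."""
    user_id = authenticate(token)
    if user_id is None:
        return 401, None
    order = ORDERS.get(order_id)  # lookup keyed only on the client-supplied id
    if order is None:
        return 404, None
    return 200, asdict(order)


def get_order_fixed(token: str, order_id: int) -> Response:
    """Object-level authorization: the order must belong to the authenticated caller.

    Against a real database this is the equivalent of
    SELECT ... FROM orders WHERE id = ? AND owner_id = ?
    i.e. the ownership condition is part of the lookup, not an afterthought.
    """
    user_id = authenticate(token)
    if user_id is None:
        return 401, None
    order = ORDERS.get(order_id)
    # Same 404 for "does not exist" and "not yours", so the status code does not
    # become an oracle for which IDs are valid.
    if order is None or order.owner_id != user_id:
        return 404, None
    return 200, asdict(order)


def probe_bola(handler: Callable[[str, int], Response],
               victim_order_id: int, attacker_token: str) -> bool:
    """Return True if the attacker's session can read the victim's object.

    This is the core manual BOLA test: take an object ID observed in one
    account's traffic and replay it under a different account's credentials.
    """
    status, body = handler(attacker_token, victim_order_id)
    return status == 200 and body is not None


if __name__ == "__main__":
    # Bob (owner of 1002) asks for Alice's order 1001.
    print("vulnerable handler leaks:", probe_bola(get_order_vulnerable, 1001, "tok-bob"))
    print("fixed handler leaks:     ", probe_bola(get_order_fixed, 1001, "tok-bob"))
    print("owner still served:      ", get_order_fixed("tok-alice", 1001)[0])
```

The important design point is in `get_order_fixed`: ownership is part of the lookup itself rather than a check bolted on after the fact, and a failed ownership check is indistinguishable from a missing object. Run the probe against every endpoint that takes an ID, with at least two accounts, and any 200 is a finding.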
Think of it this way:
SOME people (never me) and their friends would go to a nightclub, and some of those friends were not of legal drinking age. The legal-age ones would go through the doorman, show their ID, give their name for the guest list, and go inside. (Nice identification and authorization example there, btw: the ID authenticates you, the guest list authorizes you.)
Many nightclubs, on entry, would give you a wristband or an ink stamp on your hand. After a few minutes, some people would head back outside to "leave their coat in the car" or "get some fresh air".
They would then find the underage friend and smush hands to transfer the ink stamp. Both would wait a little while and walk back in, showing their hands as they passed the doorman. The doorman would glance over, see the ink stamps, and let them both in. The stamp proves that someone was authorized once; nobody checks that the hand it is on belongs to the person who was authorized. That is exactly the check an API with BOLA skips.
BOLA vulnerabilities occur when one user can access other users' data because the authorization controls that should validate access to each data object are insufficient or absent.
Remember the 2018 USPS breach? A flaw in an API behind usps.com let anyone with an ordinary usps.com account query the account details of roughly 60 million other users. Textbook BOLA.
How do we protect our systems from BOLA?
BOLA vulnerabilities are some of the most dangerous API threats, and organizations need to take proactive steps to prevent them:
<Shameless plug> Seron Security has a proprietary, passive, in-depth scanner that can deliver fast, actionable results, and we are looking for some beta testers… DM me. </shameless plug>