Broken Function Level Authorization in vAPI

Prathamesh Khatavkar
3 min read · May 5, 2023

In this article, we are going to explore another interesting vulnerability: Broken Function Level Authorization (BFLA).

Before proceeding, make sure that all the prerequisites (vAPI, Postman, and Burp Suite) are in place and working.

  • Definition:

This vulnerability is a variant of BOLA, which we have already seen in another post. In BOLA we can read information that we are not supposed to see; in BFLA we can perform actions on data that we are not permitted to act on.

  • Understanding scenario:

The API1 endpoint is made up of three requests: Create User, Get User, and Update User.

We submitted the Create User request with dummy data, and it created a user with the provided username and assigned us a unique id, 59. Nice, but nothing suspicious so far.

We already know that the Get User request is vulnerable to BOLA, so we move on to the Update User request. It is a simple method for updating user data, and that is exactly the kind of operation that could be subject to BFLA.

The Update User request takes the same fields we provided when creating a user, and with it we can update the data of existing users. The question is whether we can update the data of users we are not allowed to modify.

  • Attacking

We have another user with 'id': '53', 'username': 'bfla8', 'subject': 'vapi', and 'name': 'baka'. We now try to change the subject by sending an Update User request with the victim account's id in the URL parameter, keeping only the fields we want to update in the request body, set to the values we want to change.

This is how we successfully exploited Broken Function Level Authorization in vAPI. To confirm, we check the victim account's details with the Get User request: the results show that the subject of the user with id 53 has been changed from 'vapi' to 'vapi bfla', even though our authenticated account id was 59.
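To make the root cause concrete, here is an added example (not vAPI's own code) that models the Update User handler twice: once as the BFLA-prone version the walkthrough above exploits, and once with the ownership check it is missing. The in-memory users and the username for id 59 are constructed from the values quoted in the post.

```python
# Added example, not vAPI's own code: a minimal model of the Update User
# handler with and without an object-level ownership check.
from typing import Dict

# Constructed in-memory "database" mirroring the two users from the post.
# The username for id 59 is a placeholder; the post only calls it dummy data.
USERS: Dict[int, dict] = {
    53: {"username": "bfla8", "subject": "vapi", "name": "baka"},
    59: {"username": "dummy59", "subject": "test", "name": "tester"},
}

ALLOWED_FIELDS = {"username", "subject", "name"}


def fresh_users() -> Dict[int, dict]:
    """Return a copy so every run starts from the same state."""
    return {uid: dict(rec) for uid, rec in USERS.items()}


def update_user_vulnerable(db, auth_user_id: int, target_id: int, body: dict) -> int:
    """BFLA-prone: the token proves WHO is calling, but the handler never
    checks that the caller may modify the row selected by the URL parameter."""
    if target_id not in db:
        return 404
    db[target_id].update(body)  # writes whichever id the URL names
    return 200


def update_user_fixed(db, auth_user_id: int, target_id: int, body: dict) -> int:
    """Hardened: authorize against the authenticated identity before any read
    or write, and accept only the fields the API is meant to expose."""
    if target_id != auth_user_id:      # check ownership first so the response
        return 403                     # does not reveal whether the id exists
    if target_id not in db:
        return 404
    if not set(body) <= ALLOWED_FIELDS:  # reject unexpected fields such as 'id'
        return 400
    db[target_id].update(body)
    return 200


def demo():
    """Replay the post's scenario: user 59 tries to rewrite user 53's subject."""
    body = {"subject": "vapi bfla"}
    db_v = fresh_users()
    status_v = update_user_vulnerable(db_v, auth_user_id=59, target_id=53, body=body)
    db_f = fresh_users()
    status_f = update_user_fixed(db_f, auth_user_id=59, target_id=53, body=body)
    return status_v, db_v[53]["subject"], status_f, db_f[53]["subject"]
```

Running `demo()` returns `(200, 'vapi bfla', 403, 'vapi')`: the vulnerable handler silently rewrites the victim's row, while the fixed one refuses the cross-account write and leaves the data untouched.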

Note:

This attack will fail if you have not correctly loaded the vAPI project into Postman. Once the appropriate environment is selected, Postman handles token parsing in the background, as demonstrated in the figure below. This simple step can save you a lot of time and effort.

Broken Object Level Authorization in vAPI
https://medium.com/@evilprince007/broken-object-level-authorization-in-vapi-8a994c50b711

Prathamesh Khatavkar

Information Security Engineer | Security Enthusiast | Noble Hacker | World is free place then why pay for knowledge |