Broken Object Level Authorization in vAPI

Prathamesh Khatavkar
3 min read · May 5, 2023

In this story, we will understand and walk through the vulnerability of BOLA (Broken Object Level Authorization).

We assume that the prerequisites for testing, such as vAPI, Postman, and Burp Suite, are correctly installed and set up.

  • Definition:

In this kind of vulnerability, a malicious user is able to access information that they should not be able to, e.g. internal private information, hidden information, or other users' information.

  • Understanding the scenario:

The key to a successful attack is understanding the battlefield, which means analyzing the request and response structure. From Postman we can observe that the API1 endpoint is made up of three requests: Create User, Get User, and Update User.

So we submitted the Create User request with dummy data, and it created a user with the provided username and assigned us a unique id. Nice, but nothing suspicious yet.

Then we moved on to the Get User request, which does not require any user input, so we submitted it directly and it returned our own information. However, the {{api1_id}} variable at the end of the URL is interesting: can we use that id parameter to obtain information about other users?

  • Attacking:

Now we know that the {{api1_id}} variable is nothing but the id parameter sent to the backend to fetch the data for that specific id. If the endpoint is vulnerable to BOLA, we can see other users' data simply by changing the id parameter to some arbitrary number.

We have already created one genuine user with the username bola2, which was assigned id 53. Keeping that in mind, in the Get User request we simply replace the {{api1_id}} variable with the number 1 and send the request.

Yeaaahh Booii! We are now able to retrieve another user's data, proving that the API is vulnerable to BOLA (Broken Object Level Authorization).
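To make the server-side cause of this finding concrete, here is an added example (not vAPI's own code) that models the API1 Get User endpoint twice: once checking only that a token is present, which is the BOLA pattern just exploited, and once tying the requested id to the identity the token was issued for. The users, ids and tokens are constructed sample data.

```python
# Added example: in-memory model of an API1-style "Get User" handler.
# The user records, ids and bearer tokens below are constructed for
# illustration and are not vAPI's real data or token format.

USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.test"},
    53: {"id": 53, "username": "bola2", "email": "bola2@example.test"},
}
# Bearer token -> id of the user it was issued to (constructed).
TOKENS = {"tok-alice": 1, "tok-bola2": 53}


def authenticate(headers):
    """Resolve the Authorization header to the caller's user id, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_user_vulnerable(headers, api1_id):
    """Authentication only: any valid token can read any id (BOLA)."""
    if authenticate(headers) is None:
        return 401, {"error": "unauthenticated"}
    user = USERS.get(api1_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user  # no check that api1_id belongs to the caller


def get_user_fixed(headers, api1_id):
    """Object-level authorization: the id in the URL must be the caller's."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if api1_id != caller:
        # Ownership is decided from the token, never from the URL.
        return 403, {"error": "forbidden"}
    return 200, USERS[caller]


if __name__ == "__main__":
    bola2 = {"Authorization": "Bearer tok-bola2"}
    # Same request as the walkthrough: user 53 asks for id 1.
    print("vulnerable:", get_user_vulnerable(bola2, 1))  # 200 + alice's record
    print("fixed:     ", get_user_fixed(bola2, 1))       # 403
```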

Note:

This attack will fail if you have not correctly loaded the vAPI project into Postman. Postman handles token parsing in the background, as shown in the figure below, once you select the appropriate environment. This simple step can save you a lot of time and brainpower.
