Skip to Primary Menu Skip to Utility Menu Skip to Main Content Skip to Footer
Noname is now Akamai API Security. Learn about the new capabilities now available, and what it means for your defense.
Learn more
Noname Security Logo
/
/
API-01 Broken Object Level Authorization

API-01 Broken Object Level Authorization

John Natale
Share this article

Key Takeaways

The ability to access multiple credentials in an API is known as Broken Object Level Authorization (BOLA). BOLA is ranked number one on the OWASP API Top 10 security risks. BOLA is the top threat to API security because it is so hard to discover. The only way to detect this kind of issue is to look at not only the request and responses, but at the series of requests.

Broken Object Level Authorization, or BOLA, is the top API security threat on the OWASP API Security Top 10. It occurs when an attacker can successfully request a data object that should be restricted.

What is Broken Object Level Authorization (BOLA)?

Broken Object Level Authorization is a type of access control vulnerability that allows an attacker to perform actions on a resource that they do not own or have permission to access. APIs, whether they are RESTful or GraphQL, often follow the CRUD (Create, Read, Update, Delete) model for resource manipulation. BOLA occurs when an attacker can create, read, update, or delete a resource that belongs to another user.

Examples of Broken Object Level Authorization Vulnerabilities

Broken Object Level Authorization vulnerabilities can have various implications depending on the API’s business logic. Here are a few practical examples:

  1. Editing a post to falsely attribute it to another user.
  2. Viewing or deleting documents in someone else’s cloud storage.
  3. Accessing private posts or photos on a social media platform.

The impact of a Broken Object Level Authorization vulnerability can range from minor to severe, depending on the nature of the API and the sensitivity of the resources being accessed.

Why is Broken Object Level Authorization a Problem in APIs?

APIs expose a large attack surface, with multiple endpoints for different CRUD operations. As APIs grow larger and more complex, the number of endpoints increases, making it challenging to ensure proper access control for each resource. Additionally, APIs often use easily recognizable IDs, making it easier for attackers to predict or manipulate resource identifiers.

Mitigating Broken Object Level Authorization Vulnerabilities

To address Broken Object Level Authorization vulnerabilities effectively, developers should consider the following best practices:

  1. Design APIs with access control in mind: Clearly define the access control model for each CRUD operation before deploying the API.
  2. Implement a robust access control program: Support developers and security engineers in producing secure code and fixing vulnerabilities.
  3. Validate API endpoints: Avoid relying on security by obscurity, such as using obscure identifiers. Instead, thoroughly check each route for proper access control.
  4. Avoid automatic endpoint creation: Tools that automatically generate API endpoints should be used with caution. Validate each endpoint to ensure it adheres to the access control model.
  5. Keep track of API endpoints: During development, it’s crucial to monitor and manage the increasing number of API endpoints to prevent unnoticed vulnerabilities.

Runtime Protection and Security Testing

To enhance API security, runtime protection and security testing can be employed. Runtime protection platforms, like Noname Security, analyze real-time traffic to detect and block API attacks. Security testing allows developers to identify and address API vulnerabilities like Broken Object Level Authorization during the development lifecycle, before they are deployed.

Broken Object Level Authorization FAQs

What is Broken Object Level Authorization?

Broken Object Level Authorization, or BOLA, is the top API security threat on the OWASP API Security Top 10. It occurs when an attacker can successfully make a request for a data object that should be restricted.

What is the root cause for broken object level authorization?

Attackers and penetration testers look for BOLA vulnerabilities by inspecting API traffic for data that appears to be an ID or identifier for some data used by the API. Generally, these IDs are numeric but can also be strings (a set of characters) or a universally unique identifier (UUID).

BOLA vs BFLA?

Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) are two security vulnerabilities that can occur when using web applications. BOLA is a vulnerability where an attacker can access data or functions that should be restricted, while BFLA is a vulnerability where an attacker can bypass the authorization process and gain access to restricted functions. Both of these issues can lead to serious security risks if not addressed properly.

John Natale

John Natale leads content marketing at Noname Security.

All John Natale posts
Get Started Now (Tab to skip section.)

Get Started Now

Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.