130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • What is BOLA?
  • How BOLA Maps to OWASP Top 10
  • How the Attacker Exploits BOLA
  • Attack Scenario
  • Insecure Implementation (Prone to BOLA) Using Java Spring Security
  • Secure Implementation (BOLA Mitigated) Using Java Spring Security
  • Key Points for Developers
  • Conculsion

Was this helpful?

  1. Application Security

Mitigating Broken Object Level Authorization (BOLA)

10 November 2024

What is BOLA?

Broken Object Level Authorization (BOLA) occurs when an application fails to properly verify that a user has the necessary permissions to access a specific object or resource. This vulnerability can lead to unauthorized access, data breaches, and other security issues.

How BOLA Maps to OWASP Top 10

BOLA is categorized under A01:2021 - Broken Access Control in the OWASP Top 10. Broken Access Control is considered the most critical web application security risk, as it affects many applications and can lead to severe consequences like data theft and unauthorized data modification.

How the Attacker Exploits BOLA

An attacker could exploit this vulnerability by obtaining or guessing a valid token and then using it to access another user's profile, bypassing any authorization checks.

Attack Scenario

Imagine a company that provides a web application allowing users to access their profiles through an API. Each user has a unique profile with personal information, and the API uses tokens for authentication and authorization.

Insecure Implementation (Prone to BOLA) Using Java Spring Security

In this insecure implementation, the API does not properly verify that the authenticated user has permission to access the requested user's profile.

@RestController
@RequestMapping("/api")
public class UserController {

    private final UserRepository userRepository;

    public UserController(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @GetMapping("/profile")
    public ResponseEntity<?> getProfile(@RequestHeader("Authorization") String token) {
        User currentUser = getUserByToken(token);

        if (currentUser == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Unauthorized");
        }

        // No additional authorization check
        return ResponseEntity.ok(currentUser);
    }

    private User getUserByToken(String token) {
        // Mock function to get user by token
        if ("token1".equals(token)) {
            return new User(1L, "Alice", "alice@example.com");
        } else if ("token2".equals(token)) {
            return new User(2L, "Bob", "bob@example.com");
        }
        return null;
    }
}

Attack Payload Example:

curl -H "Authorization: token2" http://localhost:8080/api/profile

In this case, an attacker using a stolen or guessed token2 accesses Bob's profile.

Secure Implementation (BOLA Mitigated) Using Java Spring Security

In the secure implementation, the API ensures that the token provided matches the user's identity, verifying that the token is valid for the requesting user and implementing access controls at the database query level.

@RestController
@RequestMapping("/api")
public class UserController {

    private final UserRepository userRepository;

    public UserController(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @GetMapping("/profile")
    public ResponseEntity<?> getProfile(@RequestHeader("Authorization") String token) {
        User currentUser = getUserByToken(token);

        if (currentUser == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Unauthorized");
        }

        // Additional authorization check to ensure the token is valid for the requesting user
        if (!isTokenValidForUser(token, currentUser.getId())) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("Forbidden");
        }

        // Implement access controls at database query level
        User user = userRepository.findById(currentUser.getId()).orElse(null);
        if (user == null) {
            return ResponseEntity.status(HttpStatus.NOT_FOUND).body("User not found");
        }

        return ResponseEntity.ok(user);
    }

    private User getUserByToken(String token) {
        // Mock function to get user by token
        if ("token1".equals(token)) {
            return new User(1L, "Alice", "alice@example.com");
        } else if ("token2".equals(token)) {
            return new User(2L, "Bob", "bob@example.com");
        }
        return null;
    }

    private boolean isTokenValidForUser(String token, Long userId) {
        // Add logic to verify that the token is valid for the user ID
        return ("token1".equals(token) && 1L.equals(userId)) || ("token2".equals(token) && 2L.equals(userId));
    }
}

The secure implementation ensures that the token provided matches the user's identity, verifying that the token is valid for the requesting user. It also implements access controls at the database query level to protect Personally Identifiable Information (PII).

Key Points for Developers

  • Always verify that a user has the necessary permissions to access specific resources.

  • Validate API tokens to ensure they are not compromised and are correctly assigned to the requesting user.

  • Implement access controls at the database query level to protect sensitive information, especially Personally Identifiable Information (PII).

  • Use secure coding practices such as input validation, prepared statements, and encryption to prevent vulnerabilities.

Conculsion

BOLA vulnerabilities occur when applications fail to enforce proper authorization checks, leading to unauthorized access to sensitive data. This vulnerability maps to A01:2021 - Broken Access Control in the OWASP Top 10. Ensuring that authorization checks are performed at the object level is crucial for mitigating this risk. By following secure coding practices, validating API tokens, and implementing access controls at the database query level, developers can build more secure applications and reduce the risk of security breaches.

Here are some useful references for more details on Broken Object Level Authorization (BOLA):

PreviousHTTP Header Security PrinciplesNextSpring Boot Validation

Last updated 6 months ago

Was this helpful?

OWASP API Security Top 10 - Broken Object Level Authorization (BOLA):

Sec-Notes on Broken Object Level Authorization (BOLA):

Heimdal Security on BOLA:

Imperva on BOLA:

OWASP API Security Top 10
Sec-Notes
Heimdal Security
Imperva