Possible Broken Object-Level Authorization (BOLA)

Reference

Plugin Id: 422001 | CWE: 639

Remediation

To remediate Broken Object-Level Authorization (BOLA) vulnerabilities, consider the following steps. Note that the OpenAPI specification can only declare which authentication scheme and scopes an endpoint requires; the object-level decision itself (may this caller read or modify this particular object?) has to be enforced by the handler on every request.

  1. Implement Proper Access Controls: Utilize OpenAPI’s security definitions to declare the authentication scheme and scopes each endpoint requires. For instance, define OAuth2 security scopes that map to different user roles and privileges, and apply them to each relevant endpoint. Keep in mind that scopes enforce function-level access only: a caller holding the user scope can still request any {id}. To prevent BOLA, the handler behind the endpoint must also verify that the requested object belongs to, or is shared with, the authenticated caller (for example by querying for the object by owner and id together) before returning or modifying it.

    components:
      securitySchemes:
        OAuth2:
          type: oauth2
          flows:
            password:
              tokenUrl: https://example.com/oauth/token
              scopes:
                user: Basic user actions
                admin: Admin actions
    paths:
      /data/{id}:
        get:
          security:
            - OAuth2: [user]
    
  2. Validate User Input: Implement robust input validation to prevent tampering with request parameters. Define strict parameter schemas in your OpenAPI specification so that inputs conform to expected formats and values. Schema validation only rejects malformed identifiers; another user's well-formed id passes the same check, so validation narrows the attack surface (injection, type confusion) but does not replace the ownership check. Non-sequential identifiers such as UUIDs make ids harder to guess, but are likewise not a substitute for it.

    parameters:
      - name: id
        in: path
        required: true
        schema:
          type: string
          pattern: '^[a-zA-Z0-9-]+$'
    
  3. Regularly Review and Test Access Controls: Continuously monitor and review your API’s access controls. Update the OpenAPI specification to reflect changes in roles, permissions, and organizational policies, ensuring all access control policies are current and effective. Exercise every endpoint that takes an object identifier with the credentials of at least two different users and confirm that each is refused (or receives a not-found response for) the other's objects; repeat these tests whenever roles or endpoints change.
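The steps above describe the object-level check in prose. The following Python, added here as an illustration and not code from the plugin or from any scanned application, shows a handler for GET /data/{id} that only gates on scope and id format (and therefore has a BOLA) beside one that also ties the lookup to the caller. The in-memory RECORDS table, the Principal type, the record ids and the (status, body) return shape are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed in-memory store standing in for a database table (example data only).
RECORDS = {
    "rec-1": {"owner": "alice", "body": "alice's report"},
    "rec-2": {"owner": "bob", "body": "bob's report"},
}

# Same pattern as the OpenAPI parameter schema in step 2: it constrains the
# shape of the id and nothing else.
ID_PATTERN = re.compile(r"^[a-zA-Z0-9-]+$")


@dataclass(frozen=True)
class Principal:
    """Caller identity as it would be taken from a validated access token (assumed shape)."""
    user_id: str
    scopes: frozenset


def is_valid_id(record_id: str) -> bool:
    """Input validation from step 2: rejects malformed ids, accepts any well-formed one."""
    return ID_PATTERN.fullmatch(record_id) is not None


def get_data_vulnerable(principal: Principal, record_id: str):
    """BOLA: validates the id and the 'user' scope, then fetches whatever id was
    supplied. Any authenticated user can read any record by changing the id."""
    if not is_valid_id(record_id):
        return 400, None
    if "user" not in principal.scopes:
        return 403, None
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, None
    return 200, rec["body"]


def get_data_fixed(principal: Principal, record_id: str):
    """Object-level check: after the scope gate, the record must belong to the
    caller, or the caller must hold the admin scope. A non-owner gets the same
    404 as a missing record, so the endpoint cannot be used to enumerate ids."""
    if not is_valid_id(record_id):
        return 400, None
    if "user" not in principal.scopes:
        return 403, None
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, None
    if rec["owner"] != principal.user_id and "admin" not in principal.scopes:
        return 404, None
    return 200, rec["body"]


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"user"}))
    print(get_data_vulnerable(alice, "rec-2"))  # (200, "bob's report"): BOLA
    print(get_data_fixed(alice, "rec-2"))       # (404, None)
```

In a real service, push the owner condition into the data access layer (fetch by owner and id together, or filter the query by the caller's tenant) so the check cannot be forgotten in a new handler, and keep the admin bypass tied to an explicit scope rather than to a role name compared in ad-hoc code.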

About

Object-level authorization controls access to specific data objects, such as database records or files, that a request identifies by a parameter (typically a path or query id). Broken Object-Level Authorization (BOLA) occurs when an endpoint accepts such an identifier and returns or modifies the object without checking that the authenticated caller is entitled to that particular object, so changing the identifier in an otherwise valid request exposes or alters other users' data.

Risks

Risks of BOLA include unauthorized access to sensitive data, data manipulation or deletion, and elevation of privileges. Addressing BOLA is crucial for maintaining data confidentiality, integrity, and system security.