StackHawk Documentation (HawkDocs)


Possible Broken Object-Level Authorization (BOLA)

Reference
Plugin ID: 422001 | CWE: 639 | Risk: High | Scan type: Passive

Remediation

To remediate Broken Object-Level Authorization (BOLA) vulnerabilities in your OpenAPI specification, consider the following steps:

  1. Implement Proper Access Controls: Utilize OpenAPI's security definitions to enforce role-based or attribute-based access controls. For instance, define OAuth2 security scopes that map to different user roles and privileges. Apply these controls to each relevant endpoint to ensure that users can only access data objects for which they have authorization. Note that a scope only gates who may call the endpoint; the handler behind it must still confirm that the specific object requested (the `{id}`) belongs to the authenticated caller, because that per-object check is what BOLA is about and a specification alone cannot enforce it.

    components:
      securitySchemes:
        OAuth2:
          type: oauth2
          flows:
            password:
              tokenUrl: https://example.com/oauth/token
              scopes:
                user: Basic user actions
                admin: Admin actions
    paths:
      /data/{id}:
        get:
          # the scope gates the endpoint; ownership of {id} is checked server-side
          security:
            - OAuth2: [user]
  2. Validate User Input: Implement robust input validation to prevent tampering with request parameters. Define strict parameter schemas in your OpenAPI specification to ensure that inputs conform to expected formats and values.

    parameters:
      - name: id
        in: path
        required: true
        schema:
          type: string
          # anchored at both ends so only a complete identifier is accepted
          pattern: '^[a-zA-Z0-9-]+$'
  3. Regularly Review and Update Access Controls: Continuously monitor and review your API's access controls. Update the OpenAPI specification to reflect changes in roles, permissions, and organizational policies, ensuring all access control policies are current and effective.
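As an added example (not from the StackHawk page), the server-side check that the OpenAPI definitions above cannot express on their own: a handler that fetches a record by id alone, beside a hardened handler that validates the id against the same pattern, checks the scope, and verifies that the object belongs to the authenticated subject. The record store, identities and status codes are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample data: each record has an owner; ids follow the
# '^[a-zA-Z0-9-]+$' pattern from the OpenAPI parameter schema.
RECORDS = {
    "rec-1001": {"owner": "alice", "body": "alice's invoice"},
    "rec-1002": {"owner": "bob", "body": "bob's invoice"},
}
ID_PATTERN = re.compile(r"^[a-zA-Z0-9-]+$")


@dataclass(frozen=True)
class Principal:
    """Identity taken from an OAuth2 token (assumed already verified)."""
    subject: str
    scopes: frozenset


def get_record_vulnerable(caller: Principal, record_id: str):
    """BOLA: the 'user' scope check passes for every user, then the record is
    looked up by id alone, so any authenticated user can read any record."""
    if "user" not in caller.scopes:
        return 403, None
    rec = RECORDS.get(record_id)
    return (200, rec["body"]) if rec else (404, None)


def get_record_hardened(caller: Principal, record_id: str):
    """Fixed handler: validate the id, check the scope, then verify that the
    object belongs to the caller (or that the caller holds 'admin')."""
    if not ID_PATTERN.fullmatch(record_id):
        return 400, None
    is_admin = "admin" in caller.scopes
    if "user" not in caller.scopes and not is_admin:
        return 403, None
    rec = RECORDS.get(record_id)
    # Answer 404 for both "missing" and "not yours" so the response does not
    # confirm that another user's object id exists.
    if rec is None or (rec["owner"] != caller.subject and not is_admin):
        return 404, None
    return 200, rec["body"]
```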

About

Object-level authorization controls access to specific data objects like database records or files. Broken Object-Level Authorization (BOLA) occurs when flaws in these controls allow unauthorized access to or manipulation of data objects.

Risks

Risks of BOLA include unauthorized access to sensitive data, data manipulation or deletion, and elevation of privileges. Addressing BOLA is crucial for maintaining data confidentiality, integrity, and system security.
