HawkScan Test Info for Possible Broken Object-Level Authorization (BOLA)

Possible Broken Object-Level Authorization (BOLA)

Reference

Plugin Id: 422001 | CWE: 639

Remediation

To remediate Broken Object-Level Authorization (BOLA) vulnerabilities in your OpenAPI specification, consider the following steps:

  1. Implement Proper Access Controls: Utilize OpenAPI’s security definitions to enforce role-based or attribute-based access controls. For instance, define OAuth2 security scopes that map to different user roles and privileges. Apply these controls to each relevant endpoint to ensure that users can only access data objects for which they have authorization.

    securitySchemes:
      OAuth2:
        type: oauth2
        flows:
          password:
            tokenUrl: https://example.com/oauth/token
            scopes:
              user: Basic user actions
              admin: Admin actions
    paths:
      /data/{id}:
        get:
          security:
            - OAuth2: [user]
    
  2. Validate User Input: Implement robust input validation to prevent tampering with request parameters. Define strict parameter schemas in your OpenAPI specification to ensure that inputs conform to expected formats and values.

    parameters:
      - name: id
        in: path
        required: true
        schema:
          type: string
          pattern: '^[a-zA-Z0-9-]+$'
    
  3. Regularly Review and Update Access Controls: Continuously monitor and review your API’s access controls. Update the OpenAPI specification to reflect changes in roles, permissions, and organizational policies, ensuring all access control policies are current and effective.

About

Object-level authorization controls access to specific data objects like database records or files. Broken Object-Level Authorization (BOLA) occurs when flaws in these controls allow unauthorized access to or manipulation of data objects.

Risks

Risks of BOLA include unauthorized access to sensitive data, data manipulation or deletion, and elevation of privileges. Addressing BOLA is crucial for maintaining data confidentiality, integrity, and system security.