Exploiting API Authorization
In this module you will learn how to test for authorization vulnerabilities, including Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).
An API’s authentication process is meant to validate that users are who they claim to be. An API's authorization is meant to allow users to access the data they are permitted to access. In other words, UserA should only be able to access UserA's resources and UserA should not be able to access UserB's resources. API providers have been pretty good about requiring authentication when necessary, but there has been a tendency to overlook controls beyond the hurdle of authentication. Authorization vulnerabilities are so common for APIs that the OWASP security project included two authorization vulnerabilities on its top ten list, Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).
RESTful APIs are stateless, so when a consumer authenticates to these APIs, no session is created between the client and server. Instead, the API consumer must prove their identity within every request sent to the API provider’s web server.
Authorization weaknesses are present within the access control mechanisms of an API. An API consumer should only have access to the resources they are authorized to access. BOLA vulnerabilities occur when an API provider does not restrict access to resources. BFLA vulnerabilities are present when an API provider does not restrict the actions that can be used to manipulate the resources of other users. I like to think of these in terms of fintech APIs. BOLA is the ability for UserA to see UserB's bank account balance, and BFLA is the ability for UserA to transfer funds from UserB's account back to UserA.
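To make the fintech analogy concrete, here is an added example (written for this page, not code from the module or from any real API) of a toy bank API. The users, account ids and balances are constructed for illustration. The vulnerable handlers authenticate the caller but look resources up by id alone, which is exactly the BOLA and BFLA pattern described above; the hardened handlers add an object-level ownership check and apply it to the debit side of the transfer action.

```python
"""Toy bank API: BOLA/BFLA-prone handlers beside authorization-checked ones.
Added example; all users, ids and balances below are constructed."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this object or action."""


@dataclass
class Account:
    owner: str
    balance: int


@dataclass
class Request:
    """What a stateless API sees on each request: the principal proven by the
    bearer token, the object id from the path (e.g. /accounts/{account_id}),
    and the JSON body."""
    user: str
    account_id: str
    body: dict = field(default_factory=dict)


def sample_accounts() -> dict:
    """Fresh constructed data: UserA and UserB each own one account."""
    return {
        "acct-1001": Account(owner="UserA", balance=500),
        "acct-2002": Account(owner="UserB", balance=900),
    }


# --- Vulnerable handlers: authentication happened, authorization did not ---

def get_balance_vulnerable(accounts: dict, req: Request) -> int:
    # BOLA: the object is fetched by id; nobody asks whether req.user owns it.
    return accounts[req.account_id].balance


def transfer_vulnerable(accounts: dict, req: Request) -> int:
    # BFLA: any authenticated user may invoke the transfer action against any
    # source account, so UserA can debit UserB and credit themselves.
    src = accounts[req.account_id]
    dst = accounts[req.body["to"]]
    amount = req.body["amount"]
    src.balance -= amount
    dst.balance += amount
    return src.balance


# --- Hardened handlers: object-level and function-level checks ---

def _owned_account(accounts: dict, req: Request) -> Account:
    """Object-level check: the account in the path must belong to req.user.
    Missing and foreign accounts get the same error so ids cannot be
    enumerated through differing responses."""
    acct = accounts.get(req.account_id)
    if acct is None or acct.owner != req.user:
        raise Forbidden(f"{req.user} may not access {req.account_id}")
    return acct


def get_balance(accounts: dict, req: Request) -> int:
    return _owned_account(accounts, req).balance


def transfer(accounts: dict, req: Request) -> int:
    """Function-level check: only the owner of the debited account may run the
    transfer action on it. Crediting another user's account is permitted."""
    src = _owned_account(accounts, req)
    dst = accounts.get(req.body["to"])
    amount = req.body["amount"]
    if dst is None or amount <= 0 or amount > src.balance:
        raise ValueError("invalid transfer")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def denied(handler, accounts: dict, req: Request) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(accounts, req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    a_reads_b = Request("UserA", "acct-2002")
    print("vulnerable read of UserB by UserA:", get_balance_vulnerable(sample_accounts(), a_reads_b))
    print("hardened read denied:", denied(get_balance, sample_accounts(), a_reads_b))
    a_drains_b = Request("UserA", "acct-2002", {"to": "acct-1001", "amount": 100})
    print("vulnerable transfer leaves UserB with:", transfer_vulnerable(sample_accounts(), a_drains_b))
    print("hardened transfer denied:", denied(transfer, sample_accounts(), a_drains_b))
```

The same pair of checks is what a tester is probing for in this module: swap the object id in the path to another user's and see whether the read succeeds (BOLA), then invoke a state-changing action against that object and see whether it is accepted (BFLA). In the hardened version both attempts fail closed with the same error, and the legitimate path (UserA debiting acct-1001) still works.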