How this template works
APIs Selection
The template uses API selection filters to specify the criteria for selecting the API requests to be executed. In this case, the filters include checking the response code to be between 200 and 300, and the presence of at least one private variable in the request payload.
Execute request
The template specifies the execution type as "single", which means that only one request will be executed. The request includes a step to replace the authentication header with a new token. This allows the attacker to replay the original request with their own token.
Validation
The template defines validation criteria for the response. It checks that the response code is between 200 and 300, the response payload has a length greater than 0, and the percentage match between the response body and the original response body is at least 90%. These validations ensure that the attack was successful and the server responded as expected.
Frequently asked questions
What is Broken Object Level Authorization (BOLA) and how does it relate to this test
How does the server determine if the response body matches the original response body
What is the impact of unauthorized access in the context of BOLA
Can you provide more information about object level authorization and its role in preventing unauthorized access
Are there any specific references or resources available to learn more about BOLA and its exploitation techniques
What are the severity and potential impact of this vulnerability
"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "
Security team,
Rippling
