Products

Pricing

Test Library

Solutions

Resources

See docs

Start free

Test Library

BOLA by changing auth token

Attacker can access resources of any user by changing the auth token in request.

Broken Object Level Authorization (BOLA)

"The endpoint appears to be vulnerable to broken object level authorization attack. The original request was replayed with attacker's auth token. The server responded with 2XX success codes and greater than <b>{{percentageMatch}}%</b> of the response body matched with original response body. Also, the endpoint had atleast one private resources in request payload.<br>" "<b>Background:</b> Object level authorization is an access control mechanism that is usually implemented at the code level to validate that one user can only access objects that they should have access to. Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access to objects can also lead to full account takeover."

"The endpoint appears to be vulnerable to broken object level authorization attack. The original request was replayed with attacker's auth token. The server responded with 2XX success codes and greater than <b>{{percentageMatch}}%</b> of the response body matched with original response body. Also, the endpoint had atleast one private resources in request payload.<br>" "<b>Background:</b> Object level authorization is an access control mechanism that is usually implemented at the code level to validate that one user can only access objects that they should have access to. Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access to objects can also lead to full account takeover."

Impact of the vulnerability

Impact of the vulnerability

Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access to objects can also lead to full account takeover.

Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access to objects can also lead to full account takeover.

How this template works

APIs Selection

The template uses API selection filters to specify the criteria for selecting the API requests to be executed. In this case, the filters include checking the response code to be between 200 and 300, and the presence of at least one private variable in the request payload.

Execute request

The template specifies the execution type as "single", which means that only one request will be executed. The request includes a step to replace the authentication header with a new token. This allows the attacker to replay the original request with their own token.

Validation

The template defines validation criteria for the response. It checks that the response code is between 200 and 300, the response payload has a length greater than 0, and the percentage match between the response body and the original response body is at least 90%. These validations ensure that the attack was successful and the server responded as expected.

Frequently asked questions

What is Broken Object Level Authorization (BOLA) and how does it relate to this test

How does the server determine if the response body matches the original response body

What is the impact of unauthorized access in the context of BOLA

Can you provide more information about object level authorization and its role in preventing unauthorized access

Are there any specific references or resources available to learn more about BOLA and its exploitation techniques

What are the severity and potential impact of this vulnerability

Loved by security teams!

Loved by security teams!

Product Hunt Badge

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Security team,

Loom

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Security team,

Loom

"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "

Security team,

Rippling

Explore other tests

IDOR by adding user id in query params

BOLA in old api versions

BOLA by HTTP Parameter Pollution

Learn more:

OWASP top 10

6 min read

What is Broken User Authentication (BUA)?

Developer best practices

7 min read

How to prevent Server-Side Request Forgery (SSRF) as a developer?

Suggest API security tests

Suggest API security tests

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.