BOLA & BFLA
Welcome folks, this blog will be a quick review of:
What BOLA & BFLA are.
How to hunt for them.
Resources about the vulnerability.
What BOLA & BFLA are:
[+] BOLA is an acronym for Broken Object Level Authorization. It occurs when a user can retrieve another user's information without having the privilege required for that. Most of the time, APIs retrieve information from the back-end by using a reference or identifier for the data. That identifier can be represented as:
1- UID
2- GUID
3- String (emails, usernames)
Consider a website that has an API. Once you log into the website, the following request is initiated to retrieve your information:
Then you receive the following response:
That is the intended behavior: the identifier here (12482) refers to your data in the back-end. But if the API lacks the required authorization validation, then changing that identifier will retrieve other customers' information, like:
[+] BFLA is an acronym for Broken Function Level Authorization. The vulnerability arises when a user can perform actions they are not allowed to perform. It commonly occurs in websites that provide the ability to create groups with different privileges (Admin, Developer, Normal). I've found the same vulnerability in a website that has such a feature: the website let you create your own group to manage your business, and the available privileges were:
1- Admin
2- Developer
3- View-Only
The Admin and Developer accounts are allowed to send invites to join the team, while the Admin is the only one that can remove pending invites that haven't been accepted yet. To delete an invite, the following request is sent to the API by the Admin account:
Then, as I'm in the same group but with the lowest privilege (View-Only), I just tried to substitute the Admin's cookies with mine, and the invite was deleted with no restriction.
How to hunt for them:
If you have a program that has several privileges like (Admin, Developer, Read-Only), at first you need to open the 3 accounts and see what functions each account can and can't access. For example, if the Admin account can invite users, can the Developer/Read-Only account do that? Once you have done that with each function and compared the 3 privileges, the next step is testing whether there's any kind of misconfiguration there.
Testing for Broken Object Level Authorization (BOLA) is much like IDOR: you just need to see if there are any API requests that carry a reference to your account (id, uuid, email, etc.), substitute it with another value, and inspect the returned data to see whether it belongs to another user.
Testing for Broken Function Level Authorization (BFLA) consists of testing the functions with the higher privilege, then trying to execute the same requests with a lower privilege, like:
Admin -> Developer
Developer -> Read-Only
Admin -> Read-Only
That can be done by substituting the cookies/JWT token with the lower account's cookie/JWT token, as I mentioned in the vulnerability that I found.
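To make the two checks concrete, here is an added example (my own code, not from the original post or from any program I tested): a tiny in-memory API with a BOLA-prone user lookup and a BFLA-prone invite deletion, each shown beside its hardened form, plus a differential replay that does what the hunting procedure above does by hand, sending each request as the Admin and then replaying it unchanged except for the session cookie. The users, cookies, invite and the endpoint names are constructed for the demo; only the id 12482 is borrowed from the post.

```python
from dataclasses import dataclass
from typing import Any

# Constructed sample data (not from the post): user records, session cookies
# and one pending invite. The id 12482 is reused from the post's example.
USERS = {
    12482: {"id": 12482, "email": "alice@example.test", "role": "admin", "group": 1},
    12483: {"id": 12483, "email": "bob@example.test", "role": "developer", "group": 1},
    12484: {"id": 12484, "email": "carol@example.test", "role": "view-only", "group": 1},
}
SESSIONS = {"cookie-alice": 12482, "cookie-bob": 12483, "cookie-carol": 12484}


def new_state() -> dict:
    """Fresh mutable server state, so every replay starts from the same point."""
    return {"invites": {"inv-1": {"group": 1, "email": "eve@example.test"}}}


@dataclass
class Response:
    status: int
    body: Any = None


def _caller(cookie: str):
    """Resolve the session cookie to a user record (None if not logged in)."""
    uid = SESSIONS.get(cookie)
    return USERS.get(uid) if uid is not None else None


# --- BOLA: GET /api/users/<user_id> (hypothetical endpoint) ----------------
def get_user_vulnerable(cookie, user_id, state):
    caller = _caller(cookie)
    if caller is None:
        return Response(401)
    user = USERS.get(user_id)            # returns whatever id the client asked for
    return Response(200, user) if user else Response(404)


def get_user_fixed(cookie, user_id, state):
    caller = _caller(cookie)
    if caller is None:
        return Response(401)
    if user_id != caller["id"]:          # object-level check: only the owner
        return Response(403)
    return Response(200, USERS[user_id])


# --- BFLA: DELETE /api/invites/<invite_id> (hypothetical endpoint) ---------
def delete_invite_vulnerable(cookie, invite_id, state):
    caller = _caller(cookie)
    if caller is None:
        return Response(401)
    invite = state["invites"].get(invite_id)
    if invite is None:
        return Response(404)
    if invite["group"] != caller["group"]:   # group membership is checked...
        return Response(403)
    del state["invites"][invite_id]          # ...but the caller's role never is
    return Response(200, {"deleted": invite_id})


def delete_invite_fixed(cookie, invite_id, state):
    caller = _caller(cookie)
    if caller is None:
        return Response(401)
    invite = state["invites"].get(invite_id)
    if invite is None:
        return Response(404)
    if invite["group"] != caller["group"] or caller["role"] != "admin":
        return Response(403)                 # function-level check: Admin only
    del state["invites"][invite_id]
    return Response(200, {"deleted": invite_id})


# --- Differential replay: the manual procedure from the post, automated ----
def privilege_bypassed(handler, high_cookie, low_cookie, *args) -> bool:
    """Issue the request as the privileged session, then replay it with only
    the cookie swapped. A 200 with the same body from the lower-privileged
    session means the authorization check is missing."""
    expected = handler(high_cookie, *args, new_state())
    replayed = handler(low_cookie, *args, new_state())
    return (expected.status == 200 and replayed.status == 200
            and replayed.body == expected.body)


def run_audit() -> dict:
    """Admin (alice) issues each request; each is replayed as View-Only (carol)."""
    checks = {
        "GET /users/12482 (vulnerable)": (get_user_vulnerable, 12482),
        "GET /users/12482 (fixed)": (get_user_fixed, 12482),
        "DELETE /invites/inv-1 (vulnerable)": (delete_invite_vulnerable, "inv-1"),
        "DELETE /invites/inv-1 (fixed)": (delete_invite_fixed, "inv-1"),
    }
    return {name: privilege_bypassed(h, "cookie-alice", "cookie-carol", arg)
            for name, (h, arg) in checks.items()}


if __name__ == "__main__":
    for name, bypassed in run_audit().items():
        print(f"{'FLAGGED' if bypassed else 'ok     '}  {name}")
```

The two hardened handlers show the fix for each class: the object-level check compares the requested id against the session's own id (or, in a real system, against an explicit ownership or grant table), and the function-level check compares the session's role against the role the operation requires. Both checks live in the handler, not in the client, so swapping cookies changes the answer rather than the data.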
Tools:
You can use the Autorize Burp Suite extension: you just provide the cookies/JWT token of the lower-privilege account and keep surfing and executing the functions in the program with the Admin account, and the extension will notify you which requests succeeded with the lower-privilege account's data and which didn't.
The second tool you can use is the PwnFox extension. It helps in opening different tabs in your browser where each tab represents a separate container, which lets you open several sessions in one browser instead of needing to open a private window alongside the main one.
Resources:
Hacking APIs book.
I hope this helps even a little bit. If you have a question, you can ask me at: