Broken Object Level Authorization

Description

Broken Object Level Authorization (BOLA) is a vulnerability in which an API looks up an object by a client-supplied identifier (a record ID, account number, filename, etc.) without verifying that the authenticated caller is allowed to access that particular object. An attacker who changes the identifier in a request can read or modify other users' data. This vulnerability is also known as Insecure Direct Object Reference (IDOR).

Remediation

Perform an authorization check on the server for every object access: after loading the object, verify that the authenticated user (or their role or tenant) is permitted to read or modify that specific object before acting on it, and scope lookups to the caller's own data so that foreign identifiers are simply not found. Using non-sequential identifiers (for example UUIDs) makes enumeration harder, but it is only defense in depth: an attacker who obtains an identifier through another channel can still use it if the check is missing.

GraphQL Specific

Apollo Implement object-level access control checks in Apollo Server: build the authenticated user into the request context and have every resolver (or a wrapping directive or plugin) verify that user against the requested object's ownership or access control list (ACL) before returning or mutating it. Regularly audit and test these authorization checks to prevent Broken Object Level Authorization vulnerabilities.
Yoga Implement robust access control checks within GraphQL Yoga to ensure that users can only access or modify resources for which they have explicit authorization. Perform server-side checks of the user's permissions against the loaded object before any object-level operation is allowed, deny by default following the principle of least privilege, and regularly audit and test the authorization checks to prevent Broken Object Level Authorization vulnerabilities.
Awsappsync Implement strict authorization checks in every GraphQL resolver in AWS AppSync. Authorization modes such as Amazon Cognito user pools, IAM or Lambda authorizers establish who the caller is and which operations they may invoke, but they do not check individual objects; the resolver itself must compare the caller identity (for example the Cognito `sub` exposed in the resolver context) with the owner attribute of the requested item, or express that constraint in the data source query (for example a DynamoDB condition expression), before returning or modifying data.
Graphqlgo Implement strict access control checks in your graphql-go resolvers to ensure that users can only access objects for which they have explicit authorization. Use middleware or a shared helper to load the requested object and verify the user's permissions against it before processing any query or mutation. Regularly audit your authorization logic to prevent Broken Object Level Authorization vulnerabilities.
Graphqlruby In graphql-ruby, ensure that authorization checks are performed at the object level. Use the framework's built-in `authorized?` hooks on types and fields, or a policy-based library such as Pundit (optionally through the GraphQL::Pro integrations), to manage access control. Define a policy for each GraphQL type and enforce it where objects are resolved to prevent unauthorized access to sensitive data. Additionally, prefer scoped queries that only return records the current user may see, and always validate that the current user has the right to access or modify the requested resource.
Hasura Implement strict access control checks in Hasura by using permission rules to ensure that users can only access data they are authorized for. Define roles and permissions meticulously, and use Hasura's role-based access control (RBAC) together with row-level permission rules that compare the row (for example an owner column) with session variables such as `X-Hasura-User-Id`, so that queries, mutations and subscriptions are limited to the caller's own rows. Regularly audit and test your permission configurations to prevent unauthorized access to sensitive data.

REST Specific

Asp_net Implement proper access control checks in the ASP.NET application to verify that the current user has the required permissions to access or modify the requested resource. Use the built-in ASP.NET Identity framework for managing users and roles, and use resource-based authorization (`IAuthorizationService.AuthorizeAsync` with the loaded object and a policy handler) so that every API endpoint that accesses user data performs an authorization check against the specific object before proceeding with the operation.
Ruby_on_rails Implement strong access control checks in Ruby on Rails by using the 'cancancan' or 'pundit' gems to manage authorizations. Load resources through these libraries (cancancan's `load_and_authorize_resource`, or Pundit's `authorize` and `policy_scope`) so that a user can only reach objects they are permitted to see. Additionally, always validate that the current user owns or has explicit access to the object they are attempting to interact with before processing the request.
Next_js Implement robust access control checks within your Next.js API routes, route handlers or server actions to validate that the requesting user has the necessary permissions to access or modify the requested resource. Authenticate the request (for example with a JSON Web Token or a session) and then check the authenticated identity against the ownership or permissions of the specific object before processing any request that involves object references; edge middleware can reject unauthenticated requests but is not a substitute for the per-object check in the handler.
Laravel In Laravel, implement a robust authorization strategy using the built-in Gates and Policies to check user permissions before accessing any object, for example by calling `authorize()` in the controller or applying the `can` middleware to the route. Note that route model binding only loads the model; it does not authorize access, so combine it with a policy check (or scoped bindings for nested resources).
Express_js Implement robust access control checks within your Express.js application to verify that the logged-in user has the appropriate permissions to access or modify the requested resource. Use middleware to validate the user's rights against the resource's ownership or access rules before processing the request, combining the authenticated identity (for example from a JWT), the user's roles and the resource identifier. Always validate that the user making the request is authorized to perform the action on the specific object by checking against server-side permission data, never against values supplied by the client.
Django In Django, ensure proper object-level authorization by implementing access control checks using Django's permissions framework or third-party packages like `django-guardian`. Always verify that the current user has the right to access or modify an object before processing the request. Call `get_object_or_404()` on a queryset already filtered to the current user's objects, so that foreign identifiers result in a 404 rather than a leak.
Symfony In the Symfony framework, mitigate Broken Object Level Authorization by implementing proper access control checks. Use Symfony's security voters (invoked through `denyAccessUnlessGranted()` or the `is_granted()` expression with the loaded object) or the access decision manager to verify that the authenticated user has the necessary permissions to access or modify a specific resource. Input validation alone does not prevent BOLA, because a well-formed identifier belonging to another user is still valid input.
Spring_boot Implement proper access control checks in the Spring Boot application. Use Spring Security to authenticate users and check if they have the required permissions or roles before granting access to a resource. Additionally, employ the principle of least privilege, ensuring users can only access resources that are necessary for their role. For each API endpoint that accesses user data, verify the logged-in user has the right to access the requested object by comparing the user's ID from the security context with the owner ID of the object, for example with `@PreAuthorize` or `@PostAuthorize` expressions or an explicit check in the service layer.
Flask Implement robust access control checks within Flask route handlers to verify that the requesting user has the necessary permissions to access or modify the requested resource. A `before_request` hook can centralize authentication, but it does not know which object a view will load, so the object-level check belongs in the view (or a shared helper or decorator) after the object is fetched. Additionally, employ Flask-Security or Flask-Principal extensions to manage user roles and permissions effectively.
Nuxt In Nuxt, to remediate Broken Object Level Authorization, ensure that user permissions are verified on the server side (for example in Nuxt server routes and API handlers) for each request that accesses a sensitive object. Implement robust access control checks using server middleware or within your API logic to confirm that the requesting user has the necessary rights to perform the action on the specific resource. Additionally, avoid using sequential or predictable object IDs and consider using UUIDs to make it harder for attackers to guess object identifiers, keeping in mind that this is defense in depth and not a replacement for the check. Always enforce the principle of least privilege, granting users the minimum access necessary to perform their tasks.
Fastapi In FastAPI, to remediate Broken Object Level Authorization (BOLA), ensure that proper access control checks are in place before allowing users to access or modify a resource. Implement the checks as dependencies (`Depends`) that resolve the current user and then verify ownership or permissions for the requested object, so every route that takes an object identifier runs the same logic. OAuth2 scopes or API keys limit which operations a token may call, but they do not decide which objects it may touch, so always validate that the authenticated user is authorized for the specific object by checking ownership or permission levels on the server.
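The pattern every framework entry above describes is the same: load the object, then compare the authenticated identity with the object's owner (or scope the query to the caller) before returning or mutating it. The following added example, which is not code from Escape or from any of the frameworks listed, shows a vulnerable lookup beside the hardened one on a constructed in-memory store, and also demonstrates the caveat from the Remediation section that a UUID alone does not help once an attacker knows the identifier. The `Invoice` type, the users and the `NotFound` exception are assumptions made for the illustration.

```python
"""Object-level authorization: vulnerable lookup vs. hardened lookup.

Added illustration, not code from Escape or from any framework above.
The in-memory 'database', the users and the request model are constructed.
"""
from dataclasses import dataclass
import uuid


@dataclass(frozen=True)
class Invoice:
    id: str
    owner: str          # user id of the account that owns the invoice
    amount_cents: int


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so the response
    does not reveal whether a foreign identifier is valid."""


# Constructed sample data: sequential ids for alice and bob, plus one UUID for bob.
INVOICES = {
    "1": Invoice("1", owner="alice", amount_cents=1200),
    "2": Invoice("2", owner="alice", amount_cents=800),
    "3": Invoice("3", owner="bob", amount_cents=9900),
}
BOB_UUID = str(uuid.uuid4())
INVOICES[BOB_UUID] = Invoice(BOB_UUID, owner="bob", amount_cents=4200)


def get_invoice_vulnerable(current_user: str, invoice_id: str) -> Invoice:
    """BOLA: the caller is authenticated but never compared with the owner.
    Any user who knows (or guesses) an id gets the object."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice(current_user: str, invoice_id: str) -> Invoice:
    """Hardened: load, then check ownership against the *authenticated*
    identity, never against anything the client sent."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise NotFound(invoice_id)
    return inv


def list_invoices_scoped(current_user: str) -> list[Invoice]:
    """Scoped query: the equivalent of filtering the queryset by owner before
    the lookup (Django) or of a Pundit policy_scope; foreign rows are absent."""
    return [inv for inv in INVOICES.values() if inv.owner == current_user]


def update_invoice(current_user: str, invoice_id: str, amount_cents: int) -> Invoice:
    """Mutations go through the same check; the id in the body or URL is
    untrusted input exactly like the one in a read."""
    inv = get_invoice(current_user, invoice_id)  # raises NotFound if not owned
    updated = Invoice(inv.id, inv.owner, amount_cents)
    INVOICES[invoice_id] = updated
    return updated


def can_read(current_user: str, invoice_id: str, lookup) -> bool:
    """True if `lookup` hands the object to `current_user`."""
    try:
        lookup(current_user, invoice_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # alice tries ids 1..3 and bob's UUID against both implementations
    for iid in ["1", "2", "3", BOB_UUID]:
        print(iid[:8].ljust(8),
              "vulnerable:", can_read("alice", iid, get_invoice_vulnerable),
              "hardened:", can_read("alice", iid, get_invoice))
```

Returning the same `NotFound` for "missing" and "not yours" is deliberate: a distinct 403 tells an enumerating attacker which identifiers exist. Note that the scoped list and the single-object lookup enforce the same rule; keeping both behind one ownership predicate avoids the common drift where the list is scoped but the detail endpoint is not.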

Configuration

Identifier: access_control/bola

Options

  • threshold_res : Fraction of enumerated values of an argument that the API must answer successfully for an alert to be raised.
  • threshold_enum : Fraction of a field's observed values that must be iterable (enumerable) for the field itself to be treated as iterable and tested.
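To make the two options concrete, here is an added illustration of how an enumeration heuristic driven by `threshold_enum` and `threshold_res` can be applied. It is not Escape's scanner code: the definition of "iterable" (decimal integers), the neighbour window, the fake API, the sessions and the default thresholds are all constructed assumptions for the example.

```python
"""Enumeration heuristic with threshold_enum / threshold_res.

Added illustration, not Escape's scanner code. The fake API, the sessions,
the neighbour window and the thresholds are constructed assumptions.
"""
from collections.abc import Callable

Fetch = Callable[[str, str], int]   # (session_user, candidate_id) -> HTTP status


def iterable_rate(values: list[str]) -> float:
    """Fraction of observed argument values that look enumerable
    (assumption: decimal integers). UUIDs and opaque tokens score 0."""
    if not values:
        return 0.0
    numeric = sum(1 for v in values if v.isdigit())
    return numeric / len(values)


def neighbours(value: str, radius: int = 5) -> list[str]:
    """Candidate ids around an observed integer id, excluding the id itself."""
    n = int(value)
    return [str(n + d) for d in range(-radius, radius + 1) if d != 0 and n + d > 0]


def success_rate(session_user: str, observed: list[str], fetch: Fetch) -> float:
    """Share of enumerated neighbour ids that the API answered with 2xx
    for a session that was never given those ids."""
    candidates = {c for v in observed for c in neighbours(v)} - set(observed)
    if not candidates:
        return 0.0
    hits = sum(1 for c in sorted(candidates) if 200 <= fetch(session_user, c) < 300)
    return hits / len(candidates)


def bola_alert(session_user: str, observed: list[str], fetch: Fetch,
               threshold_enum: float = 0.8, threshold_res: float = 0.5) -> bool:
    """Alert only if the field is enumerable AND enough foreign ids succeed.
    The two thresholds follow the assumed semantics of the options above."""
    if iterable_rate(observed) < threshold_enum:
        return False            # not enumerable (e.g. UUIDs): nothing to try
    return success_rate(session_user, observed, fetch) >= threshold_res


# ---- constructed fake API: ids 1..20, ownership alternates between two users ----
OWNERS = {str(i): ("alice" if i % 2 else "bob") for i in range(1, 21)}


def api_vulnerable(user: str, invoice_id: str) -> int:
    return 200 if invoice_id in OWNERS else 404             # no ownership check


def api_fixed(user: str, invoice_id: str) -> int:
    return 200 if OWNERS.get(invoice_id) == user else 404   # 404 for foreign ids too


ALICE_SEEN = ["1", "3", "5"]     # ids alice legitimately received during the crawl

if __name__ == "__main__":
    for name, api in [("vulnerable", api_vulnerable), ("fixed", api_fixed)]:
        print(name, "success rate:", round(success_rate("alice", ALICE_SEEN, api), 2),
              "alert:", bola_alert("alice", ALICE_SEEN, api))
```

The fixed API still answers some enumerated ids successfully (alice's own invoices that the crawl did not happen to visit), which is why a rate threshold is used instead of "any success means BOLA"; lowering `threshold_res` too far turns that residual rate into false positives, while raising it too high hides partial leaks such as an endpoint that only checks ownership on some code paths.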

Examples

Ignore this check

checks:
  access_control/bola:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API1:2023

  • pci: 6.5.8

  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.9.4
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 863

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1