
Broken Object Level Authorization

Description

Broken Object Level Authorization (BOLA) is a vulnerability that allows an attacker to access resources they are not authorized for by manipulating the identifier (key value) of the object a request refers to, because the server looks the object up without checking that the caller is allowed to see it. This vulnerability is also known as Insecure Direct Object Reference (IDOR).

Remediation

Use non-sequential identifiers.
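Non-sequential identifiers only raise the cost of guessing; the framework-specific advice below all reduces to the same object-level check: load the object, then compare the caller to its owner or ACL before returning it. The following is an added example that is not part of this page, written in Python against a constructed in-memory data set (the `User`, `Invoice` and `INVOICES` names are assumptions made for the illustration). It contrasts a BOLA-prone loader, which trusts the client-supplied id, with a hardened one that scopes every read and write to the caller, and it uses one error for "missing" and "not yours" so the response does not reveal which ids exist.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class User:
    id: int
    role: str = "user"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: float


# Constructed sample data: invoices owned by two different users.
INVOICES: Dict[int, Invoice] = {
    101: Invoice(101, owner_id=1, total=42.0),
    102: Invoice(102, owner_id=2, total=99.5),
}


class NotFound(Exception):
    """Single error for 'missing' and 'not yours', so responses do not leak which ids exist."""


def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    # BOLA: `user` is accepted but never consulted; any authenticated caller
    # who supplies an existing id gets the object back.
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def can_access(user: User, invoice: Invoice) -> bool:
    # Object-level rule assumed for this example: the owner or an admin.
    return user.role == "admin" or invoice.owner_id == user.id


def get_invoice(user: User, invoice_id: int) -> Invoice:
    # Hardened: the object is loaded, then checked against the caller
    # before it is returned. Missing and forbidden collapse to one error.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_access(user, invoice):
        raise NotFound(invoice_id)
    return invoice


def update_invoice_total(user: User, invoice_id: int, total: float) -> Invoice:
    # Mutations reuse the guarded loader, so the check cannot be forgotten
    # on a per-endpoint basis.
    invoice = get_invoice(user, invoice_id)
    updated = Invoice(invoice.id, invoice.owner_id, total)
    INVOICES[invoice_id] = updated
    return updated


def accessible_ids(user: User, ids: Iterable[int],
                   loader: Callable[[User, int], Invoice]) -> List[int]:
    # Which of `ids` a given loader hands back to `user`; used only to
    # contrast the two loaders from the viewpoint of a low-privilege caller.
    found = []
    for invoice_id in ids:
        try:
            loader(user, invoice_id)
            found.append(invoice_id)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    alice = User(id=1)
    print("vulnerable:", accessible_ids(alice, [101, 102, 103], get_invoice_vulnerable))
    print("hardened:  ", accessible_ids(alice, [101, 102, 103], get_invoice))
```

Running the block as a script shows user 1 retrieving both invoices through the vulnerable loader and only its own through the hardened one; the admin path exists only to show that the rule lives in `can_access`, where it can be audited in one place.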

GraphQL Specific

  • Apollo: Implement robust access control checks within the Apollo framework to ensure that users can only access objects for which they have explicit authorization. Use middleware to verify the user's permissions against the requested resource's access control list (ACL) before performing any actions. Regularly audit and test these authorization checks to prevent Broken Object Level Authorization vulnerabilities.
  • Yoga: Implement robust access control checks within the Yoga framework engine to ensure that users can only access or modify resources for which they have explicit authorization. This should include server-side checks against the user's permissions before any object-level operations are allowed. Additionally, employ the principle of least privilege by default, and regularly audit and test authorization checks to prevent Broken Object Level Authorization vulnerabilities.
  • Awsappsync: Implement strict access controls and authorization checks on all GraphQL resolvers within AWS AppSync to ensure that users can only access objects for which they have explicit permissions. Use AWS Cognito or IAM policies to manage and validate user permissions against the requested resources.
  • Graphqlgo: Implement strict access control checks in your GraphQL Go framework to ensure that users can only access objects for which they have explicit authorization. Use middleware to verify the user's permissions against the requested object's ID before processing any query or mutation. Regularly audit your authorization logic to prevent Broken Object Level Authorization vulnerabilities.
  • Graphqlruby: In the GraphQL Ruby framework, ensure that authorization checks are performed at the object level within resolvers. Implement a policy-based authorization system, such as Pundit or GraphQL-Pro's built-in authorization framework, to manage access control. Define policies for each GraphQL type and enforce these policies in the corresponding field resolvers to prevent unauthorized access to sensitive data. Additionally, consider using scoped queries that inherently respect the permissions of the current user, and always validate that the current user has the right to access or modify the requested resources.
  • Hasura: Implement strict access control checks in Hasura by using permission rules to ensure that users can only access data they are authorized for. Define roles and permissions meticulously, and use Hasura's role-based access control (RBAC) to limit access to queries, mutations, and subscriptions based on the user's role. Regularly audit and test your permission configurations to prevent unauthorized access to sensitive data.
  • Agoo: Implement strict access control checks in the Agoo framework engine to ensure that users can only access resources they are authorized to, by validating user permissions for each object request.
  • Ariadne: Implement strict access control checks in the Ariadne framework engine to ensure that users can only access resources they are authorized to interact with, and validate object references on the server side to prevent unauthorized access.
  • Caliban: Implement strict access control checks in the Caliban framework to ensure that users can only access resources they are authorized to interact with, and validate object references on the server side to prevent unauthorized access.
  • Dgraph: Implement access control checks at the object level to ensure users can only access resources they are authorized to view or modify in the Dgraph framework.
  • Dianajl: Implement strict access control checks at the object level in the DianaJL framework engine to ensure that users can only access resources they are authorized to interact with.
  • Directus: Implement role-based access control (RBAC) and ensure that all API endpoints in the Directus framework validate user permissions for each object request to prevent unauthorized access.
  • Flutter: Implement access control checks on the server side to ensure that users can only access resources they are authorized to, and validate object identifiers to prevent unauthorized access in Flutter applications.
  • Graphene: Implement middleware to enforce access control checks for each object request in the Graphene framework.
  • Graphqlapiforwp: Implement strict access control checks in the GraphQL resolvers to ensure users can only access resources they are authorized to view.
  • Graphqlgophergo: Implement access control checks at the resolver level to ensure that users can only access resources they are authorized to view or modify.
  • Graphqljava: Implement access control checks at the resolver level to ensure users can only access resources they are authorized to view.
  • Graphqlphp: Implement middleware to enforce strict access control checks on all GraphQL queries and mutations, ensuring users can only access resources they are authorized to interact with.
  • Graphqlyoga: Implement authorization checks in resolvers to ensure users can only access resources they are permitted to, and validate user permissions against the requested data.
  • Hypergraphql: Implement strict access control checks in the HyperGraphQL framework to ensure that users can only access resources they are authorized to interact with, and validate all incoming requests to prevent unauthorized access.
  • Jaal: Implement strict access control checks to ensure that users can only access resources they are authorized to interact with in the Jaal framework engine.
  • Juniper: Implement access control checks at the object level to ensure that users can only access resources they are authorized to interact with in the Juniper framework engine.
  • Lacinia: Implement access control checks at the object level in the Lacinia framework to ensure that users can only access resources they are authorized to interact with.
  • Lighthouse: Implement strict access control checks at the object level to ensure that users can only access resources they are authorized to view or modify.
  • Mercurius: Implement access control checks in Mercurius resolvers to ensure users can only access resources they are authorized to view.
  • Morpheusgraphql: Implement access control checks at the object level in the MorpheusGraphQL framework to ensure that users can only access resources they are authorized to view or modify.
  • Gqlgen: Implement access control checks in resolvers to ensure users can only access resources they are authorized to view.
  • Sangria: Implement access control checks at the object level to ensure that users can only access resources they are authorized to view or modify in the Sangria framework.
  • Shopify: Implement access control checks at the object level to ensure that users can only access resources they are authorized to view or modify in the Shopify framework.
  • Stepzen: Implement strict access control checks in the StepZen framework engine to ensure that users can only access resources they are authorized to. Validate user permissions for each object request and avoid exposing direct object references in URLs or API endpoints.
  • Strawberry: Implement access control checks at the object level to ensure users can only access resources they are authorized to, and validate user permissions before processing requests in the Strawberry framework engine.
  • Tartiflette: Implement access control checks in the Tartiflette framework to ensure that users can only access resources they are authorized to interact with, and validate object references to prevent unauthorized access.
  • Wpgraphql: Implement access control checks in resolvers to ensure users can only access resources they are authorized to view.

REST Specific

  • Asp_net: Implement proper access control checks in the ASP.NET application to verify that the current user has the required permissions to access or modify the requested resources. Use the built-in ASP.NET Identity framework for managing user roles and permissions, and ensure that every API endpoint that accesses user data performs an authorization check before proceeding with the operation.
  • Ruby_on_rails: Implement strong access control checks in Ruby on Rails by using the 'cancancan' or 'pundit' gems to manage authorizations. Ensure that controllers perform resource loading through these libraries, which enforce that a user can only access objects they are permitted to. Additionally, always validate that the current user owns or has explicit access to the object they are attempting to interact with before processing the request.
  • Next_js: Implement robust access control checks within your Next.js API routes or middleware to validate that the requesting user has the necessary permissions to access or modify the requested resource. Use a combination of authentication mechanisms, such as JSON Web Tokens (JWT), and authorization checks against user roles or permissions before processing any request that involves object references.
  • Laravel: In Laravel, implement a robust authorization strategy using built-in features like Gates and Policies to check user permissions before accessing any object. Leverage route model binding to ensure only authorized users can access specific resources. Additionally, use Laravel's middleware to enforce user access control at the route level.
  • Express_js: Implement robust access control checks within your Express.js application to verify that the logged-in user has the appropriate permissions to access or modify the requested resource. Use middleware to validate the user's rights against the resource's ownership or access rules before processing the request. Additionally, employ a combination of JWT tokens, user roles, and resource identifiers to ensure secure object-level authorization. Always validate that the user making the request is authorized to perform the action on the specific object by checking against the server-side list of permissions.
  • Django: In Django, ensure proper object-level authorization by implementing access control checks using Django's permissions framework or third-party packages like `django-guardian`. Always verify that the current user has the right to access or modify an object before processing the request. Use Django's `get_object_or_404()` with filtering based on the user's permissions to prevent unauthorized access to objects.
  • Symfony: In the Symfony framework, mitigate Broken Object Level Authorization by implementing proper access control checks. Use Symfony's security voters or access decision managers to verify that the authenticated user has the necessary permissions to access or modify a specific resource. Additionally, always validate and sanitize user input to prevent unauthorized access to object references.
  • Spring_boot: Implement proper access control checks in the Spring Boot application. Use Spring Security to authenticate users and check if they have the required permissions or roles before granting access to a resource. Additionally, employ the principle of least privilege, ensuring users can only access resources that are necessary for their role. For each API endpoint that accesses user data, verify the logged-in user has the right to access the requested object by comparing the user's ID from the security context with the owner ID of the object.
  • Flask: Implement robust access control checks within Flask route handlers to verify that the requesting user has the necessary permissions to access or modify the requested resource. Use Flask's 'before_request' or 'after_request' decorators to create a centralized authorization mechanism. Additionally, employ the Flask-Security or Flask-Principal extensions to manage user roles and permissions effectively.
  • Nuxt: In Nuxt.js, to remediate Broken Object Level Authorization, ensure that user permissions are properly verified on the server side for each request that accesses a sensitive object. Implement robust access control checks using middleware or within your API logic to confirm that the requesting user has the necessary rights to perform the action on the specific resource. Additionally, avoid using sequential or predictable object IDs, and consider using UUIDs to make it harder for attackers to guess object identifiers. Always enforce the principle of least privilege, granting users the minimum access necessary to perform their tasks.
  • Fastapi: In FastAPI, to remediate Broken Object Level Authorization (BOLA), ensure that proper access control checks are in place before allowing users to access or modify a resource. Implement function-based or role-based access control (FBAC/RBAC) using FastAPI dependencies to verify that the current user has the necessary permissions for the requested action. Additionally, use scoped tokens or API keys to limit access to resources based on the user's role or scope. Always validate that the user is authorized to access the specific object by checking ownership or permission levels against the user's credentials.
  • Frappe: Implement access control checks at the object level to ensure users can only access resources they are authorized to view or modify in the Frappe framework.
  • Genzio: Implement strict access control checks in the Genzio framework engine to ensure that users can only access resources they are authorized to view, and validate object references on the server side to prevent unauthorized access.
  • Gin: Implement middleware to enforce access control checks for each request, ensuring that users can only access resources they are authorized to interact with.
  • Gorilla: Implement middleware to enforce access control checks for each request to ensure users can only access resources they are authorized to view.
  • Hapi: Implement access control checks in hapi route handlers to ensure users can only access resources they are authorized to, and validate user permissions before processing requests.
  • Hono: Implement strict access control checks in the Hono framework engine to ensure that users can only access resources they are authorized to interact with, and validate all user inputs to prevent unauthorized access through manipulated key values.
  • Jersey: Implement access control checks at the object level in the Jersey framework to ensure that users can only access resources they are authorized to. Use annotations or interceptors to enforce these checks consistently across your application.
  • Koa: Implement middleware to enforce strict access control checks on all object references and ensure that users can only access resources they are authorized to view.
  • Ktor: Implement access control checks at the object level in Ktor by verifying user permissions before processing requests to ensure that users can only access resources they are authorized to.
  • Leptos: Implement access control checks at the object level to ensure that users can only access resources they are authorized to interact with in the Leptos framework.
  • Macaron: Implement access control checks at the controller level to ensure users can only access resources they are authorized to view in the Macaron framework.
  • Phoenix: Implement access control checks at the controller level to ensure users can only access resources they are authorized to view in the Phoenix framework.
  • Redwoodjs: Implement access control checks in RedwoodJS services to ensure users can only access resources they are authorized to, and validate user permissions before performing any data operations.
  • Rocket: Implement strict access control checks in the Rocket framework by validating user permissions for each object request to prevent unauthorized access.
  • Sveltekit: Implement server-side access control checks to ensure that users can only access resources they are authorized to view in your SvelteKit application.

Configuration

Identifier: access_control/bola

Options

  • threshold_res : Rate of successful responses, while the values of an argument are being enumerated, above which an alert is raised.
  • threshold_enum : Rate of a field's observed values that must look iterable for the field itself to be considered iterable (and therefore a candidate for enumeration).
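To make the two thresholds concrete, here is an added illustration of how such rates can be computed and compared; it is not Escape's own implementation, and it assumes two things the page does not state: that a value "looks iterable" when it is a plain decimal integer, and that a "successful response" is an HTTP 2xx status. The sample observations and probe statuses are constructed for the example.

```python
from typing import Sequence


def looks_iterable(value: str) -> bool:
    # Assumption for this illustration: a value is iterable when it is a plain
    # decimal integer, i.e. neighbouring ids can be derived by adding one.
    return value.isdigit()


def field_is_iterable(observed: Sequence[str], threshold_enum: float) -> bool:
    # A field qualifies when at least `threshold_enum` of the values seen for it
    # look iterable; an empty sample never qualifies.
    if not observed:
        return False
    rate = sum(looks_iterable(v) for v in observed) / len(observed)
    return rate >= threshold_enum


def response_rate(statuses: Sequence[int]) -> float:
    # Fraction of probes answered with a 2xx status, i.e. the object was served
    # to a caller who should not necessarily be able to see it.
    if not statuses:
        return 0.0
    return sum(200 <= s < 300 for s in statuses) / len(statuses)


def bola_alert(observed: Sequence[str], statuses: Sequence[int],
               threshold_enum: float, threshold_res: float) -> bool:
    # Alert only when the field is iterable AND enumerating it mostly succeeds;
    # a high success rate on a non-iterable field is just normal traffic.
    return (field_is_iterable(observed, threshold_enum)
            and response_rate(statuses) >= threshold_res)


# Constructed sample: ids seen in responses for an `invoice(id:)` argument.
OBSERVED_IDS = ["101", "102", "103", "104", "abc"]

# Constructed sample: statuses returned to a low-privilege user probing
# neighbouring ids. A BOLA-prone API serves almost everything; a hardened one
# serves only the caller's own object and rejects the rest.
VULNERABLE_STATUSES = [200, 200, 200, 404, 200]
HARDENED_STATUSES = [200, 403, 403, 404, 403]


if __name__ == "__main__":
    for label, statuses in (("vulnerable", VULNERABLE_STATUSES),
                            ("hardened", HARDENED_STATUSES)):
        print(label, "alert:", bola_alert(OBSERVED_IDS, statuses, 0.8, 0.5))
```

With `threshold_enum` at 0.8, four of the five observed values are integers, so the field is treated as iterable; the vulnerable status sample then has a 0.8 success rate and trips `threshold_res` at 0.5, while the hardened sample's 0.2 does not. Raising `threshold_enum` above 0.8 would exclude the field from the check entirely, which is the lever to use when a field mixes opaque and numeric identifiers.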

Examples

Ignore this check

checks:
  access_control/bola:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API1:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.8
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.9.4
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 863

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1