Broken Object Level Authorization

Description

Broken Object Level Authorization (BOLA) is a vulnerability that allows an attacker to access unauthorized resources by manipulating key values. This vulnerability is also known as Insecure Direct Object Reference (IDOR).

Remediation

Use non-sequential identifiers.

Configuration

Identifier: access_control/bola

Options

threshold_res : Rate of correct responses to an argument being enumerated to raise an alert.
- threshold_enum : Rate of iterable values of a field to be considered iterable.

Examples

Ignore this check

{
    "checks": {
        "access_control/bola": {
            "skip": true
        }
    }
}

Score

Escape Severity: MEDIUM
- OWASP: API1:2023
- PCI DSS: 6.5.8
- CWE
  - 284
  - 307
  - 566
  - 639
  - 799
- WASC: WASC-11

CVSS

CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
CVSS_SCORE: 5.1

Broken Object Level Authorization

Description​

Remediation​

Configuration​

Options​

Examples​

Ignore this check​

Score​

CVSS​