Broken Object Level Authorization vulnerability detection

A Broken Object Level Authorization (BOLA) vulnerability is where an application or API fails to properly verify if a user has permission to access specific data.

Bugs in the application or API allow attackers to bypass authorization checks and access potentially sensitive information by manipulating and iterating through object identifiers.

Vulnerabilities can occur at any time, including in the original application's deployment. However, changes or upgrades to authentication and authorization policies can also introduce these bugs.

BOLA vulnerabilities are as dangerous as an account takeover. Successfully exploiting a BOLA vulnerability allows the attacker to access or change data that they should not have ownership over.

Cloudflare labels endpoints with BOLA risk when we detect two distinct signals common with attacks exploiting BOLA: Parameter pollution and Enumeration.

• Parameter pollution: Cloudflare detects anomalies where one or more successful requests containing a value in an expected path, query string or header have that value duplicated in an unexpected, similar location.

  This behavior may be indicative of attackers trying to confuse the API’s authorization system and bypass security controls.

• Enumeration: Cloudflare continually profiles all sessions on a per-endpoint basis and detects anomalous sessions that successfully request many unique data points from an API endpoint against what is normal.

Note

Sessions that have more random behavior or repetition have a higher chance of triggering an alert.

The BOLA enumeration label requires an endpoint to have seen at least 10,000 sessions before being eligible for outlier detection.

Examples

Parameter pollution attack

Endpoint: GET /api/v1/orders/{orderId}

• Normal behavior: orderId sent in a path variable like GET /api/v1/orders/12345
• Attacker behavior: orderId is also sent as a query parameter, triggering old, undocumented code that looks for orders in the query parameter and happens to lack an authorization check: GET /api/v1/orders/12345?orderId=67890
• Result: By passing in a bogus order or an order that the attacker owns (12345), they are able to trigger the old, undocumented code and access an order that they do not own (67890)

BOLA enumeration attack

Endpoint: GET /api/v1/users/{userId}/credit-cards

• Normal behavior: Users request credit cards using only their own userId.
• Attack behavior: Attackers request hundreds of userId values per session by brute-force iterating through userIds found via other methods.
• Result: If the authorization policy is broken for this endpoint, the attacker gains credit card information on every user account they request it for.

Process

For beta customers, API Shield searches for and highlights BOLA attacks on your APIs. Cloudflare learns visitor traffic patterns over time to know when API access to specific objects is likely a BOLA enumeration attack. We inform you what API endpoints are being targeted by automatically labeling them using the following risk labels:

cf-risk-bola-enumeration: Automatically added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions.

cf-risk-bola-pollution: Automatically added when an endpoint experiences successful responses where parameters are found in multiple places in the request, as opposed to what is expected from the API's schema.

If you see one of these labels on your API endpoints, check its authorization policy with your developer team to find any authorization bugs. Additionally, you can reach out to Cloudflare for a customized report about the behavior, including attacker identifiers that you can use to confirm attack reach and impact.

Availability

BOLA attack detection is available in a closed beta. Contact your account team if you are interested in BOLA attack detection for your API.