Broken Object Level Authorization (BOLA) is a critical security vulnerability that occurs when a user can reach other users' resources simply by changing part of a request, for example by changing the bank account number in a URL to access another user’s data or resources.
You can use Snyk API & Web to test your APIs against this type of vulnerability by configuring the API target authentication and setting up 2 different users.
Setting up your target to be tested against BOLA vulnerabilities involves two steps:
Configure and enable API Target authentication
Select the appropriate scan profile
This article describes these steps in detail.
Step 1: Configure and enable API Target authentication
To configure the API Target authentication, do the following:
Identify the OpenAPI target you want to test and, either from the list of Targets or from the Target details, click on the cogwheel icon to access its Settings. This opens that target’s settings with the Authentication tab already selected.
Locate the API TARGET AUTHENTICATION module on that page.
Choose between Authentication payload or Static headers/cookies, and follow the instructions below.
Authentication Payload
If you want to configure Authentication Payload, do the following:
After choosing the Authentication payload option, select the Authentication media type of the payload/request to the authentication endpoint.
Type the authentication URL in the Login URL field.
In the Authentication payload, type the authentication content to send in the payload of the POST request to the Login URL.
Click Fetch to authenticate, and confirm the results in the response field below. At the same time, the Token selector dropdown is filled with a list of fields obtained in the authentication response.
Check the “Add additional user for authorization testing” checkbox and configure the authentication payload for the second user. Please note that, to reduce false positives, the second user should have the same level of privileges as the first user, or lower.
In the Token selector, choose the field that contains the authentication token.
In the Place token in, choose where to place the token in the API requests. In most cases, the token is placed in the header. The other option is cookie.
In the Field name, enter the name of the field in the header or cookie that will hold the token.
Optionally, set a Value prefix for the token value. This is often needed for JWTs. For instance, if your API requires you to send a header like:
Authorization: JWT <token>
set the following values:
Field name: Authorization (without the colon (:) separator)
Value prefix: "JWT " (with a space at the end, so that the prefix and the token are properly separated)
Click on Save and enable.
The settings are saved and API target authentication is enabled for Snyk API & Web to access and scan your application.
You can disable/enable this authentication anytime with the Off/On toggle button or delete the configuration using the Delete button.
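The following is an added example, not code from Snyk API & Web or from this article, that shows what the settings above amount to once a scan runs: the Token selector is applied to the login response to pick out the token, and Place token in, Field name and Value prefix decide how that token is attached to every request. The login response, the AuthConfig field names and the function names are constructed for illustration and are not the product's own.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict

# Constructed sample login response for a hypothetical /login endpoint
# (not a real product response); the token sits at auth.access_token.
SAMPLE_LOGIN_RESPONSE = json.dumps({
    "user": {"id": 42, "name": "alice"},
    "auth": {"access_token": "eyJhbGciOi.example.token", "expires_in": 3600},
})


@dataclass
class AuthConfig:
    """Mirrors the settings described in the article (field names here are assumptions)."""
    token_selector: str        # dotted path into the login response, e.g. "auth.access_token"
    place_token_in: str        # "header" or "cookie"
    field_name: str            # header or cookie name, e.g. "Authorization" (no colon)
    value_prefix: str = ""     # e.g. "JWT " (trailing space included, see the article)


def select_token(login_response: str, selector: str) -> str:
    """Walk the dotted selector into the JSON login response and return the token string."""
    node: Any = json.loads(login_response)
    for part in selector.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"selector {selector!r} does not match the login response")
        node = node[part]
    if not isinstance(node, str) or not node:
        raise ValueError(f"selector {selector!r} did not resolve to a non-empty string")
    return node


def build_auth(config: AuthConfig, token: str) -> Dict[str, Dict[str, str]]:
    """Return the headers and cookies to attach to every scanned request for one user."""
    name = config.field_name.strip()
    if name.endswith(":"):
        # The field name is given without the ':' separator; "Authorization:" is a mistake.
        raise ValueError("field name must not include the ':' separator")
    value = config.value_prefix + token
    if config.place_token_in == "header":
        return {"headers": {name: value}, "cookies": {}}
    if config.place_token_in == "cookie":
        return {"headers": {}, "cookies": {name: value}}
    raise ValueError("place_token_in must be 'header' or 'cookie'")


def authenticated_request_parts(config: AuthConfig,
                                login_response: str) -> Dict[str, Dict[str, str]]:
    """Token selection followed by placement, as the Fetch / Save flow does for one user."""
    return build_auth(config, select_token(login_response, config.token_selector))


if __name__ == "__main__":
    cfg = AuthConfig("auth.access_token", "header", "Authorization", "JWT ")
    print(authenticated_request_parts(cfg, SAMPLE_LOGIN_RESPONSE))
```

Running the block with the constructed config yields an Authorization header of "JWT eyJhbGciOi.example.token"; a config with value_prefix "JWT" (no trailing space) would produce "JWTeyJhbGciOi.example.token", which is the mistake the article warns about. The same two functions run once per configured user, which is why the second user needs its own payload.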
Configure Static headers/cookies
If you want to configure static headers and/or cookies, do the following:
After choosing the Static Authentication Headers/Cookies option, fill out the respective name and value pair and click on the Add button.
Check the “Add additional user for authorization testing” checkbox and configure the Static Authentication Headers/Cookies for the second user. Please note that, to reduce false positives, the second user should have the same level of privileges as the first user, or lower.
Click on Save and enable.
The settings are saved and API target authentication is enabled for Snyk API & Web to access and scan your application.
You can disable/enable this authentication anytime with the Off/On toggle button or delete the configuration using the Delete button.
Step 2: Select the appropriate scan profile
After configuring the OpenAPI target authentication, choose the appropriate scan profile. To do so:
Access the Profile tab of that target’s settings.
Choose either the "API normal" or the "API full" scan profile.
Once both sets of users are configured for OpenAPI targets and the appropriate scan profile is selected, Snyk API & Web will test against BOLA vulnerabilities.
Does the privilege level of the users matter?
Yes. The 2nd user (the attacker) should not have access to the 1st user’s resources.
The two users can have different privilege levels (e.g., admin vs. regular user), or they can have the same level — as long as the 1st user owns resources that should not be accessible to the 2nd. That's what allows us to test for BOLA vulnerabilities.
Ideally, the 1st user has multiple and varied private resources, so attempts by the 2nd user to access them can effectively reveal access control flaws.
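As an added example (not the product's own code or detection logic), the block below shows, on a constructed in-memory bank-account API, both what a BOLA flaw looks like in a handler and the two-user check the article describes: resources the first user (alice) owns are requested with the second user's (bob's) credentials, and any that come back 200 are reported. The account data, the session tokens and the handler names are all constructed for this illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed data store: each account belongs to exactly one user.
ACCOUNTS: Dict[str, Dict] = {
    "acc-100": {"owner": "alice", "balance": 1250},
    "acc-200": {"owner": "alice", "balance": 80},
    "acc-300": {"owner": "bob", "balance": 10},
}
# Constructed token -> user mapping, standing in for the two configured users.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}

Handler = Callable[[str, Dict[str, str]], Tuple[int, Dict]]


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Resolve the 'Authorization: JWT <token>' header to a user name, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("JWT "):
        return None
    return SESSIONS.get(auth[len("JWT "):])


def get_account_vulnerable(account_id: str, headers: Dict[str, str]) -> Tuple[int, Dict]:
    """Authenticates the caller but never checks ownership: the BOLA flaw."""
    if authenticate(headers) is None:
        return 401, {}
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, {}
    return 200, account


def get_account_fixed(account_id: str, headers: Dict[str, str]) -> Tuple[int, Dict]:
    """Object-level authorization: the caller must own the requested account."""
    user = authenticate(headers)
    if user is None:
        return 401, {}
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        # Same answer for "not yours" and "does not exist", so IDs are not confirmed to others.
        return 404, {}
    return 200, account


def bola_check(handler: Handler, owner_headers: Dict[str, str],
               second_user_headers: Dict[str, str], owner_resource_ids: List[str]) -> List[str]:
    """Return the owner's resource ids that the second user can also read.

    Only resources the owner can actually read (200) are replayed, so a resource
    that is private to nobody does not count. The second user should have the same
    privileges as the owner or lower; an admin would legitimately read everything
    and every hit would be a false positive.
    """
    leaked = []
    for resource_id in owner_resource_ids:
        status_owner, _ = handler(resource_id, owner_headers)
        if status_owner != 200:
            continue
        status_other, _ = handler(resource_id, second_user_headers)
        if status_other == 200:
            leaked.append(resource_id)
    return leaked


ALICE = {"Authorization": "JWT token-alice"}   # first user, owns acc-100 and acc-200
BOB = {"Authorization": "JWT token-bob"}       # second user, same privilege level

if __name__ == "__main__":
    for handler in (get_account_vulnerable, get_account_fixed):
        print(handler.__name__, "leaks:", bola_check(handler, ALICE, BOB, ["acc-100", "acc-200"]))
```

The check needs the first user to own several private resources (here two accounts) precisely because a handler can be correct on one route and wrong on another; the more varied the first user's resources, the more of the API's object-level checks the second user's replays exercise.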