One of the main components of security is authorization, and today we will look at an authorization vulnerability called BOLA. But before we dive deeper, we first have to understand the difference between authentication and authorization in cyber security.
Authentication: the process of verifying that users are in fact who they claim to be (your Facebook account verification, for example).
Authorization: the process of defining users' access permissions to data. Basically, once you are logged in, which functions do you have the right to perform?
Broken Object Level Authorization (BOLA): when authorization controls are lacking or missing, user A is able to request user B's (or any other user's) resources.
When hunting for BOLA, there are three ingredients needed for successful exploitation:
1. A resource ID
2. Requests that access the resource
3. Missing or flawed access controls
For crAPI, we will first look at our Postman collection and dive deeper:
First, we will make a collection for authorization attacks and call it crAPI Authorization Attack Collection:
Then we will add the requests that contain IDs or changeable tokens to the collection:
Screenshot: IDs or changeable tokens
When searching for authorization vulnerabilities, we will use two accounts and perform A-B testing (test B's resources from A).
So we will use Postman to register another user and send the request.
Then we will log in with the new account.
Then we will add this token to our collection.
Screenshot: Adding our user's valid token
Then we will re-request the location from our collection with the new Bearer token, which belongs to the other user.
Screenshot: Requesting vehicle location
As we can see, we were able to see the location of Ama and the car ID for it.
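To make the missing check concrete, here is an added example (not crAPI's code and not from the original post) that models the vehicle-location endpoint in memory: one handler that only authenticates the Bearer token and so leaks any vehicle, a fixed handler that also verifies the caller owns the requested object, and the same A-B test the walkthrough performs by hand in Postman. The users, tokens, vehicle IDs and coordinates are all constructed.

```python
# Added example: minimal model of a BOLA-prone endpoint and its fix.
# All names, tokens and data below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Vehicle:
    vehicle_id: str
    owner_id: str
    location: tuple


# Constructed data: user "alice" owns car-1, user "ama" owns car-2.
VEHICLES = {
    "car-1": Vehicle("car-1", "alice", (37.77, -122.42)),
    "car-2": Vehicle("car-2", "ama", (40.71, -74.01)),
}
# Constructed token table standing in for the Bearer tokens issued at login.
TOKENS = {"tok-alice": "alice", "tok-ama": "ama"}


class Forbidden(Exception):
    pass


def user_from_token(token):
    # Authentication only: establishes who is calling, not what they may read.
    return TOKENS[token]


def vehicle_location_vulnerable(token, vehicle_id):
    user_from_token(token)  # caller is authenticated, but ownership is never checked
    return VEHICLES[vehicle_id].location  # any valid user can read any car: BOLA


def vehicle_location_fixed(token, vehicle_id):
    caller = user_from_token(token)
    vehicle = VEHICLES[vehicle_id]
    # Object-level authorization: the requested object must belong to the caller.
    if vehicle.owner_id != caller:
        raise Forbidden(f"{caller} may not read {vehicle_id}")
    return vehicle.location


def ab_test(endpoint, token_a, resource_of_b):
    """A-B test: return True if user A can read B's resource (a BOLA finding)."""
    try:
        endpoint(token_a, resource_of_b)
        return True
    except Forbidden:
        return False
```

A real fix belongs in the server-side handler for every object-bearing route, not just this one; the A-B test is the regression check that proves it stays in place.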
BOLA can lead to information leakage or to requesting things on behalf of other users.