Posts filtered by tag:

Business Logic

Dan Barahona
API Security

What is Broken Object Level Authorization (BOLA) and How to Fix It

With APIs projected to become the main attack vector in 2022, companies that downplay the importance of API security risk making the headlines as the next victim of a major data breach—losing customer trust for years to come. While most API threats are relatively easy to catch using vulnerability scanners, some can remain undetected for years. This makes them a ticking time bomb until bad agents spot them. Today, we're going to cover one of them. Broken Object Level Authorization (BOLA) vulnerabilities sit at the top of the OWASP API Security Top 10 list. Why is that the case? Keep reading to find out the answer and learn how to protect yourself from it. What is Broken Object Level Authorization, and Why Is It #1 on the OWASP Top 10 List? Object-level authorization is a security measure that controls which users can access which objects, be it database records or files. For example, a user might be allowed to view specific files but not edit or delete them. Broken object-level authorization (BOLA) vulnerabilities occur when a user is able to access other users' data due to the flaws in authorization controls validating access to data objects. BOLA vulnerabilities are often caused by insecure coding practices, such as failing to properly validate user input or check permissions before granting access to an object. This happens when an API uses overly permissive access controls or when API resources are not properly protected. BOLA vulnerabilities lead to devastating data breaches and other ramifications. The USPS hack, one of the largest data breaches in history, happened because of, you guessed it, broken access controls. “The USPS hack is a classic example of a broken authorization vulnerability. User A was able to authenticate to the API and then pivot and access user B’s and 60 million other people’s information.”- Dan Barahona, Head of Marketing at Biz Dev at APIsec How to Protect Your APIs from BOLA Vulnerabilities Since BOLA vulnerabilities are the most dangerous cluster of API threats, companies need to take proactive steps to prevent them. Here are the most effective ones. 1. Enforce Robust Authorization Mechanisms Enforcing robust authorization mechanisms is the first step any organization should take to combat BOLA vulnerabilities. Many organizations think their APIs are secure because they have strong authentication. But that's not really going to help a whole lot when it comes to BOLA vulnerabilities. To keep your APIs safe, you need strong authentication mechanisms, but the bigger challenge is ensuring you've got well-controlled authorization policies that you are testing rigorously and continuously to make sure they're free of logic flaws or loopholes.2. Use Random Universally Unique Identifiers (UUIDs)The next step is redefining how you approach the process of generating and managing IDs within your API ecosystem. Auto-incrementing IDs absolutely have to go. As an alternative, use random IDs when creating and accessing APIs. These IDs, commonly referred to as UUIDs, are designed specifically to be difficult for cybercriminals or unauthorized users to guess. UUIDs are made up of a combination of letters, numbers, and symbols that have no inherent meaning or pattern, making them virtually impossible to guess or reverse-engineer. Using UUIDs minimizes the risk of malicious tampering, one of the root causes of BOLA vulnerabilities.3. Laser-focus on Your Business Logic Layer BOLA vulnerabilities are so tricky because they often lurk in the business logic layer of your APIs. The implications? It means that BOLA vulnerabilities typically occur due to the flaws in the design of the legitimate functionalities of your APIs rather than bad agents using complex exploits to break into your systems. That's why it's critical to meticulously test your business logic layer to spot vulnerabilities that are impossible to reliably address upon each release with vulnerability scanners. “BOLA is already #1 on the OWASP API Security Top 10 list - and for good reasons. API providers do a great job at making sure that users are authenticated to the API, so they want to make sure that legitimate users have access. But the number one thing that's often overlooked is authorization, ensuring that user A can't access user’s B resources. And it's one thing to hide the resource IDs, but the important factor there is that user A should not be able to access, interact with, or alter user B's resources - at all.”- Corey Ball, Cybersecurity Consulting Manager and Author of "Hacking APIs"4. Implement the Zero-Trust Security Model Enforcing the zero-trust security model is another step organizations typically take to protect APIs from BOLA vulnerabilities. In a traditional security model, authorized and authenticated users are trusted by default. However, in the zero-trust security model, all users must be authenticated and authorized before accessing any resources. Additionally, the authorized users are constantly monitored to prevent insider threats. Based on this model, each API call must be authenticated and authorized before it can be executed. Once the user has been authenticated, the authorization mechanisms in place determine whether the user is allowed to access the requested resource. If the user is not authorized, then the API call will not be executed, making it more difficult for attackers to exploit BOLA vulnerabilities.5. Ensure Continuous API Security Testing This is arguably the most effective way to protect APIs from BOLA vulnerabilities. However, here's the rub. Traditional API security testing tools aren't reliable since vulnerability scanners don't take into account the unique architecture of your API while pen testing is impossible to scale to ensure full coverage with each update. This is where APIsec comes into play. APIsec is an industry-leading solution that leverages the power of AI to dissect your API and generate custom-tailored attack scenarios aimed at identifying business logic vulnerabilities. APIsec is the only reliable way to automatically secure your API from BOLA vulnerabilities and, most importantly, business logic flaws while ensuring full coverage and eliminating human error. Sounds too good to be true? Get in touch with our team today to get a free demo.
May 11, 2022
6 mins
Dan Barahona
Business Logic

How to Address Business Logic Flaws During Application Design

Business logic vulnerabilities often go undetected for years. Nothing makes cybercriminals happier than an application with vulnerabilities they can exploit without any special tools—simply working within the normal functionality of the app. Since most vulnerabilities are exposed in the development phase, catching them during the design phase will require new strategies beyond what has been the industry norm. “Without proper testing, you’re leaving those APIs exposed and just ripe for the picking.” - Corey Ball, Cybersecurity Consulting Manager & Author of "Hacking APIs" We’ve identified common business logic flaws and provided our top tips for eliminating them during application design. 1. Ensure Proper Authorization and Authentication Measures From Day 1 Attackers often gain access to sensitive data through vulnerabilities in authentication and authorization resources that they should not have access to. Here are the most common business logic flaws associated with this cluster of API threats and how you address them from the start: Unprotected APIs: Implement stringent authorization and authentication for all internal and staging APIs so they can’t be compromised to pivot to other systems. Weak credential policy: Restrict the use of insecure or previously exposed passwords to guard yourself against automated brute force attacks. Flawed credential recovery process: Ensure that permit recovery or credential reset can’t be triggered with insufficient information. Broken authentication: Make it impossible to view, modify, or remove the data of another account without the corresponding user privileges. Read More: API Security Checklist: What You Need To Know 2. Eliminate Data Input And Client-Side Loopholes Malicious attackers can alter a database query without using any exploits to make the application execute unauthorized commands. To combat this, we recommend evaluating the most common business logic flaws related to data input and client-side vulnerabilities. Critical parameter manipulation: Inspect HTTP request parameters (the values sent in the request body) to make it impossible to tamper them to query the database. Cookie tampering: Encrypt session and cookie data to prevent the attacker from reverse engineering business logic and modifying cookie parameters to launch a privilege escalation attack. LDAP injection attacks: Check LDAP parameters for any business logic flags to prevent bad actors from changing them to bypass the business layer. Client-side vulnerabilities: Examine your business routines embedded in JavaScript, Flash, or other client-side languages. Read More: Drilling Down Into Excessive Data Exposure: How to Protect Your APIs Sensitive Data 3. Eliminate Logic Flaws From Processes and Workflows When application workflows or processes have design flaws built into the business logic, users short-circuit them in unintended ways to bypass security checks and gain unauthorized access to data and functionalities. That’s why it's essential to meticulously test every action and task the user can perform to uncover potential loopholes. These business logic vulnerabilities would be a great starting point: Business constraint exploitation: Ensure that no hidden user fields contain values that control the constraints or restrictions defined by the business logic layer. Business flow bypass: Break down your application workflows to verify steps can’t be hijacked, skipped, or bypassed to perform a certain task. Denial of Services (DoS) with business logic: Check for the possibility of short-circuiting processes with infinite loops to overload or crash the system. Auto-increment IDs: Graduate from using automatically-incrementing identifiers when generating database records to make it impossible for the attacker to automatically harvest all of your records should you find your defense lines compromised. Read More: What Is API Privacy and How to Protect Your Sensitive Data 4. Ensure Critical Data Is Secured APIs and web applications often leak credentials and sensitive data without an organization ever knowing it happened. By following these best practices, you help to ensure that your API is secure: Identity extraction: Examine the parameters that control user profiles and make it impossible for the attacker to reverse engineer or guess tokens to harvest user data. Getting entire database objects: Ensure that the server returns only the values requested by the user, not entire database objects. Never leave data filtering to the client. Unauthorized file URL access: Dissect the mechanisms that generate temporary links to restricted files to ensure they can’t be reverse-engineered or hijacked with a custom API call. Read More: How Improper Assets Management Leaves Your APIs Vulnerable to Attacks The Only Automated API Security Testing Tool that Detects Business Logic Flaws Armed with this list, you will drastically reduce the likelihood and severity of data breaches caused by this vulnerability cluster. APIsec is the only fully automated API security testing solution that identifies business logic vulnerabilities at scale. By automating the process of identifying these flaws, APIsec helps organizations protect their applications and data from being compromised. If you want to learn more about how APIsec can help you identify and fix business logic flaws, contact us for a free demo.
April 10, 2022
5 min read