BLOG

How to Protect APIs from OWASP Authorization Risks: BOLA, BOPLA & BFLA

The OWASP API Top Risks listing identifies three different Authorization challenges 

Coding issues relating to Authorization configuration failures continue to present a significant challenge for development and security teams building and protecting APIs. Just read any issue of our fortnightly APIsecurity.io newsletter and you’ll discover that Authorization-based breaches are at the root of a large percentage of the high-profile attacks. Authorization, in its various flavors, presents challenges because any misconfigurations or vulnerabilities can lead to unauthorized access and harmful data breaches.

In a recent 42Crunch webinar, “Top Things you Need to know about API Security” with Isabelle Mauny and Dr. Philippe De Ryck, we explored why Authorization warrants 3 different entries in the OWASP API Top 10, why it is difficult to get right and how organizations should go about implementing Authorization safeguards.

Figure 1. Authorization entries in the OWASP API Top 10

Authorization Compliance is Complicated

Many APIs are characterized by layers of complexity which inevitably leads to a complicated rules logic. Ensuring that this logic is accurately implemented and determining what the authorization rules should be can be challenging. It is even doubly difficult to check for compliance once the API has been deployed as there is the added time pressure of racing to review and remediate any holes, before the API is potentially attacked. All an attacker requires is one hole from which to build his attack from. This is why building logic into the APIs during the development phase is a recommended best practice.

Philippe De Ryck observed though that when developers are quizzed by security about how they can prove that their Authorization checks work and how they were implemented there tends to be a lot of head scratching and finger crossing. He suggested two ways in which security and engineering developer teams can successfully implement these checks.

  1. Make authorization auditable
  2. Define the authorization rules in the OpenAPI contracts and ensure that the APIs enforce that contract and its rules. 

Make Authorization Auditable at Scale

Authorization is undoubtedly a critical aspect of your overall API security posture. But without the ability to audit authorization checks in your security policies you will have great difficulty in identifying whether developers have implemented the appropriate checks in the correct places.

The best way to do this is to integrate security measures early in the development lifecycle by giving your developers easy to use API audit and scan testing tools that run in their IDEs and help them implement Authorization best practices as they build their APIs. In parallel, you also need to give your security teams real-time oversight via these tools from within the CI/CD pipelines to ensure that the authorization requirements are being adhered to. 

 

Figure 2. 42Crunch audits & scans Authorization checks inside the development IDE

OWASP Authorization Issues

The OWASP API Authorization challenges are identified next and how 42Crunch can help companies address them.

Figure 3.  Different levels of API Authorization: Functional, Object and Object-Property

Broken Object Level Authorization (BOLA)

BOLA relates to a flaw or weakness in the implementation of object-level authorization within an API. It means that the API doesn’t adequately verify and enforce the permissions associated with a specific object, allowing unauthorized users to access or modify it. 

Risk: Attacker substitutes the ID of their own resource in the API call with an ID of a resource belonging to another user. Lack of proper authorization checks allows attackers to access the specified resource. 

Fix:

  • Implement authorization checks with user policies and hierarchy 
  • Don’t rely on IDs sent from the client. Use IDs stored in the session object instead
  • Check authorization for each client request to access the database
  • Use random non-guessable IDs (UUIDs)
  • Implement a robust test framework to specifically test for this vulnerability type leveraging 42Crunch.

Broken Object Property Level Authorization (BOPLA)

This vulnerability occurs when the API fails to properly enforce authorization controls at the property level. It is a combination of two previous OWASP risks, Mass Assignment and Excessive Data Exposure.

Risk: It means that users could gain unauthorized access to or modify specific properties of an object.

Fix:

  • Never rely on client to filter data
  • Review all responses and adapt to what API consumers need
  • Define schemas of all the API responses
  • Don’t forget about error responses
  • Identify all the sensitive or PII info and justify its use
  • Do not automatically bind incoming data to internal objects –  Explicitly define all the expected parameters and payloads – Set readOnly property to true in object schemas for all properties retrieved through APIs that should never be modified – Precisely define the schemas, types, and patterns you will accept in requests at design time and enforce them at runtime.

Broken Function Level Authorization (BFLA)

BFLA refers to a security vulnerability where the API fails to properly enforce access controls on specific functions. Users can perform certain functions or actions for which they do not have the appropriate permissions.

Risk: API relies on the client to use user level or admin-level/privileged APIs as appropriate. Attackers figure out the “hidden” admin API methods and invoke them directly.

Fix:

  • Do not rely on the client to enforce admin/privilege access
  • Apply deny all access by default
  • Only allow operations to users based on appropriate role
  • Implement properly designed and tested authorization

Conclusion
There are tools and techniques designed to mitigate security vulnerabilities at the  earliest stages of design and development so that you reduce the risk and cost associated with late-stage Authorization security issues. The 42Crunch API security platform makes it easy for developers and security teams to continually identify and remediate Authorization vulnerabilities and misconfigurations before deployment.

Further Reading:

Webinar: Top Things you need to know about API Security

Datasheet: Protecting the Enterprise: How 42Crunch Remediates the OWASP API Top 10 Security Risks

Latest Resources

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar
Nov 5, 2024
PST 9am | EST 12pm | GMT 5pm

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protection as attacks on automotive APIs climb within and among vehicle, cloud and mobile  DALLAS and TOKYO, May 29, 2024—VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch  to enhance the security of application programming […]

DataSheet

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar
Nov 5, 2024
PST 9am | EST 12pm | GMT 5pm

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protection as attacks on automotive APIs climb within and among vehicle, cloud and mobile  DALLAS and TOKYO, May 29, 2024—VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch  to enhance the security of application programming […]

DataSheet

Datasheet Cover Images P1-02

Product Datasheet Addressing API Security Challenges

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.