Broken Object Level Authorization Analyzer
Configuration Name: BrokenObjectLevelAuth
Description
Object level authorization is an access control mechanism that is usually implemented in the application logic (at the code level) to control which users may perform actions on a particular object (identified by some unique identifier).
Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR), refers to an improper implementation of this access control mechanism, in which case an API client may access information it is not authorized to access. Failures in this mechanism typically lead to unauthorized information disclosure, modification, or destruction of all data. OWASP classifies Broken Object Level Authorization as the #1 security vulnerability in its API Security Top 10 (API1:2019).
The `BrokenObjectLevelAuth` analyzer validates two kinds of object-level authorization.
- If an object can be accessed using authorization and without authorization, then a finding will be reported.
- If an object can be created by one user and accessed by a different user, then a finding will be reported (principle of least privilege).
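The two checks above, modelled as an added example against a constructed in-memory API (this is not Sift's own code; `Api`, `audit_object` and the token values are hypothetical). It also models the default described under Configuration Parameters, where every other known Target user is tried when no unauthorized users are configured.

```python
from dataclasses import dataclass, field


@dataclass
class Api:
    """Constructed in-memory stand-in for a target API (not a real Sift Target)."""
    tokens: dict                                  # Authorization header value -> user id
    require_auth: bool = True                     # hardened: reject anonymous requests
    enforce_owner: bool = True                    # hardened: reject non-owners of the object
    objects: dict = field(default_factory=dict)   # object id -> owner user id

    def create(self, auth, object_id):
        user = self.tokens.get(auth)
        if user is None:
            return 401
        self.objects[object_id] = user
        return 201

    def get(self, auth, object_id):
        if object_id not in self.objects:
            return 404
        user = self.tokens.get(auth)
        if user is None and self.require_auth:
            return 401
        if self.enforce_owner and self.objects[object_id] != user:
            return 403
        return 200


def audit_object(api, baseline_auth, object_id, unauthorized_users=None):
    """Model of the analyzer's two checks for one object created by the baseline user.

    unauthorized_users maps identity ID -> Authorization header value (like the
    unauthorizedUsers map); when empty, every other known Target user is tried.
    """
    findings = []
    if api.create(baseline_auth, object_id) != 201:
        raise RuntimeError("baseline request must succeed before the checks run")
    # Check 1: the same object, requested with the credentials removed, must not succeed.
    if 200 <= api.get(None, object_id) < 300:
        findings.append(("CWE-639", object_id, "<no authorization>"))
    # Check 2: an object created by one user must not be readable by another user.
    if not unauthorized_users:
        unauthorized_users = {u: t for t, u in api.tokens.items() if t != baseline_auth}
    for identity, auth in unauthorized_users.items():
        if 200 <= api.get(auth, object_id) < 300:
            findings.append(("CWE-639", object_id, identity))
    return findings
```

Each returned tuple corresponds to one reported fault: the object that was reachable and the identity (or absence of one) that should have been rejected.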
Configuration Parameters
The `BrokenObjectLevelAuth` analyzer has one optional configuration parameter that may be specified when using the analyzer in a configuration.
- `unauthorizedUsers`: This property configures authorization tokens that the `BrokenObjectLevelAuth` analyzer uses to check whether a target application correctly implements an authorization policy. `BrokenObjectLevelAuth` will attempt requests using the provided authorization credentials of the specified unauthorized users, and expects the requests not to succeed. The `unauthorizedUsers` property is a map of user identity ID to an identity configuration that is not authorized to make requests. The user identity ID is a user-specified name for a user identity. The identity configuration has the same schema as the virtual users in a Target. Note that when Sift runs a dynamic authorization command specified in this section, the value of the environment variable `SIFT_TARGET_URL` will be an empty string unless the `targetUrl` property is set explicitly. One or more unauthorized users may be configured. If `unauthorizedUsers` is not present, then `BrokenObjectLevelAuth` attempts requests using the users defined for the Target (i.e., in `targets[].authorization`) other than the user of the baseline request.
For example, to use a script `unauthorizedToken.sh` that prints HTTP authorization headers to standard output, configure `BrokenObjectLevelAuth` as follows.

```yaml
testProfile:
  analyzers:
    - kind: BrokenObjectLevelAuth
      unauthorizedUsers:
        myUnauthorizedUser1:
          kind: dynamic-http-header
          command: unauthorizedToken.sh
          timeout: 120
```
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-639 | Authorization Bypass Through User-Controlled Key | An application's authorization functionality does not prevent a client from performing actions on an object that the client is not authorized to access. | Review the implementation of access control in the application. | high, medium |