Hello everyone.

This write-up will be about Broken Object Level Authorization (BOLA), which is #1 topic of API Security 101 (OWASP). I will also consider a case where I found this vulnerability. Well, without further ado, let’s get it started.

What is Broken Object Level Authorization (BOLA)?

Broken Object Level Authorization (BOLA) relies on the ability of a sensitive request sent by a user on the application to be accessed by other resources. This is often the result of missing/incorrect access controls by the developers. Technically it can basically be likened to IDOR. When this security configuration is not done correctly, it has a wide attack surface (from information disclosure to account takeover).

As can be seen from the image, if we try to make a typical attack scenario, it will be like this:

• The victim and attacker will be given specific identities by the API and given access to their sensitive data. (https://redacted.com/exposed/v1/profiles/self-id)
• The attacker will notice the weakness in the API and will be able to access the victim’s PII data using the victim’s user-id. (https://redacted.com/exposed/v1/profiles/target-id)

However, these user-specific variables do not always need to be kept in the GET request. Some APIs may also carry user-specific variables in the POST request. In some cases, the vulnerability API may be configured based on more than one control point.

A BOLA case in Topcoder

Depending on this situation, I will tell you about the vulnerability I found in Topcoder. This vulnerability will be about multiple checkpoints on an API. (This report was made public on hackerone: https://hackerone.com/reports/1073420)

When I started looking for a vulnerability on Topcoder, I first created an account on topcoder.com, while I was checking all HTTP requests via Burp, I noticed my forum user-id information during membership opening, I could also access this value in the source code of member page. Also when I entered the profile of any other user, I could see the forum user-id.

I couldn’t find much on the main site and started looking for sub-domains (I sent some reports but duplicate :/) I got the subdomains list and decided to analyze the Topcoder forum. (apps.topcoder.com/forums). It was using my account directly on the main site. So, my PII information on the main site was also valid for my forum account.

After browsing the forum for a while, I entered a thread and noticed the “Watch Thread” part. I opened the Intercept and started reviewing the requests.
An API from a different host was sending a POST request without an Authorization header. In this case, I decided to take a closer look at the API and some information in the POST data caught my attention. It was taking an ID information defined by the API (I guess) in the header of the request and my forum user-id in the data section. In the response section, I could see my email, name-surname and account_id that were not reflected in my Topcoder profile.

I immediately created another user and changed my Topcoder ID in the data section. However, nothing changed. The API was taking multiple values ​​and could be using all of them to control the user.
The ID reflected in the header of the request caught my attention, I changed the last digit with another letter and at the same time I replaced my Topcoder id with the victim’s Topcoder id and sent the request.

BINGO! I was able to access the target’s PII information. The API was trying to authenticate the target user using multiple checkpoints. However, this information was publicly displayed on Topcoder.com and the ID given by the API reflected sensitive data when changed to a random value.

Topcoder confirmed this vulnerability and rewarded me with $$$.

Resources:
https://blog.shiftleft.io/api-security-101-broken-object-level-authorization-fe8720c779ec

https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-object-level-authorization.md

Thanks!!

Twitter: https://twitter.com/canmustdie