tests-library/Broken-Object-Level-Authorization/BOLAwithFiles.yaml at 8a1398004b3f6a3e2516b84d0ff525fb3d26b64a · akto-api-security/tests-library · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
id: BOLA_FILE_ACCESS
info:
  name: "BOLA by Accessing Files of other Users"
  description: >
    "This specific test of Broken object level authorization occurs when a user gains unauthorized  access to files belonging to other users within a system. This security vulnerability allows  an attacker to exploit weaknesses in the object-level permissions, bypassing proper access  controls. By doing so, the attacker can compromise the confidentiality and integrity of  sensitive information stored in files, potentially leading to unauthorized data disclosure  or manipulation."
  details: >
    "This type of Broken object level authorization refers to a security flaw where an attacker  gains unauthorized access to files belonging to different users within a system. This  typically happens when object-level permissions are inadequately enforced, allowing an  attacker to bypass access controls and access files they shouldn't. Exploiting this  vulnerability can result in unauthorized data access, potentially compromising sensitive  information and violating data confidentiality and integrity."
  impact: >
    "The impact of broken object level authorization can be severe, leading to unauthorized  access and exposure of sensitive information stored in files. Attackers exploiting this  vulnerability can compromise data confidentiality, potentially leading to privacy breaches  and unauthorized disclosure of personal or confidential data. Additionally, the integrity  of the data may be at risk, as attackers could manipulate or corrupt files, posing a threat  to the overall reliability and trustworthiness of the affected system."
  category:
    name: BOLA
    shortName: BOLA
    displayName: Broken Object Level Authorization (BOLA)
  subCategory: BOLA_FILE_ACCESS
  severity: HIGH
  tags:
    - Business logic
    - OWASP top 10
    - HackerOne top 10
  references:
    - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint"
    - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola"
    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md"
    - "https://cwe.mitre.org/data/definitions/284.html"
    - "https://cwe.mitre.org/data/definitions/285.html"
    - "https://cwe.mitre.org/data/definitions/639.html"
  cwe:
    - CWE-284
    - CWE-285
    - CWE-639
  cve:
    - CVE-2023-39349
attributes:
  nature: INTRUSIVE
  plan: PRO
  duration: FAST

inactive: true
auth:
  authenticated: true
api_selection_filters:
  response_code:
    gte: 200
    lt: 300
  method:
    neq: "OPTIONS"
  response_payload:
    length:
      gt: 0
    not_contains:
      - Error
      - Internal Server
      - Failed
      - Unauthorized
      - access denied
      - Forbidden
      - Method Not allowed
      - Gateway timeout
      - request timeout
      - server error
      - server busy
      - authentication error
      - authorization error
      - validation error
      - Permission Denied
      - invalid token
      - token expired
      - session expired
      - session timeout
      - unexpected error
      - unable to process request
      - bad request
      - service unavailable
      - account is locked
      - account is blocked
      - multiple failed attempts
  or:
    - request_payload:
        for_one:
          key:
            regex: file|document|attachment|saveAsName|File|Document|Attachment|path
            extract: userKey
    - query_param:
        for_one:
          key:
            regex: file|document|attachment|saveAsName|File|Document|Attachment|path
            extract: userKey
wordLists:
  random_ids:
    source: sample_data
    key:
      regex: file|document|attachment|saveAsName|File|Document|Attachment|path
    all_apis: true
execute:
  type: single
  requests:
    - req:
        - modify_body_param:
            userKey: ${random_ids}
        - modify_query_param:
            userKey: ${random_ids}
validate:
  response_code:
    gte: 200
    lt: 300
  response_payload:
    length:
      gt: 0
    percentage_match:
      lt: 10
    percentage_match_schema:
      gte: 90
    not_contains:
      - Error
      - Internal Server
      - Failed
      - Unauthorized
      - access denied
      - Forbidden
      - Method Not allowed
      - Gateway timeout
      - request timeout
      - server error
      - server busy
      - authentication error
      - authorization error
      - validation error
      - Permission Denied
      - invalid token
      - token expired
      - session expired
      - session timeout
      - unexpected error
      - unable to process request
      - bad request
      - service unavailable
      - account is locked
      - account is blocked
      - multiple failed attempts