Abhinav Singwal

API Hacking: What is BOLA/IDOR?

Today I want to talk about one of the most common API vulnerabilities, the one that sits at the top of the OWASP API Security Top 10.

It's called BOLA (Broken Object Level Authorization).

You might also know it as IDOR (Insecure Direct Object Reference).

Don't let the fancy names scare you. It's actually very simple.

Let me explain.


The Problem

Imagine you live in an apartment building.

Each apartment has a number: 101, 102, 103...

Now imagine the building has no locks. Anyone can walk into any apartment.

That's BOLA.

The API says "here is apartment number 103" but never checks if you live there.


A Real API Example

Let's say you log into a shopping website.

You want to see your order number 1001.

The app sends this request:

GET /api/orders/1001

And you see your order. Great.

Now what happens if you change the number?

GET /api/orders/1002

If you see someone else's order, that is BOLA.

The API trusted you just because you asked. It never checked if the order belongs to you.


Why Does This Happen?

Developers forget to add a simple check, or they add it in the wrong place.

They should ask: "Does user 123 own order 1002?"

But often they only ask: "Is user 123 logged in?" or "Is user 123 allowed to call GET /api/orders/{id} at all?"

Being logged in is not enough, and a role check on the route is not enough either. You also need permission to see that specific object, so the check has to involve both the user and the object ID.


How Hackers Find BOLA

It is very simple. You just change numbers or IDs in the request.

Look for these places:

  • GET /api/user/123 -> try 124, 125, 126
  • POST /api/invoice with {"invoice_id": 456} in body -> try 457
  • DELETE /api/post/789 -> try 788, 787
  • /api/download?file=report_1.pdf -> try report_2.pdf

UUIDs do not fix this either. You will not guess a valid one by flipping a character (there are far too many possible values), but the application usually hands them out somewhere: in list responses, shared links, export files, or another user's public profile.

/api/user/550e8400-e29b-41d4-a716-446655440000

Take a UUID that belongs to someone else from wherever it appears, substitute it into the request, and see if the API answers.


Quick Test Method (2 Accounts)

This is how I test for BOLA:

Step 1: Create two accounts (Account A and Account B)
Step 2: Login as Account A, find an order ID or user ID
Step 3: Copy the request
Step 4: Login as Account B
Step 5: Paste the request and change the ID to Account A's ID

If you see Account A's data while logged in as Account B, you found BOLA. Check the response body, not just the status code: a 200 with an empty or generic object is not a leak. Then repeat the test with the write requests (PUT, PATCH, DELETE) for the same object. Changing or deleting A's data as B is BOLA too, and usually worse.


How to Protect Your API (For Developers)

If you build APIs, remember this rule:

Never trust the user. Always check permission.

Every time someone asks for an object, ask two questions:

  1. Is the user logged in?
  2. Does this user own the object, or was this user explicitly granted access to it?

The safest place for question 2 is the data lookup itself: fetch the order by its ID and its owner in one query, so a row that belongs to someone else simply never comes back. Return the same 404 for "not yours" as for "does not exist", so the response does not confirm that the object is there.

Random UUIDs instead of numbers like 123 make IDs harder to guess, but they are not authorization. Attackers get UUIDs from other responses and links. Even then, still check permissions.
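Here is how the two-account test and the fix look side by side in code. This is an added example written for this article, not code from the original post: a tiny order-lookup "API" in Python over an in-memory SQLite table, one handler with the BOLA bug and one with the ownership check built into the query, plus the two-account method from the section above run against both. The table layout, the endpoint and handler names, and the two sample orders are all assumptions made up for the example.

```python
# Added example, not code from the original post. Table layout, handler
# names and sample rows are assumptions made up for this demonstration.
import sqlite3

# Constructed sample data: two customers with one order each.
_db = sqlite3.connect(":memory:")
_db.execute(
    "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, total_cents INTEGER)"
)
_db.executemany(
    "INSERT INTO orders VALUES (?, ?, ?)",
    [(1001, 1, 4999), (1002, 2, 12000)],
)

ACCOUNT_A = 1  # user id behind "Account A" in the post
ACCOUNT_B = 2  # user id behind "Account B"


def list_my_orders(session_user_id):
    """GET /api/orders (assumed endpoint): the IDs the caller owns.
    This is where Step 2 of the test gets Account A's order ID."""
    if session_user_id is None:
        return 401, None
    rows = _db.execute(
        "SELECT id FROM orders WHERE owner_id = ?", (session_user_id,)
    ).fetchall()
    return 200, [r[0] for r in rows]


def get_order_vulnerable(session_user_id, order_id):
    """GET /api/orders/{id} with the BOLA bug: answers 'logged in?' but
    never 'does this user own the order?'. session_user_id plays no part
    in the lookup, so any authenticated user can read any order."""
    if session_user_id is None:
        return 401, None
    row = _db.execute(
        "SELECT id, owner_id, total_cents FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    if row is None:
        return 404, None
    return 200, {"id": row[0], "owner_id": row[1], "total_cents": row[2]}


def get_order_fixed(session_user_id, order_id):
    """Same endpoint with ownership built into the query. A row that is
    not the caller's never comes back, and a foreign ID gets the same 404
    as a non-existent one, so the response does not confirm it exists."""
    if session_user_id is None:
        return 401, None
    row = _db.execute(
        "SELECT id, owner_id, total_cents FROM orders WHERE id = ? AND owner_id = ?",
        (order_id, session_user_id),
    ).fetchone()
    if row is None:
        return 404, None
    return 200, {"id": row[0], "owner_id": row[1], "total_cents": row[2]}


def two_account_test(handler, user_a, user_b):
    """The post's 2-account method, automated against one handler.
    Steps 2-3: as A, discover A's order IDs and fetch each one.
    Steps 4-5: replay the same request as B with A's ID.
    Returns the IDs whose full body B could read. Empty list = no BOLA."""
    leaked = []
    status, a_ids = list_my_orders(user_a)
    assert status == 200 and a_ids, "Account A needs at least one order"
    for oid in a_ids:
        status_a, body_a = handler(user_a, oid)
        assert status_a == 200, "A must be able to read its own order"
        status_b, body_b = handler(user_b, oid)
        # Compare bodies, not just status: a 200 carrying different data
        # is not a leak of A's object.
        if status_b == 200 and body_b == body_a:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", two_account_test(get_order_vulnerable, ACCOUNT_A, ACCOUNT_B))
    print("fixed handler leaks:     ", two_account_test(get_order_fixed, ACCOUNT_A, ACCOUNT_B))
```

On a real engagement `handler` would be an HTTP call made with Account B's session cookie or token, but the logic is the same: discover an ID as A, replay as B, and compare the bodies. Note that the fixed handler deliberately returns 404 rather than 403 for someone else's order, so a tester (or attacker) cannot use the status code to confirm which IDs exist.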

Found this helpful? Leave a like and follow for more API hacking posts.

Questions? Drop a comment below.
