Description
Horizontal Broken Object Level Authorization (BOLA), also known as Insecure Direct Object References (IDOR), is a security vulnerability that occurs when an application fails to properly enforce access controls, allowing users to access or modify resources belonging to other users with the same privilege level.
Remediation
To mitigate this vulnerability:
1. Implement proper authorization checks for every access to a resource.
2. Use indirect reference maps or strong, server-generated identifiers instead of direct object references.
3. Implement the principle of least privilege.
4. Use session-based authentication and authorization for all sensitive operations.
5. Regularly audit and test access control mechanisms.
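As an added illustration of remediation steps 1 and 2 (example code written for this page, not taken from any of the products listed below), the following Python models an invoice endpoint: a handler that trusts the caller's session but never checks ownership, the same handler with a per-object authorization check, and a per-session indirect reference map so clients never see raw database ids. The data store and user names are constructed sample values.

```python
import secrets

# Constructed sample store: invoice id -> owner and body.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "bob", "total": 75.5},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> dict:
    # session_user is authenticated, but ownership is never checked:
    # any logged-in user can read any invoice by guessing its id (horizontal BOLA).
    return INVOICES[invoice_id]


def can_access(session_user: str, invoice_id: int) -> bool:
    # Object-level check performed on every access, not only on listing.
    invoice = INVOICES.get(invoice_id)
    return invoice is not None and invoice["owner"] == session_user


def get_invoice_hardened(session_user: str, invoice_id: int) -> dict:
    if not can_access(session_user, invoice_id):
        # Same outcome for "missing" and "not yours" so the response does not
        # confirm which ids exist.
        raise Forbidden("invoice not accessible")
    return INVOICES[invoice_id]


class ReferenceMap:
    """Per-session indirect reference map: opaque handle -> real id.
    Only objects the session owner is entitled to get registered, so a handle
    can never resolve to another user's object."""

    def __init__(self) -> None:
        self._handles: dict[str, int] = {}

    def register(self, real_id: int) -> str:
        handle = secrets.token_urlsafe(16)  # unguessable, server-generated
        self._handles[handle] = real_id
        return handle

    def resolve(self, handle: str) -> int:
        if handle not in self._handles:
            raise Forbidden("unknown reference")
        return self._handles[handle]


def list_invoices(session_user: str, refmap: ReferenceMap) -> dict[str, dict]:
    # Listing registers only the caller's own invoices and returns handles, not ids.
    return {refmap.register(i): inv for i, inv in INVOICES.items() if inv["owner"] == session_user}
```

The reference map is a per-session object; in a real application it would live in server-side session state and be discarded when the session ends.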
References
Related Vulnerabilities
Vertical IDOR/BOLA (Broken Object Level Authorization)
ProjectSend Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2024-7658)
WordPress Plugin LearnDash LMS Insecure Direct Object Reference (4.6.0)
Vertical Broken Function Level Authorization (BFLA)
Magento Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2019-7925)