Description
Vertical Broken Object Level Authorization (BOLA), also known as Vertical Insecure Direct Object References (IDOR), occurs when an application fails to verify that a user has the appropriate privilege level to access or modify a resource. Unlike horizontal BOLA, where users access resources of peers at the same privilege level, vertical BOLA allows lower-privileged users (such as regular users) to access or manipulate resources that should only be available to higher-privileged users (such as administrators). This vulnerability typically arises when applications rely solely on user-supplied input (such as object IDs) without validating the user's authorization level for that specific resource.
Remediation
Implement comprehensive authorization controls to prevent vertical privilege escalation:
1. Enforce Role-Based Access Control (RBAC):
Verify both authentication and authorization for every resource access. Check that the authenticated user's role has permission to access the requested resource.
// Example: Node.js/Express middleware
function checkAdminAccess(req, res, next) {
  const user = req.user;            // set by the authentication middleware
  const resourceId = req.params.id;
  // Vertical check: verify the user's role before touching the resource
  if (user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden: Admin access required' });
  }
  // Additional check: verify the resource exists and this user may access it
  // (getResourceById and canUserAccessResource are application-specific helpers)
  const resource = getResourceById(resourceId);
  if (!resource || !canUserAccessResource(user, resource)) {
    return res.status(403).json({ error: 'Access denied' });
  }
  next();
}
2. Implement Attribute-Based Access Control (ABAC):
For complex scenarios, validate access based on user attributes, resource properties, and environmental conditions rather than just user roles.
3. Use Indirect Object References:
Replace direct database IDs with session-specific indirect references or UUIDs that are mapped server-side to actual resources based on user privileges.
4. Apply Defense in Depth:
- Validate authorization at multiple layers (API gateway, application logic, and data access layer)
- Use allowlists to explicitly define which roles can access specific resources
- Implement audit logging for all privileged operations
- Deny access by default and explicitly grant permissions only when required
5. Regular Security Testing:
Conduct penetration testing and automated security scans specifically targeting authorization logic. Test with users of different privilege levels to ensure proper access controls are enforced.
Related Vulnerabilities
Moodle Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2025-3636)
Liferay DXP Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2025-62241)
WordPress Plugin WP Private Message Insecure Direct Object Reference (1.0.5)
Craft CMS Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2026-28696)
Moodle Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2025-3640)