abhinandanpandey-in/BOLA-API-Exploit-Lab
BOLA & IDOR: API Security Research Lab

🎯 Executive Summary

This laboratory explores Broken Object Level Authorization (BOLA), categorized as the #1 threat in the OWASP API Security Top 10. Unlike simple IDOR, this lab demonstrates how modern REST APIs can be vulnerable even when authentication is present, by trusting client-side JSON payloads to determine resource ownership.

🏗️ Technical Architecture

1. The Vulnerable API (bola_api.py)

The system features a profile update endpoint that verifies a user's session token but fails to perform an Object-Level Authorization check. It blindly accepts the user_id from the request body to perform database writes.

2. The Exploit Engine (bola_exploit.py)

The exploit script simulates a low-privilege "Guest" user. By manipulating the JSON payload, it attempts to modify the email address of the SuperAdmin (ID: 1), effectively achieving an Account Takeover (ATO).


🛡️ Remediation & Architectural Defense

The lab demonstrates a transition from vulnerable to secure architecture by implementing Server-Side Authorization Claims:

  1. Token-Based Truth: Instead of trusting the request body, the server extracts the actual_user_id from a secure, signed authorization token.
  2. Ownership Validation: A logic gate is implemented to ensure the actual_user_id from the token matches the target_id being modified.
  3. Security Monitoring: Logging of unauthorized cross-user access attempts (the [SECURITY ALERT] lines in the server log).

Secure Code Snippet:

if actual_user_id != target_id:
    # Reject request if the user does not own the resource
    return jsonify({"error": "Forbidden"}), 403
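The full pattern from the remediation steps above, as an added stand-alone example (not the lab's bola_api.py): the vulnerable handler trusts user_id from the JSON body, while the secure handler derives actual_user_id from an HMAC-signed bearer token and refuses mismatches. The token format, secret and user table are constructed for this example; the lab's real token scheme is not shown on this page.

```python
import hashlib
import hmac
import logging

SECRET = b"example-lab-secret"  # constructed for this example, not the lab's value


def issue_token(user_id):
    """Mint 'uid.hmac' so the server can trust uid without consulting the body."""
    sig = hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"


def user_from_header(headers):
    """Return the user id proven by a valid 'Bearer uid.hmac' token, or None."""
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    uid, _, sig = token.partition(".")
    expected = hmac.new(SECRET, uid.encode(), hashlib.sha256).hexdigest()
    if not uid.isdigit() or not hmac.compare_digest(sig, expected):
        return None
    return int(uid)


def vulnerable_update(db, headers, payload):
    """Authenticates the caller, then trusts payload['user_id']: the BOLA flaw."""
    if user_from_header(headers) is None:
        return 401, {"error": "Unauthorized"}
    target_id = payload["user_id"]  # attacker-controlled, never checked
    db[target_id]["email"] = payload["email"]
    return 200, {"updated": target_id}


def secure_update(db, headers, payload):
    """Same endpoint with the object-level authorization gate added."""
    actual_user_id = user_from_header(headers)
    if actual_user_id is None:
        return 401, {"error": "Unauthorized"}
    target_id = payload.get("user_id")
    if actual_user_id != target_id:  # token identity must own the target object
        logging.warning("[SECURITY ALERT] User %s tried to modify User %s!",
                        actual_user_id, target_id)
        return 403, {"error": "Forbidden"}
    db[target_id]["email"] = payload["email"]
    return 200, {"updated": target_id}


def demo():
    """Guest (id 3) targets the admin record (id 1) on both handlers; returns status codes."""
    db = {1: {"email": "admin@example.test"}, 3: {"email": "guest@example.test"}}
    guest = {"Authorization": "Bearer " + issue_token(3)}
    body = {"user_id": 1, "email": "attacker@example.test"}
    return vulnerable_update(db, guest, body)[0], secure_update(db, guest, body)[0]
```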

🚀 Proof of Concept (PoC)

Upon running the exploit against the remediated server, the attack is neutralized:

Server Log: [SECURITY ALERT] User 3 tried to modify User 1!

Client Response: 403 Forbidden

🛠️ Laboratory Execution Steps

Phase 1: Environment Setup

  1. Clone the repository:
   git clone https://github.com/abhinandanpandey-in/BOLA-API-Exploit-Lab.git
   cd BOLA-API-Exploit-Lab

  2. Initialize a virtual environment and install dependencies:
   python -m venv venv
   source venv/bin/activate  # On Windows: .\venv\Scripts\activate
   pip install flask requests

Phase 2: Simulating the Vulnerability

  1. Start the API Server:
   python bola_api.py
  2. Execute the BOLA Exploit: In a separate terminal, run:
   python bola_exploit.py
  3. Observe the Breach: The exploit script will attempt to modify the email of User ID 1 (Admin) while authenticated only as User ID 3 (Guest).

Phase 3: Verifying the Architectural Defense

  1. Analyze the Security Logic: Review the secure_update() function in bola_api.py. The server now extracts the actual_user_id from the Authorization header and compares it against the user_id in the JSON payload.

  2. Observe the Blocked Attack: When the exploit is run against the remediated code, the server console will trigger: [SECURITY ALERT] User 3 tried to modify User 1

  3. HTTP Response: The attacker receives a 403 Forbidden status code, confirming that the Object-Level Authorization check is functional.

About

Advanced security research lab on BOLA (CWE-285) and IDOR in RESTful architectures. Features a Flask-based API gateway and a Python-engineered exploit engine demonstrating Account Takeover (ATO) via JSON payload manipulation. Includes enterprise remediation strategies using cryptographically signed session claims and server-side authorization.
