OWASP Top 10 API Security Risks – 2023: API1:2023 – Broken Object Level Authorisation

OWASP Top 10 API Security Risks – 2023: API1:2023 – Broken Object Level Authorisation

Application Programming Interfaces (APIs) have become integral to modern software development, enabling seamless communication between different systems and platforms. However, the growing reliance on APIs has amplified security challenges. Among these, the OWASP API Security Top 10 2023 highlights Broken Object Level Authorisation (API1:2023) as a critical vulnerability. For software developers and penetration testers, understanding and mitigating this risk is paramount.

This blog delves deep into the nuances of API1:2023, exploring its mechanics, implications, and strategies to prevent it. By addressing this vulnerability, developers and penetration testers can significantly enhance application security and safeguard sensitive data.

What is Broken Object Level Authorisation?

Broken Object Level Authorisation (BOLA) arises when APIs expose endpoints handling object identifiers without adequate access control measures. This vulnerability allows attackers to manipulate object IDs to gain unauthorised access to data.

For instance, consider an e-commerce application where users can access their order details using an API endpoint like:

GET /api/orders/{orderId}

If the application does not validate whether the requesting user owns the specified orderId, an attacker could exploit this to view or modify another user’s order data by simply guessing or enumerating order IDs.

Key Characteristics of BOLA:

1. Object Identifier Exposure: APIs handling sensitive data based on user-provided identifiers.
2. Lack of Access Control: Inadequate validation of user permissions for requested objects.
3. Exploitation Simplicity: Attackers require minimal effort, often relying on enumeration techniques.

Why Does BOLA Matter?

Impact on Businesses:

• Data Breaches: Unauthorised access to sensitive information can lead to significant financial and reputational damage.
• Regulatory Penalties: Breaches involving personal data often violate regulations like GDPR, resulting in hefty fines.
• Erosion of Trust: Customers expect robust security; any lapse can irreparably harm brand reputation.

Impact on Users:

• Privacy Violations: Exposure of personal data can lead to identity theft and other malicious activities.
• Financial Loss: Manipulation of financial data or transactions could result in monetary theft.

How Does BOLA Work?

Step-by-Step Exploitation:

1. Identify API Endpoints: Attackers enumerate API endpoints using tools like Postman, Burp Suite, or custom scripts.
2. Analyse Object Identifiers: Object IDs (e.g., user IDs, order IDs) are examined for predictability.
3. Manipulate Requests: Modified requests are sent with guessed or enumerated object IDs.
4. Access Unauthorised Data: If no authorisation checks exist, attackers retrieve or modify data.

API Attacks

What Are API Attacks?

API (Application Programming Interface) attacks exploit vulnerabilities in an API’s design, implementation, or management. APIs act as bridges, enabling applications to communicate with each other, often exposing sensitive data and services. This makes them attractive targets for attackers.

Why Are APIs Vulnerable?

1. Increased Exposure: APIs often expose business logic and sensitive data.
2. Rapid Development: Tight deadlines in API development can lead to overlooked security flaws.
3. Complex Architectures: APIs can interact with multiple systems, creating a broad attack surface.
4. Authentication and Authorisation Challenges: Weak implementation of security controls can lead to attacks like Broken Object Level Authorisation (BOLA).

Types of API Attacks

1. Broken Object Level Authorisation (BOLA)

APIs often fail to validate if a user has permission to access specific objects, allowing attackers to manipulate object identifiers to access data.

Example:

In the Snapchat API incident, attackers accessed user data by iterating object IDs due to insufficient authorisation checks.

2. Injection Attacks

Attackers inject malicious input (SQL, JSON, or XML) into APIs to manipulate the backend or extract data.

Example:

An attacker exploits a search API by injecting SQL commands, revealing sensitive customer information.

3. Rate Limiting Abuse

APIs without rate limits are prone to brute force attacks and scraping.

Example:

LinkedIn’s API was abused to scrape data from millions of profiles due to the lack of adequate rate limiting.

4. Cross-Site Scripting (XSS)

Malicious scripts are injected into APIs, often targeting APIs that serve content to web applications.

Example:

A poorly sanitised API endpoint allows attackers to inject XSS payloads, compromising users’ browsers.

5. Broken Authentication

Weak authentication mechanisms allow attackers to impersonate legitimate users.

Example:

Using stolen API keys, attackers gain access to sensitive endpoints, causing data breaches.

6. Mass Assignment

APIs expose internal attributes that attackers manipulate to change object properties.

Example:

An e-commerce API lets attackers change their user role to “admin” by sending unvalidated parameters.

7. Denial of Service (DoS) Attacks

Attackers overwhelm an API with excessive requests, causing it to crash or become unresponsive.

Example:

A payment gateway API becomes unavailable after a DoS attack disrupts its ability to process transactions.

8. Insufficient Logging and Monitoring

APIs that lack robust monitoring mechanisms fail to detect and respond to attacks promptly.

Example:

A BOLA attack goes unnoticed for weeks because API activity logs were not properly implemented.

9. Data Exposure Through Misconfigurations

Misconfigured APIs expose sensitive information unintentionally.

Example:

An open API endpoint reveals customer data because it was left unauthenticated during testing.

10. Lack of Security Standards in Third-Party APIs

Using third-party APIs without assessing their security introduces vulnerabilities.

Example:

A compromised third-party API used in a mobile app leaks user data, affecting the app’s reputation.

Real-World API Attacks

Facebook’s Graph API Breach (2018)

Attackers exploited a vulnerability in Facebook’s Graph API to gain access tokens, compromising 50 million accounts.

Cause:

Improper validation during token reuse.

Impact:

Widespread account takeovers and reputational damage.

Uber API Breach (2016)

Hackers accessed Uber’s API, stealing data of 57 million users and drivers.

Cause:

Hardcoded credentials in a public GitHub repository.

Impact:

Hefty fines and a loss of trust.

Panera Bread API Leak (2018)

An API vulnerability exposed customer names, emails, addresses, and birthdays.

Cause:

Poor endpoint security and lack of encryption.

Impact:

Data exposure affecting thousands of users.

How to Prevent API Attacks

1. Enforce Strong Authentication and Authorisation

• Use OAuth 2.0 for secure token-based authentication.
• Implement fine-grained authorisation checks for all endpoints.

2. Validate Input Rigorously

• Sanitise and validate all user inputs.
• Use libraries that guard against injection attacks.

3. Implement Rate Limiting

• Prevent abuse by setting thresholds for API requests.
• Use IP throttling to mitigate brute force attacks.

4. Employ Encryption

• Use TLS to encrypt data in transit.
• Avoid exposing sensitive data in API responses.

5. Use Security Headers

• Add headers like Content-Security-Policy and X-Frame-Options to harden API responses.

6. Monitor and Audit

• Implement real-time monitoring for anomalous behaviour.
• Maintain detailed activity logs for forensic analysis.

7. Secure Third-Party Integrations

• Assess third-party APIs for compliance with security standards.
• Regularly review API keys and access scopes.

8. Regular Penetration Testing

• Conduct API-specific penetration tests to uncover vulnerabilities.
• Use tools like OWASP ZAP, Burp Suite, and Postman for testing.

Emerging Trends in API Security

1. AI-Driven Threat Detection

AI and machine learning tools can identify unusual patterns in API traffic, helping detect and prevent attacks.

2. API Gateways and Security Brokers

Modern API gateways offer built-in security features like authentication, rate limiting, and threat detection.

3. Shift-Left Security

Embedding security testing into the development lifecycle helps catch vulnerabilities early.

4. Zero Trust Architectures

Adopting a zero-trust approach ensures every API request is thoroughly validated.

Real-World Example:

In 2022, a fintech application’s API allowed users to retrieve transaction details using endpoints like:

GET /api/transactions/{transactionId}

The absence of object-level authorisation checks enabled attackers to access other users’ transactions by manipulating the transactionId parameter.

Mitigating Broken Object Level Authorisation

1. Implement Robust Access Controls

Object-level authorisation checks must be enforced at every endpoint that accesses a data source using user-provided identifiers. This involves:

• Context-Based Validation: Ensure the requester has the appropriate permissions for the requested object.
• Least Privilege Principle: Grant minimal access necessary for performing tasks.

2. Use Secure Coding Practices

Developers should adhere to secure coding principles to minimise vulnerabilities:

• Validate user inputs rigorously.
• Avoid predictable or incremental identifiers.
• Use secure frameworks that enforce authorisation checks.

3. Employ API Gateways

API gateways can serve as a first line of defence:

• Authentication and Authorisation: Gateways can enforce token validation and role-based access controls.
• Rate Limiting: Thwart brute force attacks by limiting request rates.

4. Conduct Regular Security Testing

Security testing is crucial for identifying and mitigating vulnerabilities:

• Penetration Testing: Simulate real-world attacks to uncover flaws.
• Automated Scanning Tools: Tools like OWASP ZAP can help identify insecure endpoints.
• Code Reviews: Peer reviews can detect insecure coding practices.

Practical Tips for Developers

Validate Authorisation in Backend

Relying solely on client-side validation is insufficient. Backend systems must validate every request to ensure proper authorisation.

Implement Object Ownership Checks

For endpoints handling user-specific data, verify object ownership before processing requests.

Secure API Documentation

Publicly accessible API documentation can inadvertently expose sensitive details. Use authentication to restrict access to internal API docs.

Log and Monitor API Activity

Maintain comprehensive logs of API requests and monitor for anomalies, such as repeated access attempts to unauthorised objects.

Real-World Cyber Incidents Involving Broken Object Level Authorisation (BOLA)

1. Facebook User Data Leak (2019)

Overview:

In 2019, a vulnerability in Facebook’s APIs allowed attackers to scrape data from over 500 million user accounts. The attackers exploited a BOLA flaw by using user identifiers exposed in API endpoints to access profiles, including names, phone numbers, and email addresses.

Details:

• Attackers leveraged Facebook’s “Add Friend” API, which lacked sufficient authorisation checks for object access.
• They automated requests with different user IDs, extracting private information at scale.

Impact:

• Affected over 500 million users across 106 countries.
• Resulted in significant reputational damage to Facebook and regulatory scrutiny under GDPR.

Takeaway:

APIs should validate every user action against their authorisation scope, especially for data-rich services.

2. Uber Driver Data Exposure (2016)

Overview:

Uber suffered a BOLA-related incident where attackers gained unauthorised access to sensitive driver information, including trip records and earnings.

Details:

• Uber’s API allowed users to request data using driver IDs.
• Insufficient authorisation checks permitted attackers to iterate through IDs and access data for any driver.

Impact:

• Data of over 600,000 drivers exposed.
• Uber faced legal actions and had to compensate affected individuals.

Takeaway:

Using predictable or sequential identifiers increases the risk of exploitation. APIs should adopt UUIDs and enforce access control for every object.

3. T-Mobile API Flaw (2020)

Overview:

A vulnerability in T-Mobile’s API allowed attackers to exploit BOLA and access personal data, including account numbers, billing details, and contact information.

Details:

• The API exposed account IDs directly in the URL, which attackers could modify to access other users’ data.
• Lack of authorisation checks on object IDs resulted in unauthorised access.

Impact:

• Sensitive information of millions of customers was exposed.
• The incident intensified discussions about telecom security vulnerabilities.

Takeaway:

Secure API design must prevent unauthorised users from directly accessing internal identifiers.

4. Microsoft Power Apps Misconfiguration (2021)

Overview:

A large-scale misconfiguration in Microsoft Power Apps resulted in the exposure of sensitive data for over 38 million users, including vaccination records and personal information.

Details:

• The APIs for Power Apps services allowed public access to object-level data by default.
• Organisations using the platform failed to configure appropriate authorisation controls.

Impact:

• Data from multiple entities, including government agencies and private firms, was exposed.
• Highlighted risks in adopting low-code/no-code platforms without stringent security measures.

Takeaway:

APIs in pre-built platforms require rigorous configuration to prevent unauthorised object access.

5. India’s Aadhaar Breach (2018)

Overview:

A BOLA vulnerability in Aadhaar, India’s national identity system, exposed personal data of over 1.1 billion citizens. Attackers exploited insecure API endpoints to access demographic details and linked services.

Details:

• APIs exposed identifiers such as Aadhaar numbers without proper validation.
• Manipulation of these identifiers allowed attackers to access associated records.

Impact:

• Breach raised concerns about the security of critical infrastructure.
• Led to calls for stricter governance and technological upgrades for Aadhaar.

Takeaway:

Critical systems need multi-layered authorisation and stringent security checks, especially for APIs handling personal identifiers.

6. Shopify Vendor Data Breach (2020)

Overview:

Shopify experienced a breach where attackers exploited a BOLA vulnerability in its partner API to access unauthorised vendor information.

Details:

• Attackers bypassed object-level authorisation by iterating through vendor identifiers.
• Sensitive information, including vendor sales data, was compromised.

Impact:

• Affected hundreds of vendors relying on Shopify’s platform.
• Eroded trust between Shopify and its vendor ecosystem.

Takeaway:

Centralised access control mechanisms, such as API gateways, are critical for platforms with multiple stakeholders.

7. Twitter API Exploit (2022)

Overview:

A vulnerability in Twitter’s API led to the unauthorised exposure of account details for 5.4 million users.

Details:

• The flaw allowed attackers to enumerate account data by manipulating API parameters.
• Lack of proper authorisation checks on object-level requests enabled large-scale data scraping.

Impact:

• Data of prominent users and anonymous accounts leaked.
• Resulted in fines under data protection regulations and damaged Twitter’s reputation.

Takeaway:

APIs handling user-generated content must validate every request and monitor for unusual activity patterns.

8. Snapchat User Data Exposure (2014)

Overview:

Snapchat faced a BOLA attack that exposed usernames and phone numbers of 4.6 million users. Attackers exploited weak object-level authorisation checks in Snapchat’s “Find Friends” API.

Details:

• Attackers exploited sequential user identifiers in the API.
• By cycling through these identifiers, they extracted contact information en masse.

Impact:

• Major backlash from users and regulators.
• The incident highlighted the dangers of predictable identifiers and inadequate access controls.

Takeaway:

Implementing rate limiting, unpredictable identifiers, and thorough authorisation checks is critical for APIs managing user contact information.

9. Tesla API Misuse (2020)

Overview:

A BOLA vulnerability in Tesla’s API allowed unauthorised access to car telemetry and controls, such as unlocking vehicles remotely.

Details:

• Attackers intercepted API traffic and used exposed object IDs to manipulate other vehicles.
• Lack of user-specific validation allowed cross-account access to sensitive commands.

Impact:

• Raised concerns about the security of IoT devices and connected vehicles.
• Highlighted the need for secure object-level access management in automotive APIs.

Takeaway:

APIs controlling physical devices must implement robust authorisation frameworks to prevent misuse.

10. GitHub Repository Exposure (2019)

Overview:

A vulnerability in GitHub’s API exposed private repositories due to insufficient authorisation checks.

Details:

• Attackers used valid session tokens to enumerate repository IDs.
• Lack of object-level access controls allowed them to access repositories belonging to other users.

Impact:

• Sensitive codebases and intellectual property were exposed.
• The breach underscored the importance of securing development and collaboration platforms.

Takeaway:

APIs for collaborative tools should validate every access request to ensure only authorised users can access sensitive resources.

11. LinkedIn Data Scraping (2021)

Overview:

LinkedIn suffered a major incident where attackers used BOLA vulnerabilities to scrape data from 700 million user profiles.

Details:

• Attackers exploited APIs without adequate authorisation checks, targeting publicly accessible user profiles.
• This was combined with automated tools to extract massive amounts of data.

Impact:

• Users’ names, emails, phone numbers, and professional details were leaked.
• Led to increased scrutiny of how social platforms secure their APIs.

Takeaway:

APIs with public-facing endpoints should include comprehensive rate limiting and strict access policies to prevent misuse.

12. Venmo Transaction Data Leak (2018)

Overview:

Venmo, a mobile payment service, experienced a breach where attackers accessed transaction details using a BOLA vulnerability in its API.

Details:

• API endpoints lacked sufficient controls to verify that a user could only access their own transaction history.
• Attackers used this flaw to scrape transaction data for millions of users.

Impact:

• Exposed transaction metadata, including payer and payee details.
• Resulted in widespread privacy concerns and regulatory scrutiny.

Takeaway:

Payment systems must adopt zero-trust principles to ensure object-level controls are rigorously enforced.

13. Google+ API Incident (2018)

Overview:

A flaw in the Google+ API allowed third-party developers to access user profile data without proper authorisation.

Details:

• BOLA vulnerabilities in the API allowed unauthorised access to non-public profile fields.
• Google disclosed that nearly 500,000 users were affected before the service was ultimately shut down.

Impact:

• Amplified privacy concerns, contributing to Google+’s decline.
• Emphasised the importance of auditing APIs for legacy systems.

Takeaway:

Frequent API audits and sunset plans for outdated services are essential for mitigating risks.

14. Firebase Data Exposure (2020)

Overview:

Improperly configured Firebase databases exposed sensitive information of over 30,000 apps. Many incidents stemmed from BOLA issues in API endpoints.

Details:

• APIs for Firebase apps allowed unauthorised queries for objects using predictable IDs.
• Developers often overlooked object-level authorisation when integrating Firebase.

Impact:

• Exposed sensitive user data, including chat histories and payment details.
• Highlighted the risks of default settings in third-party platforms.

Takeaway:

Secure-by-default configurations and developer training are critical when using backend-as-a-service platforms.

15. Postmates Delivery Data Leak (2020)

Overview:

A BOLA vulnerability in Postmates’ API allowed attackers to access delivery information, including addresses and customer details.

Details:

• The API did not sufficiently validate requests for order and user details.
• Attackers enumerated order IDs to scrape delivery records.

Impact:

• Exposed sensitive data of customers, leading to privacy violations.
• Resulted in reputational damage and customer trust erosion.

Takeaway:

Delivery and logistics APIs must enforce stringent authorisation controls to protect customer data.

16. Marriott Hotel Chain Breach (2020)

Overview:

Attackers exploited API vulnerabilities, including BOLA issues, to access Marriott’s reservation system and customer details.

Details:

• The API allowed unauthorised access to reservation data by manipulating booking IDs.
• Attackers extracted guest details, including personal and payment information.

Impact:

• Exposed sensitive data of millions of guests.
• Resulted in hefty fines under GDPR and other regulatory frameworks.

Takeaway:

Hospitality APIs must combine encryption, access controls, and detailed logging to mitigate security risks.

Lessons Learned from These Incidents

1. Authorisation Must Be Object-Specific:
   
   General user authentication is insufficient. APIs must verify that users have explicit permission for each requested object.
   
2. Implement Strong Identifiers:
   
   Avoid sequential identifiers; use UUIDs or hashed identifiers to make object enumeration harder.
   
3. Adopt Defence-in-Depth Strategies:
   
   Layered security mechanisms, including API gateways, monitoring, and logging, can mitigate BOLA risks.
   
4. Perform Regular API Security Testing:
   
   Engage penetration testers to simulate attacks, identifying and addressing vulnerabilities before exploitation.
   

By studying these real-world cases, software developers and penetration testers can better anticipate risks and design APIs resilient to BOLA-related threats.

Insights for Penetration Testers

Identify Unsecured Endpoints

Leverage tools like:

• Burp Suite: For intercepting and modifying API requests.
• Postman: To systematically test endpoint behaviour.

Test for Enumeration Vulnerabilities

Assess whether object identifiers are predictable or easily enumerated. If so, attempt to retrieve unauthorised objects.

Exploit Testing

Simulate attacks by crafting requests with manipulated identifiers and observe system responses. Look for:

• Data Exposure: Unauthorised access to sensitive information.
• Error Messages: Descriptive errors can reveal implementation flaws.

Recommend Remediation

After identifying vulnerabilities, provide actionable recommendations to mitigate risks. This includes enforcing object-level authorisation and implementing secure coding practices.

Key Takeaways Across Incidents

1. APIs Are Prime Targets: APIs expose endpoints that, if misconfigured or inadequately secured, become entry points for attackers.
2. BOLA Is a Common Vulnerability: Object-level authorisation issues frequently appear across industries, from social networks to financial services.
3. Regular Testing and Monitoring: Penetration testing and runtime monitoring can detect BOLA flaws before attackers exploit them.
4. Adopt Least Privilege Principles: Ensure APIs restrict access to only those objects a user is explicitly authorised to access.
5. Developer Awareness: Secure coding practices and training are essential to prevent object-level access issues from the development phase.

By learning from these incidents, organisations can strengthen their API security strategies and reduce the likelihood of BOLA-related breaches.

Final Thoughts

The prevalence of APIs in modern applications necessitates a robust approach to security. Broken Object Level Authorisation (API1:2023) remains a critical concern, but with awareness and proactive measures, its risks can be effectively mitigated.

For software developers, the key lies in implementing rigorous access controls and adhering to secure coding practices. Penetration testers, on the other hand, play a vital role in identifying and addressing vulnerabilities before malicious actors can exploit them.

By understanding and addressing BOLA, organisations can not only safeguard sensitive data but also reinforce trust and compliance in an increasingly API-driven digital landscape. Vigilance and collaboration between developers and testers are crucial to staying ahead in the battle against evolving security threats.

Secure your APIs

Are your APIs secure against BOLA attacks? Collaborate with experienced penetration testers and adopt cutting-edge tools to fortify your APIs. Begin your journey towards robust API security today!

APIs are integral to modern software, but their widespread use comes with significant security challenges. Understanding the types of attacks and learning from real-world incidents is essential for software developers and penetration testers. By adhering to best practices such as strong authorisation, input validation, encryption, and regular testing, organisations can protect their APIs from evolving threats. The key to API security lies in a proactive, layered approach, ensuring APIs remain resilient against even the most sophisticated attacks.