Rethinking Broken Object Level Authorization Attacks Under Zero Trust Principle
Anbin Wu (1), Zhiyong Feng (1), Ruitao Feng (2), Zhenchang Xing (3), Yang Liu (4) ((1) College of Intelligence and Computing, Tianjin University, (2) Southern Cross University, (3) CSIRO's Data61, (4) School of Computer Science and Engineering, Nanyang Technological University)

TL;DR
This paper introduces BOLAZ, a zero trust-based framework that analyzes data flow in RESTful APIs to detect and prevent Broken Object Level Authorization attacks, improving security by identifying vulnerabilities and establishing authorization boundaries.
Contribution
BOLAZ is the first authorization-guided defense method that adapts rules based on system authorization logic, using static taint tracking to improve BOLA attack detection.
Findings
Effectively defends against BOLA vulnerabilities in 10 GitHub projects.
Discovered 35 new BOLA vulnerabilities in real-world applications.
Demonstrates practical applicability and effectiveness of BOLAZ.
Abstract
RESTful APIs facilitate data exchange between applications, but they also expose sensitive resources to potential exploitation. Broken Object Level Authorization (BOLA), the top vulnerability in the OWASP API Security Top 10, exemplifies a critical access control flaw in which attackers manipulate API parameters to gain unauthorized access. To address this, we propose BOLAZ, a defense framework grounded in zero trust principles. BOLAZ analyzes the data flow of resource IDs, pinpointing BOLA attack injection points and determining the associated authorization intervals to prevent horizontal privilege escalation. Our approach leverages static taint tracking to categorize APIs into producers and consumers based on how they handle resource IDs. By mapping the propagation paths of resource IDs, BOLAZ captures the context in which these IDs are produced and consumed, allowing for precise…
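As an added illustration of the producer/consumer view described in the abstract (this is not code from the paper or from BOLAZ), the following Python models a producer API that hands a caller its resource IDs and records them as that caller's authorization interval, and a consumer API shown both with the BOLA flaw and with an interval check at the injection point. The in-memory store, the users, and the way the interval is modeled as "IDs a producer handed to this caller" are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Store:
    """Constructed in-memory backing store for the example."""
    orders: Dict[int, dict]
    # Authorization interval per caller: the resource IDs a producer API
    # has handed to that caller. Assumption: this is how the example
    # models the abstract's "authorization interval"; it is not BOLAZ's.
    issued: Dict[str, Set[int]] = field(default_factory=dict)


def make_store() -> Store:
    """Constructed sample data: two orders owned by two different users."""
    return Store(orders={1: {"owner": "alice", "item": "book"},
                         2: {"owner": "bob", "item": "laptop"}})


def list_orders(store: Store, caller: str):
    """Producer API: returns the IDs the caller owns and records them as
    the caller's authorization interval."""
    ids = {oid for oid, o in store.orders.items() if o["owner"] == caller}
    store.issued.setdefault(caller, set()).update(ids)
    return sorted(ids)


def get_order_vulnerable(store: Store, caller: str, order_id: int):
    """Consumer API with the BOLA flaw: the client-supplied ID is the
    injection point and is looked up without any ownership check."""
    return store.orders.get(order_id)


def is_authorized(store: Store, caller: str, order_id: int) -> bool:
    """Zero-trust check at the injection point: accept the ID only if it
    lies inside the interval a producer established for this caller."""
    return order_id in store.issued.get(caller, set())


def get_order_guarded(store: Store, caller: str, order_id: int):
    """Consumer API hardened with the interval check; the caller's
    identity comes from the session, never from the request parameters."""
    if not is_authorized(store, caller, order_id):
        raise PermissionError(f"{caller} may not access order {order_id}")
    return store.orders[order_id]
```

Running `list_orders` for a caller before the guarded consumer is the producer step that establishes the interval; without it every ID is rejected, which is the fail-closed default the zero trust stance calls for.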
