# Broken object level authorization (BOLA)

A BOLA vulnerability exists when an application lets an attacker access a resource that they are not authorized (allowed) to view. It is also known as Insecure Direct Object Reference (IDOR).

I will use crAPI to demonstrate this vulnerability; you can download and install it from this link:

{% embed url="https://github.com/OWASP/crAPI" %}

Start by testing the refresh-location functionality, which retrieves the vehicle's location.

<figure><img src="/files/PRuozkfprLzgJnGSdxKg" alt=""><figcaption><p>figure 1 : testing refresh function</p></figcaption></figure>

Reviewing the GET request in Burp Suite, we notice that the application sends a GET request to the API endpoint /identity/api/v2/vehicle/<mark style="color:red;">e32bd7d4-8354-4861-8d02-c5bb9aec0072</mark>/location, passing it the vehicle ID, and that the application responds with the vehicle's latitude and longitude.

<figure><img src="/files/swETcyemuthAlMypD837" alt=""><figcaption><p>figure 2 : application request to API</p></figcaption></figure>

So it is worth sending the same request with another user's vehicle ID to see whether the application responds with the location of that user's car or with a not-authorized error.

After a little investigation you will find that the community section sends a GET request to the endpoint /community/api/v2/community/posts/recent, and that the endpoint responds with not only the users' posts but also their vehicle IDs.

<figure><img src="/files/lHfV64DrRjTGtVIvyLDz" alt=""><figcaption><p>figure 3: the community section</p></figcaption></figure>

Reviewing the GET request:

<figure><img src="/files/tARZHquJ9NBvuwbgv9GW" alt=""><figcaption><p>figure 4: application request to API</p></figcaption></figure>

So we now have the vehicle ID of a different user. Let's send it to /identity/api/v2/vehicle/<mark style="color:red;">CAR-ID</mark>/location to see whether the car information is returned even though we are not authorized to view it.

<figure><img src="/files/8vY2vbPaSd1Bd2Jr0Ke1" alt=""><figcaption><p>figure 5: application BOLA vulnerability</p></figcaption></figure>

Reviewing the application response shows that it returned the location of user robot's car, even though I am not authorized to see it because I am logged in as user mohab.

#### Conclusion

In a BOLA vulnerability, an API returns data for an object referenced by the client (here, the vehicle ID in the URL) without checking whether the requesting user is authorized to access that object.
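To make the missing check concrete, here is an added example that is not crAPI's own code: a minimal model of the vehicle-location handler in its vulnerable form and with the object-level ownership check added. The vehicle IDs, owners and coordinates are constructed sample data, and the handler returns a status code and body instead of an HTTP response.

```python
# Added example (not crAPI's code): vulnerable and fixed versions of a
# "get vehicle location" handler. Authentication has already happened;
# current_user is the identity from the session or token.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Vehicle:
    vehicle_id: str
    owner: str
    latitude: float
    longitude: float

# Constructed data store: two users with one vehicle each.
# The IDs are placeholders, not values from the crAPI instance.
MOHAB_CAR = "00000000-0000-0000-0000-000000000001"
ROBOT_CAR = "00000000-0000-0000-0000-000000000002"
VEHICLES = {
    MOHAB_CAR: Vehicle(MOHAB_CAR, "mohab", 30.04, 31.24),
    ROBOT_CAR: Vehicle(ROBOT_CAR, "robot", 40.71, -74.01),
}

def location_vulnerable(current_user: str, vehicle_id: str) -> Tuple[int, Optional[dict]]:
    """BOLA: trusts the vehicle_id taken from the URL and never asks who
    owns it. The user is authenticated, but authorization is skipped."""
    v = VEHICLES.get(vehicle_id)
    if v is None:
        return 404, None
    return 200, {"latitude": v.latitude, "longitude": v.longitude}

def location_fixed(current_user: str, vehicle_id: str) -> Tuple[int, Optional[dict]]:
    """Object-level check: the vehicle must belong to the requesting user.
    A missing vehicle and another user's vehicle both get 404, so the
    endpoint does not confirm which foreign IDs exist."""
    v = VEHICLES.get(vehicle_id)
    if v is None or v.owner != current_user:
        return 404, None
    return 200, {"latitude": v.latitude, "longitude": v.longitude}

if __name__ == "__main__":
    # mohab asks for robot's car: the vulnerable handler leaks it,
    # the fixed handler refuses.
    print(location_vulnerable("mohab", ROBOT_CAR))  # (200, {...})
    print(location_fixed("mohab", ROBOT_CAR))       # (404, None)
    print(location_fixed("robot", ROBOT_CAR))       # (200, {...})
```

Returning 403 instead of 404 is also acceptable; the important part is that the ownership comparison happens on every object lookup, not only on the list endpoint.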

