BOLA is Super-Contagious

Given the choice of having IDOR or BOLA, which do you think is preferred? The correlation of Ebola Virus Disease aside, it should be noted that both IDOR and BOLA are one in the same. IDOR (Insecure Direct Object Reference) and BOLA (Broken Object Level Authorization) are abbreviations reserved for manipulating object ID’s via API’s in web applications.

But what does that really mean? Without getting overwhelmed with the details, an attacker can use legitimate access to an API to run queries and expose object ID’s and associated data that is using a predictable identifier. These types of techniques have been used in several different attacks over the years, and now BOLA finds itself at the top of the OWASP top Ten and it is being used to exploit web applications reapetedly.

Why does this matter right now? The level of complexity to find a BOLA is relatively low, and so the fact that it prevalent through applications means that there is some money to be made in finding and fixing this vulnerability. Those new to cybersecurity could use this opportunity to take advantage of low-hanging fruit, while earning experience and money hunting down these threats in the form of bug bounties and responsible disclosure.

Leave a Reply

%d bloggers like this: