Virtualization Technology News and Information
VMblog Expert Interview: Putting a BOLO on BOLA: The Ongoing Need for Dynamic API Security Testing


In this VMblog expert Q&A, we spoke with Scott Gerlach, co-founder and Chief Security Officer (CSO) of StackHawk. Today, we dive into the world of application security vulnerabilities, specifically exploring the concept of BOLA vulnerabilities, and shedding light on Software Composition Analysis (SCA) and Static Application Security Testing (SAST). With Scott's extensive experience in the field, we aim to understand the intricacies of these things and gain new insights and discover new perspectives from an industry-leading expert.

VMblog:  What are the shortcomings of SCA and SAST?

Scott Gerlach:  Software composition analysis (SCA) and static application security testing (SAST) offer multiple benefits, but there are a few drawbacks that come with them that make these approaches less appealing, including insecure direct object references (IDOR), broken function level authorization and broken object level authorization (BOLA). The latter of these is particularly dangerous when it comes to APIs, as it introduces opportunities to wreak significant havoc, like remote car function takeovers using just the VIN number.

VMblog:  What is BOLA?

Gerlach:  BOLA is kind of a hard thing to understand, but a simple way to think about it is, can customer A access the assets of customer B. In the software development world, this is also known as tenancy filtering.

VMblog:  What are the potential risks associated with a BOLA vulnerability?

Gerlach:  Malicious actors exploit a BOLA vulnerability by manipulating object identifiers, parameters, or references associated with objects. If they're successful, they can gain access to sensitive user data, modify or delete critical resources, impersonate other users, and make all sorts of unauthorized actions.

VMblog:  Are there any real-world examples of this?

Gerlach:  There was a large-scale BOLA discovery earlier this year in remote car access APIs. Web Application Security Researcher, Sam Curry and his team found a lot of problems with those APIs including account takeover, null character, filtering issues, and a ton of back-end systems that were accessible.

A particularly severe issue they found was that they could gain access to a user's account and take control of their vehicle by only knowing the VIN number-a piece of information that is fairly public and accessible.

VMblog:  How do APIs become vulnerable to BOLA? Where can this start showing up in the API code?

Gerlach:  While SAST can identify areas in the code with the potential for SQL injections, it cannot identify or verify the connection between the user and the data. The lack of ability to identify and verify connections opens the door for BOLAs to creep into the code.

VMblog:  What can developers do if they find a BOLA in an API's code?

Gerlach:  Go beyond just resolving it: add testing to make sure it doesn't get reintroduced into the API in the future. This is better achieved with the security team and the developer team working together in tandem.

VMblog:  How can solutions like dynamic application security testing (DAST) help prevent BOLA issues from emerging?

Gerlach:  DAST can test dynamically, as its name suggests, enabling developers to be more fluid and flexible with their testing strategies. This can help development teams continually identify potential BOLA risks

VMblog:  What resources or references do you recommend for learning more about BOLA?

Gerlach:  The OWASP API Top 10, OWASP Web Security Testing Cheat Sheet, SANS Institute, SheHacksPurple, and security-focused conferences like BlackHat.

VMblog:  What does the future of API and application security testing look like?

Gerlach:  The future is flexible. Developers need to be able to address security concerns as they arise, regardless of where in the development cycle they are. Flexibility helps a great deal here, so they can be more agile in responding to issues and help resolve them in a timely manner.


Published Friday, May 19, 2023 11:47 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<May 2023>