BOLA

Broken-Object-Level-Authorization/BOLAAddCustomHeaderDELETE.yml

@@ -0,0 +1,132 @@
+id: BOLA_ADD_CUSTOM_HEADER_DELETE
+info:
+  name: "Exploiting BOLA by adding Custom Header for Unauthorized Access for DELETE method APIs"
+  description: > 
+    "In this exploitation scenario for DELETE method APIs, attackers target Broken Object Level Authorization (BOLA) by adding custom headers to their requests, attempting to gain unauthorized access. By manipulating request headers, adversaries seek to exploit weaknesses in authorization 
+    mechanisms, potentially bypassing security controls. This method underscores the need for thorough security assessments, emphasizing the importance of secure header handling and robust access controls to mitigate the risks associated with unauthorized access and BOLA vulnerabilities."
+  details: >
+    "Attackers exploit Broken Object Level Authorization (BOLA) by adding custom headers to their requests (having DELETE HTTP method), attempting unauthorized access. Manipulating headers aims to exploit vulnerabilities in the system's authorization mechanisms, highlighting the need for robust security assessments and secure header handling. Thorough security measures 
+    are essential to prevent unauthorized access, addressing the risks associated with BOLA vulnerabilities and custom header manipulation."
+  impact: >
+    "Exploiting Broken Object Level Authorization by adding custom headers can have a profound impact, potentially leading to unauthorized access and compromise of sensitive data. Successful manipulation may enable malicious actions within the system, emphasizing the critical need for stringent security measures, robust access controls, and secure handling of custom headers to prevent and mitigate the risks associated with Broken Object Level Authorization vulnerabilities."
+  category:
+    name: BOLA
+    shortName: BOLA
+    displayName: Broken Object Level Authorization (BOLA)
+  subCategory: BOLA_ADD_CUSTOM_HEADER_DELETE
+  severity: HIGH
+  tags: 
+    - Business logic
+    - OWASP top 10
+    - HackerOne top 10
+  references:
+    - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint"
+    - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola"
+    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md"
+    - "https://cwe.mitre.org/data/definitions/284.html"
+    - "https://cwe.mitre.org/data/definitions/285.html"
+    - "https://cwe.mitre.org/data/definitions/639.html"
+  cwe:
+    - CWE-284
+    - CWE-285
+    - CWE-639
+  cve:
+    - CVE-2022-34770
+inactive: true
+auth:
+  authenticated: true
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    eq: DELETE
+  response_payload:
+    length:
+      eq: 0
+    not_contains:
+      - Error
+      - Internal Server 
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts
+wordLists:
+  headerValues:
+    source: sample_data
+    key: 
+      regex: X-User-ID|Customer|Member|Client|Account|Subscriber|User-Hash
+    location: header
+    all_apis: true
+execute:
+  type: single
+  requests:
+  - req:
+    - add_header:
+         X-User-ID: "${headerValues}"
+    - add_header:
+         X-Customer-ID: "${headerValues}"
+    - add_header:
+         X-Member-ID: "${headerValues}"
+    - add_header:
+         X-Client-ID: "${headerValues}"
+    - add_header:
+         X-Account-ID: "${headerValues}"
+    - add_header:
+         X-Subscriber-ID: "${headerValues}"
+    - add_header:
+         X-User-Hash: "${headerValues}"
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  response_payload:
+    length:
+      eq: 0
+    not_contains:
+      - Error
+      - Internal Server 
+      - Fail
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts

Broken-Object-Level-Authorization/BOLAAddCustomHeaderIntegerIDDELETE.yml

@@ -0,0 +1,130 @@
+id: BOLA_ADD_CUSTOM_HEADER_INTEGER_ID_DELETE
+info:
+  name: "Exploiting BOLA by adding Custom Header with Integer IDs for Unauthorized Access for DELETE method APIs"
+  description: > 
+    "In this exploitation scenario for DELETE HTTP method APIs, attackers target Broken Object Level Authorization (BOLA) by adding custom headers with Integer IDs to their requests, attempting to gain unauthorized access. By manipulating request headers, adversaries seek to exploit weaknesses in authorization mechanisms, potentially bypassing security controls. This method underscore the need for thorough security assessments, emphasizing the importance of secure header handling and robust access controls to mitigate the risks associated with unauthorized access and BOLA vulnerabilities."
+  details: >
+    "Attackers exploit Broken Object Level Authorization (BOLA) by adding custom headers to their requests (having DELETE HTTP method), attempting unauthorized access. Manipulating headers aims to exploit vulnerabilities in the system's authorization mechanisms, highlighting the need for robust security assessments and secure header handling. Thorough security measures are essential to prevent unauthorized access, addressing the risks associated with BOLA vulnerabilities and custom header manipulation."
+  impact: >
+    "Exploiting Broken Object Level Authorization by adding custom headers can have a profound impact, potentially leading to unauthorized access and compromise of sensitive data. Successful manipulation may enable malicious actions within the system, emphasizing the critical need for stringent security measures, robust access controls, and secure handling of custom headers to prevent and mitigate the risks associated with Broken Object Level Authorization vulnerabilities."
+  category:
+    name: BOLA
+    shortName: BOLA
+    displayName: Broken Object Level Authorization (BOLA)
+  subCategory: BOLA_ADD_CUSTOM_HEADER_INTEGER_ID_DELETE
+  severity: HIGH
+  tags: 
+    - Business logic
+    - OWASP top 10
+    - HackerOne top 10
+  references:
+    - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint"
+    - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola"
+    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md"
+    - "https://cwe.mitre.org/data/definitions/284.html"
+    - "https://cwe.mitre.org/data/definitions/285.html"
+    - "https://cwe.mitre.org/data/definitions/639.html"
+  cwe:
+    - CWE-284
+    - CWE-285
+    - CWE-639
+  cve:
+    - CVE-2022-34770
+inactive: true
+auth:
+  authenticated: true
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    eq: DELETE
+  response_payload:
+    length:
+      eq: 0
+    not_contains:
+      - Error
+      - Internal Server 
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts
+wordLists:
+  headerValues:
+    - 1
+    - 2
+    - 3
+    - 4
+    - 5
+execute:
+  type: single
+  requests:
+  - req:
+    - add_header:
+         X-User-ID: "${headerValues}"
+    - add_header:
+         X-Customer-ID: "${headerValues}"
+    - add_header:
+         X-Member-ID: "${headerValues}"
+    - add_header:
+         X-Client-ID: "${headerValues}"
+    - add_header:
+         X-Account-ID: "${headerValues}"
+    - add_header:
+         X-Subscriber-ID: "${headerValues}"
+    - add_header:
+         X-User-Hash: "${headerValues}"
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  response_payload:
+    length:
+      eq: 0
+    not_contains:
+      - Error
+      - Internal Server 
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts

Broken-Object-Level-Authorization/BOLAAddCustomHeaderIntegerIDPATCH.yml

@@ -0,0 +1,132 @@
+id: BOLA_ADD_CUSTOM_HEADER_INTEGER_ID_PATCH
+info:
+  name: "Exploiting BOLA by adding Custom Header with Integer IDs for Unauthorized Access for PATCH/PUT method APIs"
+  description: > 
+    "In this exploitation scenario for PATCH/PUT HTTP method APIs, attackers target Broken Object Level Authorization (BOLA) by adding custom headers with Integer IDs to their requests, attempting to gain unauthorized access. By manipulating request headers, adversaries seek to exploit weaknesses in authorization mechanisms, potentially bypassing security controls. This method underscore the need for thorough security assessments, emphasizing the importance of secure header handling and robust access controls to mitigate the risks associated with unauthorized access and BOLA vulnerabilities."
+  details: >
+    "Attackers exploit Broken Object Level Authorization (BOLA) by adding custom headers to their requests (having PATCH/PUT HTTP methods), attempting unauthorized access. Manipulating headers aims to exploit vulnerabilities in the system's authorization mechanisms, highlighting the need for robust security assessments and secure header handling. Thorough security measures are essential to prevent unauthorized access, addressing the risks associated with BOLA vulnerabilities and custom header manipulation."
+  impact: >
+    "Exploiting Broken Object Level Authorization by adding custom headers can have a profound impact, potentially leading to unauthorized access and compromise of sensitive data. Successful manipulation may enable malicious actions within the system, emphasizing the critical need for stringent security measures, robust access controls, and secure handling of custom headers to prevent and mitigate the risks associated with Broken Object Level Authorization vulnerabilities."
+  category:
+    name: BOLA
+    shortName: BOLA
+    displayName: Broken Object Level Authorization (BOLA)
+  subCategory: BOLA_ADD_CUSTOM_HEADER_INTEGER_ID_PATCH
+  severity: HIGH
+  tags: 
+    - Business logic
+    - OWASP top 10
+    - HackerOne top 10
+  references:
+    - "https://www.akto.io/blog/bola-exploitation-using-unauthorized-uuid-on-api-endpoint"
+    - "https://www.akto.io/blog/what-is-broken-object-level-authorization-bola"
+    - "https://github.com/OWASP/API-Security/blob/master/editions/2023/en/0xa1-broken-object-level-authorization.md"
+    - "https://cwe.mitre.org/data/definitions/284.html"
+    - "https://cwe.mitre.org/data/definitions/285.html"
+    - "https://cwe.mitre.org/data/definitions/639.html"
+  cwe:
+    - CWE-284
+    - CWE-285
+    - CWE-639
+  cve:
+    - CVE-2022-34770
+inactive: true
+auth:
+  authenticated: true
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  method:
+    contains_either:
+      - PUT
+      - PATCH
+  response_payload:
+    length:
+      eq: 0
+    not_contains:
+      - Error
+      - Internal Server 
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts
+wordLists:
+  headerValues:
+    - 1
+    - 2
+    - 3
+    - 4
+    - 5
+execute:
+  type: single
+  requests:
+  - req:
+    - add_header:
+         X-User-ID: "${headerValues}"
+    - add_header:
+         X-Customer-ID: "${headerValues}"
+    - add_header:
+         X-Member-ID: "${headerValues}"
+    - add_header:
+         X-Client-ID: "${headerValues}"
+    - add_header:
+         X-Account-ID: "${headerValues}"
+    - add_header:
+         X-Subscriber-ID: "${headerValues}"
+    - add_header:
+         X-User-Hash: "${headerValues}"
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  response_payload:
+    length:
+      eq: 0
+    not_contains:
+      - Error
+      - Internal Server 
+      - Failed
+      - Unauthorized
+      - access denied
+      - Forbidden
+      - Method Not allowed
+      - Gateway timeout
+      - request timeout
+      - server error
+      - server busy
+      - authentication error
+      - authorization error
+      - validation error
+      - Permission Denied
+      - invalid token
+      - token expired
+      - session expired
+      - session timeout
+      - unexpected error
+      - unable to process request
+      - bad request
+      - service unavailable
+      - account is locked
+      - account is blocked
+      - multiple failed attempts