Metlo Juice Shop
Broken Object Level Authorization

You can also use the Testing feature on Metlo to test for and catch Broken Object Level Authorization (or BOLA for short) vulnerabilities.

1. Create Test

You can create a BOLA test from the JUICE_SHOP_BOLA template which logs in with 2 different users, extracts their authentication tokens, and then checks if one user can access/update any other user’s data without proper authentication. Go to the Endpoints page in the Metlo Web App and search for this endpoint /rest/products/{param1}/reviews for the PUT method. Go to the Endpoint Overview page for that endpoint and click on the Tests tab. Now, click Generate Test and JUICE_SHOP_BOLA on the drop-down menu. You should now see the test yaml which was generated from the templates you pushed earlier.

You can update some values in this yaml to make requests more specific to what you want to test. Replace the values of the USER_1_param_1 and USER_2_param_1 env variables to be 1 so that the requests are writing reviews for the product with ID of 1. Next, update the 3rd and 4th request in the yaml to have value user1@juice.shop for the author field and the 5th request to have value user2@juice.shop.

2. Run Test

Now, you can hit the Run button to see if the tests pass. As you can see, the 4th and 5th requests failed. The 4th request failed because it successfully created a review with user2@juice.shop as the author even though the request had USER_2’s JWT. Similarly, the 5th request failed because it successfully created a review with user2@juice.shop as the author when the request had USER_1’s JWT. When you are done editing the test yaml, make sure to click on the Save button to save your changes.

You can write similar kinds of BOLA tests for other endpoints as well using this template such as with the Forged Feedback and Manipulate Basket vulnerabilities.

3680