Broken Object Level Authorization
You can also use the Testing feature on Metlo to test for and catch Broken Object Level Authorization
(or BOLA for short) vulnerabilities.
1. Create Test
You can create a BOLA test from the JUICE_SHOP_BOLA
template which logs in with 2 different users, extracts their authentication tokens, and then checks if one user can access/update any other user’s data without proper authentication. Go to the Endpoints page in the Metlo Web App and search for this endpoint /rest/products/{param1}/reviews
for the PUT
method. Go to the Endpoint Overview page for that endpoint and click on the Tests
tab. Now, click Generate Test
and JUICE_SHOP_BOLA
on the drop-down menu. You should now see the test yaml which was generated from the templates you pushed earlier.
You can update some values in this yaml to make requests more specific to what you want to test. Replace the values of the USER_1_param_1
and USER_2_param_1
env variables to be 1
so that the requests are writing reviews for the product with ID of 1. Next, update the 3rd and 4th request in the yaml to have value user1@juice.shop
for the author field and the 5th request to have value user2@juice.shop
.
2. Run Test
Now, you can hit the Run
button to see if the tests pass. As you can see, the 4th and 5th requests failed. The 4th request failed because it successfully created a review with user2@juice.shop
as the author even though the request had USER_2
’s JWT. Similarly, the 5th request failed because it successfully created a review with user2@juice.shop
as the author when the request had USER_1
’s JWT. When you are done editing the test yaml, make sure to click on the Save
button to save your changes.
You can write similar kinds of BOLA tests for other endpoints as well using this template such as with the Forged Feedback
and Manipulate Basket
vulnerabilities.