Horizontal IDOR/BOLA (Broken Object Level Authorization)
Description
Horizontal Broken Object Level Authorization (BOLA), also known as Insecure Direct Object Reference (IDOR), occurs when an application accepts an object identifier from the client and returns or modifies that object without verifying that the authenticated user is entitled to it. Unlike vertical privilege escalation, where an attacker gains permissions of a higher-privileged role, horizontal BOLA lets a user reach data belonging to other users at the same privilege level, typically by changing an identifier in a URL, path parameter, query string or request body (for example, requesting /api/orders/1002 after being issued /api/orders/1001). Because the request is authenticated and well-formed, it passes authentication and input validation; the missing control is an object-level authorization check tied to the server-side identity of the caller, not to any user identifier the client supplies.
Remediation
Implement the following controls to prevent horizontal BOLA vulnerabilities:
1. Enforce authorization checks on every resource access: Verify that the authenticated user owns or has explicit permission to access the requested resource before returning data.
// Example: Verify resource ownership before access.
// currentUser must come from the server-side session or validated token,
// never from a user id in the request; treat a missing object and a foreign
// object the same way so the response does not reveal which ids exist.
const resource = await getResourceById(resourceId);
if (!resource || resource.ownerId !== currentUser.id) {
throw new ForbiddenError('Access denied');
}
return resource;
2. Use indirect reference maps: Replace predictable identifiers with random, non-sequential tokens or implement a session-based mapping layer that translates user-facing identifiers to internal object references.
3. Implement attribute-based access control (ABAC): Define access policies based on user attributes, resource properties, and contextual information rather than relying solely on user roles.
4. Apply the principle of least privilege: Ensure users can only access resources explicitly granted to them, with deny-by-default policies.
5. Conduct regular security testing: Perform automated and manual testing to identify authorization gaps, including testing with multiple user accounts at the same privilege level to detect horizontal access control issues.