Vertical IDOR/BOLA (Broken Object Level Authorization) - Vulnerability Database

Vertical IDOR/BOLA (Broken Object Level Authorization)

Description

Vertical Broken Object Level Authorization (BOLA), also known as Vertical Insecure Direct Object References (IDOR), occurs when an application fails to verify that a user has the appropriate privilege level to access or modify a resource. Unlike horizontal BOLA where users access resources of peers at the same privilege level, vertical BOLA allows lower-privileged users (such as regular users) to access or manipulate resources that should only be available to higher-privileged users (such as administrators). This vulnerability typically arises when applications rely solely on user-supplied input (like object IDs) without validating the user's authorization level for that specific resource.

Remediation

Implement comprehensive authorization controls to prevent vertical privilege escalation:

1. Enforce Role-Based Access Control (RBAC):
Verify both authentication and authorization for every resource access. Check that the authenticated user's role has permission to access the requested resource.

// Example: Node.js/Express middleware
function checkAdminAccess(req, res, next) {
  const user = req.user; // from authentication middleware
  const resourceId = req.params.id;
  
  // Verify user role
  if (user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden: Admin access required' });
  }
  
  // Additional check: verify resource exists and user can access it
  const resource = getResourceById(resourceId);
  if (!resource || !canUserAccessResource(user, resource)) {
    return res.status(403).json({ error: 'Access denied' });
  }
  
  next();
}

2. Implement Attribute-Based Access Control (ABAC):
For complex scenarios, validate access based on user attributes, resource properties, and environmental conditions rather than just user roles.

3. Use Indirect Object References:
Replace direct database IDs with session-specific indirect references or UUIDs that are mapped server-side to actual resources based on user privileges.

4. Apply Defense in Depth:
  • Validate authorization at multiple layers (API gateway, application logic, and data access layer)
  • Use allowlists to explicitly define which roles can access specific resources
  • Implement audit logging for all privileged operations
  • Deny access by default and explicitly grant permissions only when required

5. Regular Security Testing:
Conduct penetration testing and automated security scans specifically targeting authorization logic. Test with users of different privilege levels to ensure proper access controls are enforced.