Vertical IDOR/BOLA (Broken Object Level Authorization)
Description
Vertical Broken Object Level Authorization (BOLA), also known as Vertical Insecure Direct Object References (IDOR), occurs when an application fails to verify that a user has the appropriate privilege level to access or modify a resource. Unlike horizontal BOLA where users access resources of peers at the same privilege level, vertical BOLA allows lower-privileged users (such as regular users) to access or manipulate resources that should only be available to higher-privileged users (such as administrators). This vulnerability typically arises when applications rely solely on user-supplied input (like object IDs) without validating the user's authorization level for that specific resource.
Remediation
Implement comprehensive authorization controls to prevent vertical privilege escalation:<br/><br/>
<b>1. Enforce Role-Based Access Control (RBAC):</b><br/>
Verify both authentication and authorization for every resource access. Check that the authenticated user's role has permission to perform the requested action on the requested resource, and never infer that permission from the object ID supplied by the client.<br/>
<pre>// Example: Node.js/Express middleware
// Assumes an authentication middleware has already populated req.user, and
// that getResourceById() and canUserAccessResource() are defined elsewhere.
function checkAdminAccess(req, res, next) {
  const user = req.user;            // from authentication middleware
  const resourceId = req.params.id; // untrusted: comes from the URL

  // Vertical check: verify the user's role
  if (user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden: Admin access required' });
  }

  // Additional check: verify the resource exists and this user may access it
  const resource = getResourceById(resourceId);
  if (!resource || !canUserAccessResource(user, resource)) {
    return res.status(403).json({ error: 'Access denied' });
  }

  next();
}</pre><br/>
<b>2. Implement Attribute-Based Access Control (ABAC):</b><br/>
For complex scenarios, validate access based on user attributes, resource properties, and environmental conditions rather than on user roles alone.<br/><br/>
<b>3. Use Indirect Object References:</b><br/>
Replace direct database IDs with session-specific indirect references or UUIDs that are mapped server-side to the actual resources according to the user's privileges.<br/><br/>
<b>4. Apply Defense in Depth:</b><br/>
<ul>
<li>Validate authorization at multiple layers (API gateway, application logic, and data access layer)</li>
<li>Use allowlists to explicitly define which roles can access specific resources</li>
<li>Implement audit logging for all privileged operations</li>
<li>Deny access by default and explicitly grant permissions only when required</li>
</ul><br/>
<b>5. Regular Security Testing:</b><br/>
Conduct penetration testing and automated security scans that specifically target authorization logic. Test with users of different privilege levels to confirm that access controls are enforced for each role.