OWASP Tactical Access Defense Series: Broken Object Level Authorization and BIG-IP APM

Addressing Broken Object Level Authorization (BOLA) vulnerabilities requires a multifaceted approach, combining robust coding practices, secure development methodologies, and powerful tools. Among these tools, F5 BIG-IP Access Policy Manager (APM) stands out as a crucial component in the arsenal of security measures.

This article, the second in a series of articles dedicated to fortifying application security, delves into the pivotal role that BIG-IP APM plays in identifying, mitigating, and ultimately preventing OWASP top 10 API vulnerabilities by providing developers and security professionals with a comprehensive guide to bolstering application security in the face of evolving cyber threats.

Broken Object Level Authorization

This is one of the most common and severe vulnerabilities within APIs and is related to Insecure Direct Object References (IDOR).

Let's start with what Object Level Authorization is: an access control mechanism that validates which user may access a specific object through an endpoint and which actions that user is allowed to perform on it.

BOLA and IDOR refer to situations where endpoints fail to enforce object-specific authorization rules, so a user is able to reach objects they are not entitled to and perform unauthorized actions on them.

The underlying weakness is that the server component fails to track client state and instead relies on parameters that can be tweaked from the client side (for example cookies or object IDs) to decide what the client may access.

BOLA Example

Let's assume this backend directory,


- /uploads/
  - user1/
    - file1.txt
    - file2.txt
  - user2/
    - file3.txt
    - file4.txt


The expected usage for user1 is https://example.com/viewfile?file=file1.txt, which returns file1 from user1's own directory.
If the server is vulnerable to BOLA, user2 can log in and then reach user1's file simply by changing the object reference: https://example.com/viewfile?file=user1/file1.txt
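To make the defect concrete, here is an added example (not code from the article or from F5) that models the `viewfile` endpoint above twice: once the way a BOLA-prone server behaves, and once with per-request object-level authorization. The in-memory `UPLOADS` store mirrors the directory listing above, and the `SESSIONS` table, cookie names and function names are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample store mirroring the article's /uploads/ layout.
UPLOADS = {
    "user1": {"file1.txt": b"user1 data", "file2.txt": b"more user1 data"},
    "user2": {"file3.txt": b"user2 data", "file4.txt": b"more user2 data"},
}

# Constructed server-side session table: opaque session id -> authenticated user.
# This is the "client state" the vulnerable handler never consults.
SESSIONS = {"sid-111": "user1", "sid-222": "user2"}


def _read(owner, name):
    """Look a file up by owner directory and basename; None if absent."""
    return UPLOADS.get(owner, {}).get(name)


def vulnerable_viewfile(cookies, params):
    """BOLA-prone handler: both the 'uid' cookie and the 'file' object id are
    chosen by the client, and the server never checks who owns the object."""
    uid = cookies.get("uid", "")
    target = PurePosixPath(params.get("file", ""))
    if len(target.parts) == 2:
        # 'user1/file1.txt' is honoured verbatim, whoever sends it.
        owner, name = target.parts
    else:
        # A bare name is resolved in whatever directory the cookie names.
        owner, name = uid, target.name
    data = _read(owner, name)
    return (200, data) if data is not None else (404, b"")


def authorized(subject, owner, action):
    """Object-level rule: a user may only 'read' objects they own.
    Kept separate so the policy is evaluated on every request."""
    return action == "read" and subject == owner


def hardened_viewfile(cookies, params):
    """Hardened handler: identity comes from server-side session state, the
    object id must be a plain basename, and ownership is checked per request."""
    subject = SESSIONS.get(cookies.get("session", ""))
    if subject is None:
        return (401, b"")                      # no tracked session, no access
    raw = params.get("file", "")
    name = PurePosixPath(raw).name
    if not raw or name != raw or name in (".", ".."):
        return (400, b"")                      # separators or traversal in object id
    # The object reference may name an owner; default to the caller's own files.
    owner = params.get("owner", subject)
    if not authorized(subject, owner, "read"):
        return (403, b"")                      # authenticated, but not this object
    data = _read(owner, name)
    return (200, data) if data is not None else (404, b"")


if __name__ == "__main__":
    # user2 requesting user1's file: served by the weak handler, refused by the hardened one.
    print(vulnerable_viewfile({"uid": "user2"}, {"file": "user1/file1.txt"}))
    print(hardened_viewfile({"session": "sid-222"}, {"file": "file1.txt", "owner": "user1"}))
```

The point to notice is where the subject comes from: the hardened handler derives it from `SESSIONS`, which the client cannot edit, and then asks `authorized()` for every object it is about to return. Rejecting path separators in the object id is a separate input-validation step; it does not replace the ownership check, because an attacker-controlled `owner` parameter would otherwise still be accepted.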

What would help in this situation? We need granular, per-endpoint authorization backed by proper server-side tracking of client state.

That's where our lovely friend BIG-IP APM comes into the picture. Let's see how BIG-IP APM can help us.

BIG-IP APM and BOLA protection

BIG-IP APM provides API protection through its Per-Request policy, which applies granular access protection to each API endpoint.

How BIG-IP APM enhances defenses

We start by creating our Per-Request policy. This policy works differently from the per-session policy: the flow is evaluated on a per-request basis, so changes that occur throughout the session lifetime are taken into account. Below are some of the key benefits:

  • Wide range of Authentication, SSO, and MFA mechanisms to properly identify the initiating machine or user.
    • Ability to integrate with 3rd parties to provide additional enforcement decisions based on the organization's policy.
  • Ability to apply endpoint checks on the client side before session initiation.
  • This applies to BIG-IP in general: the ability to apply custom traffic control on both sides of the connection, client and server.

Using the BIG-IP API protection profile

Protection profiles are an easy way to deploy both APM (Per-Request policy) and Advanced Web Application Firewall (AWAF).

  • As a prerequisite, APM and AWAF must be licensed and provisioned.
  • Use an OpenAPI Spec 2.0 document as the input to the API protection profile.
  • Apply different authentication methods, whether Basic or OAuth (directly from the template); once the API protection profile is created, we can customize the policy elements to our needs.

Using a hybrid approach with F5 Distributed Cloud (F5 XC) + BIG-IP APM

We discussed this approach in detail in F5 Hybrid Security Architectures (Part 5 - F5 XC, BIG-IP APM, CIS, and NGINX Ingress Controller).


Stay engaged to explore the comprehensive capabilities of BIG-IP APM and how it plays a pivotal role in fortifying your security posture against these formidable threats.

Published Nov 07, 2023
Version 1.0