Our team occasionally scans APIs for various customer and research purposes, or in connection with a specific request. As we do this, we sometimes find vulnerabilities in third-party organizations' APIs. This article is part of an ongoing series of posts following some of the API vulnerabilities FireTail researchers have uncovered in the process…
FireTail CTO Riley found a web application vulnerability. With the app open and his browser's developer tools capturing traffic, he noticed that one of the requests was going to an API endpoint rather than to the web application itself. A typical web application responds with rendered frontend content, whereas an API returns raw data with no presentation layer, and raw data is exactly what this request was returning.
Looking closer at the request, he saw that it identified the user by a plain numerical ID. A sequential, guessable ID in a request is the first sign of a potential Broken Object Level Authorization (BOLA) flaw: if the server does not enforce authorization (AuthZ) on the object being requested, anyone who can guess an ID can ask for that object.
To test this, Riley replayed the request with the ID incremented by 10. He expected an "access denied" response; instead, the API returned all of the data for a different user.
A malicious user could script this: reset the ID to 1 and walk upward, automating the requests to pull record after record for as long as the pattern holds. Done slowly, a small batch every day over the course of months, the enumeration could easily go undetected by the organization.
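To make the flaw and the enumeration risk concrete, here is an added example (written for this article, not FireTail's code and not code from the affected application) that puts a toy user-lookup handler with the BOLA defect beside a hardened one, runs the attacker's ID-walking loop against both, and then looks for low-and-slow enumeration in constructed access events. The `USERS` store, the client IP addresses and the event timeline are all made up for the example.

```python
"""
Added example, not FireTail's code or the affected vendor's: a toy user-lookup
handler with the BOLA defect described above beside a hardened one, the
enumeration loop an attacker would run against it, and a detector that looks
for low-and-slow ID walking in constructed access events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed backing store with sequential IDs, like the API in the article.
USERS = {
    1: {"name": "alice", "email": "alice@example.test"},
    2: {"name": "bob", "email": "bob@example.test"},
    3: {"name": "carol", "email": "carol@example.test"},
}


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


def get_user_vulnerable(session_user_id, requested_id):
    """Vulnerable handler: authenticates the caller (AuthN) but never checks
    that the caller owns the requested object (AuthZ). This is BOLA."""
    if session_user_id is None:
        raise Forbidden("login required")
    return USERS.get(requested_id)


def get_user_hardened(session_user_id, requested_id):
    """Hardened handler: object-level authorization. The caller may read only
    its own record; any other ID is refused before the lookup happens."""
    if session_user_id is None:
        raise Forbidden("login required")
    if requested_id != session_user_id:
        raise Forbidden("not your object")
    return USERS.get(requested_id)


def enumerate_ids(fetch, session_user_id, start, stop):
    """The attacker's script: walk the ID space and keep whatever comes back."""
    leaked = {}
    for uid in range(start, stop + 1):
        try:
            record = fetch(session_user_id, uid)
        except Forbidden:
            continue
        if record is not None:
            leaked[uid] = record
    return leaked


def constructed_events():
    """Constructed access events as (timestamp, client_ip, session_user, requested_id, status).
    The attacker at 203.0.113.7, logged in as user 1, reads three other users' records per
    day for ten days; a normal client at 198.51.100.9 (user 2) only ever reads its own record."""
    base = datetime(2024, 1, 1, 9, 0)
    events = []
    next_id = 2
    for day in range(10):
        for hour in range(3):
            events.append((base + timedelta(days=day, hours=hour), "203.0.113.7", 1, next_id, 200))
            next_id += 1
        events.append((base + timedelta(days=day, minutes=30), "198.51.100.9", 2, 2, 200))
    return events


def flag_enumeration(events, window_days, threshold):
    """Flag any client that successfully read more than `threshold` distinct objects it
    does not own within some sliding window of `window_days`. Returns {client_ip: count}."""
    window = timedelta(days=window_days)
    foreign = defaultdict(list)
    for ts, client, session_user, requested_id, status in events:
        if status == 200 and requested_id != session_user:
            foreign[client].append((ts, requested_id))
    flagged = {}
    for client, hits in foreign.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ids = {rid for ts, rid in hits[i:] if ts - t0 <= window}
            if len(ids) > threshold:
                flagged[client] = len(ids)
                break
    return flagged


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(enumerate_ids(get_user_vulnerable, 1, 1, 10)))
    print("hardened leaks:  ", sorted(enumerate_ids(get_user_hardened, 1, 1, 10)))
    ev = constructed_events()
    print("1-day window, >5 foreign IDs: ", flag_enumeration(ev, 1, 5))
    print("30-day window, >20 foreign IDs:", flag_enumeration(ev, 30, 20))
```

Against the vulnerable handler the loop harvests every record that exists; against the hardened one it gets only the caller's own. The detector shows why the "slow, over months" variant is dangerous: with a one-day window and a modest threshold the attacker never trips the alarm, while a thirty-day window over the same events flags the client immediately. Monitoring for distinct foreign object IDs per client over long windows is a useful complement to fixing the authorization check, not a substitute for it.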
Riley notified the company's C-suite, who treated it as a critical bug. Even so, it took three weeks from discovery to fix.