Broken Object Level Authorization (BOLA) + IDOR
Description

When a user can access objects or pages that they shouldn't be able to, because the server trusts an object identifier supplied by the client without checking that the user owns it. Insecure direct object reference (IDOR) is tested the same way.
Examples/Methods/Results

Burp Suite

Here we have a page that shows a car in a user’s account.


We can refresh the page and capture the request in Burp. The carID is visible in the request.


Then the ID can be changed in Repeater. If the response says not authorized, the endpoint is fine; if it returns the object for the other ID, there is a problem.

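The Repeater check above, modelled as an added example (not code from the original page): a car-lookup handler first without and then with an object-level authorization check, plus a helper that applies the same pass/fail rule as the manual test. The in-memory car table, user IDs and response shape are constructed assumptions.

```python
# Added example, not from the original page: a car-lookup endpoint modelled in
# plain Python, first with a BOLA/IDOR defect and then with the fix.
from dataclasses import dataclass


@dataclass(frozen=True)
class Car:
    car_id: int
    owner_id: int
    plate: str


# Constructed sample data: two users, each owning one car.
CARS = {
    101: Car(car_id=101, owner_id=1, plate="ABC-123"),
    102: Car(car_id=102, owner_id=2, plate="XYZ-789"),
}


def get_car_vulnerable(session_user_id: int, car_id: int) -> dict:
    """BOLA/IDOR: trusts the client-supplied carID and never checks the owner,
    so any logged-in user who edits carID in Repeater gets someone else's car."""
    car = CARS.get(car_id)
    if car is None:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": car.plate}


def get_car_fixed(session_user_id: int, car_id: int) -> dict:
    """Object-level authorization: the owner comes from the server-side record
    and is compared with the authenticated session user, never the request."""
    car = CARS.get(car_id)
    # Same response for "missing" and "not yours", so the ID space cannot be
    # enumerated by telling a 403 apart from a 404.
    if car is None or car.owner_id != session_user_id:
        return {"status": 403, "body": "not authorized"}
    return {"status": 200, "body": car.plate}


def is_bola(handler, session_user_id: int, foreign_car_id: int) -> bool:
    """Mirror the Repeater test for a car the session user does NOT own:
    a 200 with the object's data means the handler is vulnerable."""
    assert CARS[foreign_car_id].owner_id != session_user_id, "pick a foreign ID"
    return handler(session_user_id, foreign_car_id)["status"] == 200
```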

Further Readings

BOLA