Detecting Broken Object Level Authorization attacks in REST APIs using Producer-Consumer dependency
Publisher
Universidade Federal do Amazonas
Abstract
Web APIs (Application Programming Interfaces) have become ubiquitous in applications that require some form of communication between client and server. They are developed mainly in the REST (Representational State Transfer) architectural style and are widely used in the development of Web and mobile applications. This increase in popularity, however, has brought new security challenges, such as the spread of vulnerabilities that derive mainly from the absence of state controls for client applications, a reflection of the statelessness requirement of REST design. Among these vulnerabilities, Broken Object Level Authorization (BOLA), a specific type of access control failure, stands out. It is listed in first position in the OWASP API Security Top 10 and is considered the most prevalent vulnerability in real-world applications; a successful attack leads to unauthorized access to sensitive data. This work aims to provide an approach for detecting attempts to exploit this vulnerability at runtime, based on the identification of producer-consumer relationships between endpoints extracted from API specifications compliant with the OpenAPI standard (OAS). The solution is evaluated against the APIs of applications vulnerable to BOLA, in order to validate its capacity to detect attacks.
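As an added illustration of the idea summarized in the abstract (not code from the thesis), the toy below derives producer-consumer pairs from a constructed, minimal OpenAPI-like fragment and then flags a consumer request whose object id was produced for a different principal. The spec shape, the per-principal ownership tracking and all sample values are assumptions made for this example.

```python
"""Toy runtime BOLA detector built on producer-consumer endpoint pairs.

A producer endpoint returns an object id in its response; a consumer
endpoint takes the same id as a path parameter. Ownership is recorded
per principal when the producer responds, and a consumer request that
references an id owned by someone else is reported as a suspected BOLA
attempt. Constructed example, not the thesis's implementation.
"""
from collections import defaultdict

# Constructed minimal OpenAPI-like fragment (assumed shape for this example).
SPEC = {
    "paths": {
        "/orders": {"post": {"responses": {"201": {"schema": {"properties": {"orderId": {}}}}}}},
        "/orders/{orderId}": {"get": {"parameters": [{"name": "orderId", "in": "path"}]}},
    }
}

def producer_consumer_pairs(spec):
    """Pair endpoints whose response property name matches a path parameter name."""
    producers = {}  # field name -> (METHOD, path) that emits it
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for resp in op.get("responses", {}).values():
                for field in resp.get("schema", {}).get("properties", {}):
                    producers[field] = (method.upper(), path)
    pairs = []  # (producer, consumer, shared field name)
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for param in op.get("parameters", []):
                if param.get("in") == "path" and param["name"] in producers:
                    pairs.append((producers[param["name"]], (method.upper(), path), param["name"]))
    return pairs

class BolaMonitor:
    def __init__(self, spec):
        self.pairs = producer_consumer_pairs(spec)
        self.owner = defaultdict(dict)  # field -> {object id: principal that produced it}

    def observe_response(self, principal, method, path, body):
        """Record which principal received a freshly produced object id."""
        for producer, _, field in self.pairs:
            if producer == (method, path) and field in body:
                self.owner[field][str(body[field])] = principal

    def check_request(self, principal, method, template, params):
        """Return True for a suspected BOLA attempt: id owned by another principal.
        Ids never seen from a producer are left undecided (False)."""
        for _, consumer, field in self.pairs:
            if consumer == (method, template) and field in params:
                owner = self.owner[field].get(str(params[field]))
                return owner is not None and owner != principal
        return False
```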
Citation
LOEBENS, Marcelo de Castro. Detectando ataques Broken Object Level Authorization em APIs REST usando dependência Produtor-Consumidor. 2022. 54 leaves. Master's thesis (Master's in Informatics), Universidade Federal do Amazonas (AM), 2022.
