The Bug Behind the Delete Button: How I Found a Critical IDOR
Security researcher Antonio found a Broken Object Level Authorization (BOLA) vulnerability while testing a web application. By creating multiple accounts and observing how data flowed, he discovered a cross-account operation flaw when trying a user deletion request. The experience underlines the importance of manual testing and an attacker's mindset, and is a reminder that automated tools can miss issues. 2025-9-20 00:44:14 Author: infosecwriteups.com

Antonio Rivera Poblete

👨‍💻 Introduction

Hi, I’m Antonio Rivera, a Security Researcher, Bug Hunter, and Ethical Hacker. I have secured some companies and received bounties, Hall of Fame mentions, and Letters of Appreciation and Recognition.

This is the story of how I ran into a Broken Object Level Authorization (BOLA) vulnerability while poking around a web application.

🕵️‍♂️ The Recon Phase

The first thing I do when testing a new application is create a few accounts. It helps me see how the app behaves from different perspectives.

I spent some time exploring forms, menus, and pages to understand how data moved between users.

Once I understood the app, I started testing for IDORs on my own account. At first, nothing happened. I tried other tests, like race conditions and business logic checks, but still, nothing produced results.

💥 The IDOR

Then, while reviewing some requests, one caught my attention:

  • POST /restapi/soa2/ID/userDelete
    {"operation":"userDelete","params":{"uid":"MyID","companyId":"clapthispost1234"}}


It looked ordinary, but I decided to test it with a token from another account. To my surprise, it worked. That was when I realized an IDOR existed.
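To show what went wrong in the handler behind that request, here is an added example (not code from the original post or from the affected application) of a userDelete handler that trusts the uid and companyId in the body, next to a version that checks them against the principal identified by the token. The user store, token mapping and function names are assumptions for illustration.

```python
import json

# Constructed user store (uid -> attributes); values are made up for the example.
USERS = {
    "MyID": {"companyId": "clapthispost1234"},
    "OtherID": {"companyId": "othercorp5678"},
}

# Constructed token -> uid mapping standing in for the real session layer.
TOKENS = {"token-mine": "MyID", "token-other": "OtherID"}


def request_body(uid, company_id):
    """Build a body in the shape seen in the write-up."""
    return json.dumps({"operation": "userDelete",
                       "params": {"uid": uid, "companyId": company_id}})


def vulnerable_user_delete(token, raw_body, users):
    """BOLA: the caller is authenticated, but nothing ties the caller to the
    uid/companyId named in the body, so any valid token deletes any user."""
    if token not in TOKENS:
        return 401, "unauthenticated"
    params = json.loads(raw_body)["params"]
    uid = params["uid"]
    if uid not in users:
        return 404, "no such user"
    del users[uid]
    return 200, f"deleted {uid}"


def hardened_user_delete(token, raw_body, users):
    """Object-level authorization: the target must be the principal behind the
    token (self-delete only, an assumption here) and the companyId must match.
    A single 403 is returned for every failure so uids cannot be enumerated."""
    caller = TOKENS.get(token)
    if caller is None:
        return 401, "unauthenticated"
    params = json.loads(raw_body)["params"]
    uid = params["uid"]
    target = users.get(uid)
    if (target is None or uid != caller
            or target["companyId"] != params["companyId"]):
        return 403, "forbidden"
    del users[uid]
    return 200, f"deleted {uid}"
```

The same request body with the other account's token succeeds against the first handler and is refused by the second, which is the check the write-up's finding says was missing.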


🏁 The Lesson

This reinforced a simple truth: careful observation and thinking like an attacker often reveal issues that automated tools miss.

😔 Unfortunately


Source: https://infosecwriteups.com/the-bug-behind-the-delete-button-how-i-found-a-critical-idor-2ea938226f7b?source=rss----7b722bfd1b8d--bug_bounty