Mitigating OWASP API Security Risk: BOPLA using F5 BIG-IP

This article is a continuation of the OWASP Top 10 API Security series. It gives an overview of Broken Object Property Level Authorization (BOPLA, API3:2023) and shows how it can be mitigated using F5 BIG-IP Advanced WAF.

 

Introduction to BOPLA:

BOPLA merges two risks from the 2019 list, Mass Assignment and Excessive Data Exposure, because both share the same root cause: the API does not check, at the level of individual object properties, whether the caller is authorized to write or read them. Mass assignment lets an attacker write properties they should not control; excessive data exposure returns properties they should never see. The consequences are manipulation of objects by unauthorized parties and unintended disclosure of sensitive information.

 

Mass Assignment:

A mass assignment vulnerability occurs when the application binds client-supplied request fields directly to the properties of an internal object (for example a user model) without checking which properties the caller is permitted to set. Because the binding is not validated, an attacker can add properties to the request that were never meant to be writable, such as a role, and gain privileges the user should not have. This can lead to privilege escalation, data loss and account takeover.

In the screenshot above, BIG-IP Advanced WAF blocks the attacker's request to escalate from a normal user to an admin by adding a role property to the JSON body of the API request.
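The following is an added example (not code from the article or from F5) of the same role escalation in application code, with the allow-list check that the WAF applies in front of the API. It assumes a constructed user record, a hypothetical set of user-writable properties (USER_WRITABLE) and a constructed attacker request that smuggles a role property alongside a legitimate email change.

```python
import json

# Constructed sample: the stored user record that the profile endpoint updates.
USER_RECORD = {"id": 42, "username": "alice", "email": "alice@example.com", "role": "user"}

# Assumption for this example: the only properties a normal user may set on
# their own profile. Everything else (id, role, ...) is server-controlled.
USER_WRITABLE = frozenset({"email", "display_name"})

# Constructed attacker request: a legitimate email change with "role" smuggled in.
ATTACK_BODY = '{"email": "alice@example.com", "role": "admin"}'


def update_profile_vulnerable(record, body_json):
    """Mass assignment: every key in the request body is copied onto the object,
    so a client-supplied "role" silently overwrites the server-controlled one."""
    updated = dict(record)
    updated.update(json.loads(body_json))
    return updated


def disallowed_properties(body_json, writable=USER_WRITABLE):
    """Return the request properties that are not on the allow-list, sorted.
    This is the property-level check a WAF or the API itself must perform."""
    payload = json.loads(body_json)
    return sorted(key for key in payload if key not in writable)


def update_profile_hardened(record, body_json, writable=USER_WRITABLE):
    """Reject the whole request if it sets any non-writable property, then copy
    only allow-listed properties. Rejecting (rather than silently dropping) makes
    the attempt visible in logs."""
    rejected = disallowed_properties(body_json, writable)
    if rejected:
        raise PermissionError(f"request sets non-writable properties: {rejected}")
    payload = json.loads(body_json)
    updated = dict(record)
    for key in payload:
        updated[key] = payload[key]
    return updated


if __name__ == "__main__":
    print("vulnerable:", update_profile_vulnerable(USER_RECORD, ATTACK_BODY)["role"])
    print("rejected properties:", disallowed_properties(ATTACK_BODY))
    try:
        update_profile_hardened(USER_RECORD, ATTACK_BODY)
    except PermissionError as exc:
        print("hardened:", exc)
```

The allow-list is per role: an admin endpoint would pass a different `writable` set. Deny-listing known-dangerous names ("role", "is_admin") is the wrong way round, because any property the model gains later is writable by default.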

For more details on the F5 BIG-IP Advanced WAF solution to the Mass Assignment vulnerability, see the article Mitigating OWASP API Security Risk Mass Assignment | F5 BIG-IP Solutions.

 

Excessive Data Exposure:

An API typically returns the full internal representation of an object and relies on the client to filter out what the user should not see before displaying it. Client-side filtering is easily bypassed: anyone who calls the API directly, for example with a proxy or a script, receives the unfiltered response. When this is overlooked during implementation, sensitive data such as Personally Identifiable Information (PII), Credit Card Numbers (CCN), Social Security Numbers (SSN) and phone numbers is exposed, leading to data breaches and giving attackers material for fraud and identity theft.

In the screenshot above, BIG-IP Advanced WAF masks sensitive data such as the SSN and CCN in the response by replacing them with asterisks before it reaches the end user.
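As an added example (not the article's or F5's code) of the two layers of defence for excessive data exposure: the API should return only the properties the caller needs, and a response-masking step can catch SSN and CCN values that still leak through. The record, the PUBLIC_FIELDS allow-list and the field names are constructed for the example; the masking keeps the last four digits, which is a choice made here, not something the article specifies.

```python
import json
import re

# Constructed sample: the full internal user object as the API would serialise it.
FULL_RECORD = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "ssn": "123-45-6789",
    "credit_card": "4111 1111 1111 1111",  # standard Visa test number, Luhn-valid
    "role": "user",
}

# Assumption: what a public profile lookup actually needs. Everything else
# stays server-side rather than being left for the client to hide.
PUBLIC_FIELDS = frozenset({"id", "username"})

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits with optional single space or dash separators.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def filter_response(record, fields=PUBLIC_FIELDS):
    """Server-side property allow-list: the fix for excessive data exposure."""
    return {key: value for key, value in record.items() if key in fields}


def luhn_ok(number):
    """Luhn checksum, used to avoid masking every long digit run as a card number."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for index, digit in enumerate(reversed(digits)):
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def _mask_all_but_last4(text):
    """Replace every digit except the last four with '*', keeping separators."""
    digit_positions = [i for i, ch in enumerate(text) if ch.isdigit()]
    keep = set(digit_positions[-4:])
    return "".join(
        "*" if (i in digit_positions and i not in keep) else ch
        for i, ch in enumerate(text)
    )


def mask_sensitive(body):
    """Mask SSN and Luhn-valid card numbers anywhere in a serialised response body.
    This is a safety net, like the WAF's response masking, not a substitute for
    filter_response()."""
    body = SSN_RE.sub(lambda m: _mask_all_but_last4(m.group(0)), body)
    body = CCN_RE.sub(
        lambda m: _mask_all_but_last4(m.group(0)) if luhn_ok(m.group(0)) else m.group(0),
        body,
    )
    return body


def masked_response(record):
    """Serialise the unfiltered record, mask it, and parse it back for inspection."""
    return json.loads(mask_sensitive(json.dumps(record)))


if __name__ == "__main__":
    print("filtered:", filter_response(FULL_RECORD))
    print("masked:  ", masked_response(FULL_RECORD))
```

Masking on the way out is deliberately conservative: a 16-digit invoice number that fails the Luhn check is left alone, while the phone number is untouched because it matches neither pattern. The allow-list in filter_response is the primary control; masking only limits the damage when a property slips through it.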

For more details on the F5 BIG-IP Advanced WAF solution to the Excessive Data Exposure vulnerability, see the article Mitigating OWASP API Security Risk Excessive Data Exposure | F5 BIG-IP Solutions.

 

Conclusion:

A BOPLA vulnerability can cause serious damage to the application and its users. Blocking unauthorized property writes stops attackers from granting themselves special privileges, and masking sensitive properties in responses keeps them from reaching end users. BIG-IP Advanced WAF applies both controls and protects the application against BOPLA, enhancing the overall security of the system.

 

References:

For more details, guidance on the OWASP API Security Top 10 and the steps to configure an Advanced WAF security policy on F5 BIG-IP, refer to the official OWASP and F5 documentation.

Published Jul 24, 2025
Version 1.0