You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -81,4 +89,4 @@ Add these [environment variables](/workers/configuration/environment-variables/)
81
89
82
90
Both of these appear in the modal that appears when you enable Cloudflare Access.
83
91
84
-
You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**.
92
+
You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**.
A Broken Object Level Authorization (BOLA) vulnerability is where an application or API fails to properly verify if a user has permission to access specific data.
15
15
@@ -21,46 +21,113 @@ BOLA vulnerabilities are as dangerous as an account takeover. Successfully explo
21
21
22
22
Cloudflare labels endpoints with BOLA risk when we detect two distinct signals common with attacks exploiting BOLA: **Parameter pollution** and **Enumeration**.
23
23
24
-
-**Parameter pollution**: Cloudflare detects anomalies where one or more successful requests containing a value in an expected path, query string or header have that value duplicated in an unexpected, similar location.
24
+
## Enumeration
25
25
26
-
This behavior may be indicative of attackers trying to confuse the API’s authorization system and bypass security controls.
27
-
28
-
-**Enumeration**: Cloudflare continually profiles all sessions on a per-endpoint basis and detects anomalous sessions that successfully request many unique data points from an API endpoint against what is normal.
26
+
Cloudflare continually profiles all sessions on a per-endpoint basis and detects anomalous sessions that successfully request many unique data points from an API endpoint against what is normal.
29
27
30
28
:::note
31
29
Sessions that have more random behavior or repetition have a higher chance of triggering an alert.
32
30
33
31
The BOLA enumeration label requires an endpoint to have seen at least 10,000 sessions before being eligible for outlier detection.
-**Normal behavior**: Users request credit cards using only their own `userId`.
38
+
-**Attack behavior**: Attackers request hundreds of `userId` values per session by brute-force iterating through `userIds` found via other methods.
39
+
-**Result**: If the origin authorization policy is broken for this endpoint, the attacker gains credit card information on every user account they request it for.
40
+
</Details>
39
41
40
-
**Endpoint**: `GET /api/v1/orders/{orderId}`
42
+
## Parameter pollution
41
43
42
-
-**Normal behavior**: `orderId` sent in a path variable like `GET /api/v1/orders/12345`
43
-
-**Attacker behavior**: `orderId` is also sent as a query parameter, triggering old, undocumented code that looks for orders in the query parameter and happens to lack an authorization check: `GET /api/v1/orders/12345?orderId=67890`
44
-
-**Result**: By passing in a bogus order or an order that the attacker owns (`12345`), they are able to trigger the old, undocumented code and access an order that they do not own (`67890`)
44
+
Cloudflare detects anomalies where one or more successful requests containing a value in an expected path, query string, header, or cookie have that value duplicated in an unexpected, similar location.
45
45
46
-
### BOLA enumeration attack
46
+
This behavior may be indicative of attackers trying to confuse the API's authorization system and bypass security controls.
-**Normal behavior**: Users request credit cards using only their own `userId`.
51
-
-**Attack behavior**: Attackers request hundreds of `userId` values per session by brute-force iterating through `userIds` found via other methods.
52
-
-**Result**: If the authorization policy is broken for this endpoint, the attacker gains credit card information on every user account they request it for.
51
+
-**Normal behavior**: `orderId` sent in a path variable like `GET /api/v1/orders/12345`
52
+
-**Attacker behavior**: `orderId` is also sent as a query parameter, triggering old, undocumented code that looks for orders in the query parameter and happens to lack an authorization check: `GET /api/v1/orders/12345?orderId=67890`
53
+
-**Result**: By passing in a fake order or an order that the attacker owns (`12345`), they are able to trigger the old, undocumented code and access an order that they do not own (`67890`)
54
+
</Details>
53
55
54
56
## Process
55
57
56
-
For beta customers, API Shield searches for and highlights BOLA attacks on your APIs. Cloudflare learns visitor traffic patterns over time to know when API access to specific objects is likely a BOLA enumeration attack. We inform you what API endpoints are being targeted by automatically labeling them using the following risk labels:
58
+
API Shield searches for and highlights BOLA attacks on your APIs. Cloudflare learns visitor traffic patterns over time to know when API access to specific objects is likely a BOLA enumeration attack. We inform you what API endpoints are being targeted by automatically labeling them using the following [risk labels](/api-shield/management-and-monitoring/endpoint-labels/#risk-labels):
57
59
58
60
`cf-risk-bola-enumeration`: Automatically added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions.
59
61
60
62
`cf-risk-bola-pollution`: Automatically added when an endpoint experiences successful responses where parameters are found in multiple places in the request, as opposed to what is expected from the API's schema.
61
63
62
64
If you see one of these labels on your API endpoints, check its authorization policy with your developer team to find any authorization bugs. Additionally, you can reach out to Cloudflare for a customized report about the behavior, including attacker identifiers that you can use to confirm attack reach and impact.
63
65
66
+
BOLA attack information can be found in your [Security Overview](#security-overview) and [Endpoint details](#endpoint-details). Closed beta customers can find BOLA attack information in [Security Analytics](#security-analytics) as well.
67
+
68
+
### Security Overview
69
+
70
+
If BOLA vulnerabilities have been detected on your endpoints, you can view a summary of the attack and suggestions to mitigate it via the Cloudflare dashboard.
71
+
72
+
<Steps>
73
+
1. In the Cloudflare dashboard, go to the **Security** page.
3. Depending on the type of attack, select **Review traffic from potential BOLA enumeration attack** or **Review traffic from potential parameter pollution attack** to view details of the attack and suggested actions.
78
+
4. Select **View all affected endpoints** or **View details** on a specific endpoint to review suspicious sessions in [Web Assets](#endpoint-details).
79
+
</Steps>
80
+
81
+
Cloudflare evaluates your session requests for both enumeration and parameter pollution attacks and provides you with a list of at-risk endpoints and the number of anomalous sessions where an attack was detected. You can follow the suggested actions to address your BOLA vulnerabilities and prevent future attacks against your endpoints.
82
+
83
+
:::note
84
+
If the insight has been archived but attacks are still present, you can filter by **Show archived**.
85
+
:::
86
+
87
+
### Security Analytics
88
+
89
+
You can view analytics of your zone's traffic profile and suspicious requests associated with enumeration or parameter pollution attacks in the Cloudflare dashboard.
Filter requests depending on the type of attack detected in your zone, including the hashed session IDs found in the attack and the corresponding BOLA vulnerability risk label, to see an analysis of your request activity from the past seven days. This filter includes all traffic from suspected attacker sessions, so you can evaluate other actions that they are taking against your zone.
94
+
95
+
This does not filter by specific endpoints.
96
+
97
+
Review the top statistics and details of managed API endpoints, paths and values targeted by the attack, source IPs, source user agents, and source fingerprints.
98
+
99
+
Cloudflare recommends that you observe your traffic profile for any anomalies in its normal behavior.
100
+
101
+
:::note[Availability]
102
+
BOLA attacks in Security Analytics is currently available in closed beta.
103
+
:::
104
+
105
+
### Endpoint details
106
+
107
+
You can expand the endpoint details in Web Assets to access information on suspicious sessions' activity on the endpoint, including both enumeration attack and parameter pollution attack details.
Under **Security overview**, select **View attack** to review affected sessions with its associated IP addresses and JA4 fingerprints.
112
+
113
+
You can export the `.csv` file containing all the IP addresses and JA4 fingerprints for all or only a specific session.
114
+
115
+
:::note
116
+
The hashed session ID is used for privacy purposes and only as a unique identifier for a specific session. It cannot be un-hashed. It will not match your customer values in your application or database.
117
+
:::
118
+
119
+
The details specify the parameter that was affected, the number of sessions involved in the attack, and how far their behavior deviated from baseline.
120
+
121
+
If unauthorized access to the parameter was obtained, consider the potential impact to your application, users, and data. As a best practice, consult with your application and API developers to confirm unauthorized access by reviewing your API origin logs for the IP address and JA4 fingerprint of the abusive sessions.
122
+
123
+
Closed beta customers can view attack data in [Security Analytics](#security-analytics).
The managed endpoint will be automatically filtered in the request activity from the past seven days. You can also filter by suspicious IP addresses and fingerprints found in the attack details.
128
+
129
+
---
130
+
64
131
## Availability
65
132
66
-
BOLA attack detection is available in a closed beta. Contact your account team if you are interested in BOLA attack detection for your API.
133
+
Details of BOLA attacks visible in Security Analytics are only available for customers in the closed beta.
Copy file name to clipboardExpand all lines: src/content/docs/cloudflare-one/policies/gateway/http-policies/granular-controls.mdx
+1Lines changed: 1 addition & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,6 +17,7 @@ To use Application Granular Controls, you must:
17
17
- Turn on [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
18
18
- Turn on the [Gateway proxy](/cloudflare-one/policies/gateway/proxy/#turn-on-the-gateway-proxy).
19
19
- (Optional) If an application uses HTTP/3, turn on the [Gateway proxy for UDP traffic](/cloudflare-one/policies/gateway/http-policies/http3/#enable-http3-inspection).
20
+
- (Optional) To turn on [AI prompt logging](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content), create a [DLP payload encryption public key](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#set-a-dlp-payload-encryption-public-key).
20
21
21
22
## Create a policy with Application Granular Controls
0 commit comments