From 10590c252428c99a74825ff4c26210df6d4c702c Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 24 Apr 2025 14:15:15 -0700 Subject: [PATCH 1/3] bola attack detection --- .../endpoint-labels.mdx | 4 ++ .../security/bola-attack-detection.mdx | 62 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 src/content/docs/api-shield/security/bola-attack-detection.mdx diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx index 53a345cf105e243..c4b5937a4fbd2ba 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx @@ -69,6 +69,10 @@ Cloudflare automatically runs risk scans every 24 hours on your saved endpoints. `cf-risk-size-anomaly`: Automatically added when an endpoint experiences a spike in response body size over the last 24 hours. +`cf-risk-bola-enumeration`: Automatically added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions. + +`cf-risk-bola-pollution`: Automatically added when an endpoint experiences successful responses where parameters are found in multiple places in the request. + :::note Cloudflare will only add authentication labels to endpoints with successful response codes. Refer to the below table for more details. ::: diff --git a/src/content/docs/api-shield/security/bola-attack-detection.mdx b/src/content/docs/api-shield/security/bola-attack-detection.mdx new file mode 100644 index 000000000000000..5a8d11a005cfe20 --- /dev/null +++ b/src/content/docs/api-shield/security/bola-attack-detection.mdx 
@@ -0,0 +1,62 @@ +--- +pcx_content_type: concept +type: overview +title: Broken Object Level Authorization attack detection +sidebar: + badge: + text: Beta + order: 10 + label: BOLA attack detection +--- + +import { Badge } from "~/components"; + +A Broken Object Level Authorization (BOLA) attack is where an application or API fails to properly verify if a user has permission to access specific private data. + +Bugs in the application or API allow attackers to bypass authorization checks and access sensitive information by manipulating and iterating through object identifiers + +Vulnerabilities can occur at any time, including in the original application's deployment. However, changes or upgrades to authentication and authorization policies can also introduce these bugs. + +BOLA attacks are as dangerous as account takeover. A successful BOLA attack allows the attacker to access or change data that they should not have ownership over. + +Cloudflare labels endpoints with BOLA risk when we detect two distinct signals common with BOLA attacks: **Parameter pollution** and **Enumeration**. + +- **Parameter pollution**: Cloudflare detects anomalies where one or more successful requests containing a value in an expected path, query string, header, or body parameter have that value duplicated in an unexpected, similar location. + + This behavior may be indicative of attackers trying to confuse the API’s authorization system and bypass security controls. + +- **Enumeration**: Cloudflare detects anomalies where one or more sessions makes successful requests to any one API endpoint changing variable values out of the norm, trying to get information from the API. + +:::note +Sessions that have more random behavior or repetition have a higher chance of triggering an alert. +::: + +## Examples + +### Parameter pollution attack + +**Endpoint**: `GET /api/v1/credit-cards/{cardId}` + +- **Normal behavior**: `cardId` is sent in a path variable. 
+- **Attacker behavior**:`cardId` is also sent as a query parameter, which triggers old and undocumented code that looks for cards in the query parameter that lacks the authorization check: `GET /api/v1/credit-cards/{cardId}?cardId=12345`. + +### BOLA enumeration attack + +**Endpoint**: `GET /api/v1/credit-cards/{cardId}` + +- **Normal behavior**: Users request one to two credit cards per session. +- **Attack behavior**: Attackers request hundreds of credit card values per session. + +## Process + +For beta customers, API Shield searches for and highlights BOLA attacks on your APIs. Cloudflare learns visitor traffic patterns over time to know when API access to specific objects is likely a Broken Object Level Authorization enumeration attack. We inform you what API endpoints are being targeted by automatically labeling them using the following risk labels: + +`cf-risk-bola-enumeration`: Automatically added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions. + +`cf-risk-bola-pollution`: Automatically added when an endpoint experiences successful responses where parameters are found in multiple places in the request. + +If you see one of these labels on your API endpoints, check its authorization policy with your developer team to find any authorization bugs. Additionally, you can reach out to Cloudflare for a customized report about the behavior, including attacker identifiers that you can use to confirm attack reach and impact. + +## Availability + +BOLA attack detection is available in a closed beta. Contact your account team if you are interested in BOLA attack detection for your API. From 5ec1b6b7625170f21113fe8649a1c6b353a627bc Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Fri, 25 Apr 2025 08:12:26 -0700 Subject: [PATCH 2/3] limitation --- .../docs/api-shield/security/bola-attack-detection.mdx | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/src/content/docs/api-shield/security/bola-attack-detection.mdx b/src/content/docs/api-shield/security/bola-attack-detection.mdx index 5a8d11a005cfe20..4fd231580f5ed26 100644 --- a/src/content/docs/api-shield/security/bola-attack-detection.mdx +++ b/src/content/docs/api-shield/security/bola-attack-detection.mdx @@ -60,3 +60,7 @@ If you see one of these labels on your API endpoints, check its authorization po ## Availability BOLA attack detection is available in a closed beta. Contact your account team if you are interested in BOLA attack detection for your API. + +## Limitations + +The BOLA enumeration label requires an endpoint to have seen at least 10,000 sessions before being eligible for outlier detection. \ No newline at end of file From 51008d4bec87abb8ee70a64bf175d3d6d91433df Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Fri, 25 Apr 2025 13:51:54 -0700 Subject: [PATCH 3/3] feedback --- .../endpoint-labels.mdx | 2 +- .../security/bola-attack-detection.mdx | 16 +++++++--------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx index c4b5937a4fbd2ba..3a617ddc4abc3af 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx 
@@ -71,7 +71,7 @@ Cloudflare automatically runs risk scans every 24 hours on your saved endpoints. `cf-risk-bola-enumeration`: Automatically added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions. -`cf-risk-bola-pollution`: Automatically added when an endpoint experiences successful responses where parameters are found in multiple places in the request. +`cf-risk-bola-pollution`: Automatically added when an endpoint experiences successful responses where parameters are found in multiple places in the request, as opposed to what is expected from the API's schema. :::note Cloudflare will only add authentication labels to endpoints with successful response codes. Refer to the below table for more details. diff --git a/src/content/docs/api-shield/security/bola-attack-detection.mdx b/src/content/docs/api-shield/security/bola-attack-detection.mdx index 4fd231580f5ed26..4d67346f800dd12 100644 --- a/src/content/docs/api-shield/security/bola-attack-detection.mdx +++ b/src/content/docs/api-shield/security/bola-attack-detection.mdx @@ -13,7 +13,7 @@ import { Badge } from "~/components"; A Broken Object Level Authorization (BOLA) attack is where an application or API fails to properly verify if a user has permission to access specific private data. -Bugs in the application or API allow attackers to bypass authorization checks and access sensitive information by manipulating and iterating through object identifiers +Bugs in the application or API allow attackers to bypass authorization checks and access sensitive information by manipulating and iterating through object identifiers. Vulnerabilities can occur at any time, including in the original application's deployment. However, changes or upgrades to authentication and authorization policies can also introduce these bugs. 
@@ -25,10 +25,12 @@ Cloudflare labels endpoints with BOLA risk when we detect two distinct signals c This behavior may be indicative of attackers trying to confuse the API’s authorization system and bypass security controls. -- **Enumeration**: Cloudflare detects anomalies where one or more sessions makes successful requests to any one API endpoint changing variable values out of the norm, trying to get information from the API. +- **Enumeration**: Cloudflare detects anomalies where one or more sessions makes successful requests to any one API endpoint that changes variable values trying to get information from the API. :::note Sessions that have more random behavior or repetition have a higher chance of triggering an alert. + +The BOLA enumeration label requires an endpoint to have seen at least 10,000 sessions before being eligible for outlier detection. ::: ## Examples 
@@ -49,18 +51,14 @@ Sessions that have more random behavior or repetition have a higher chance of tr ## Process -For beta customers, API Shield searches for and highlights BOLA attacks on your APIs. Cloudflare learns visitor traffic patterns over time to know when API access to specific objects is likely a Broken Object Level Authorization enumeration attack. We inform you what API endpoints are being targeted by automatically labeling them using the following risk labels: +For beta customers, API Shield searches for and highlights BOLA attacks on your APIs. Cloudflare learns visitor traffic patterns over time to know when API access to specific objects is likely a BOLA enumeration attack. We inform you what API endpoints are being targeted by automatically labeling them using the following risk labels: `cf-risk-bola-enumeration`: Automatically added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions. -`cf-risk-bola-pollution`: Automatically added when an endpoint experiences successful responses where parameters are found in multiple places in the request. +`cf-risk-bola-pollution`: Automatically added when an endpoint experiences successful responses where parameters are found in multiple places in the request, as opposed to what is expected from the API's schema. If you see one of these labels on your API endpoints, check its authorization policy with your developer team to find any authorization bugs. Additionally, you can reach out to Cloudflare for a customized report about the behavior, including attacker identifiers that you can use to confirm attack reach and impact. ## Availability -BOLA attack detection is available in a closed beta. Contact your account team if you are interested in BOLA attack detection for your API. 
- -## Limitations - -The BOLA enumeration label requires an endpoint to have seen at least 10,000 sessions before being eligible for outlier detection. \ No newline at end of file +BOLA attack detection is available in a closed beta. Contact your account team if you are interested in BOLA attack detection for your API. \ No newline at end of file
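Review bot: In the first hunk of patch 1 (endpoint-labels.mdx), the two new label descriptions are copied verbatim into the `## Process` section of the new bola-attack-detection.mdx, and patch 3 then has to apply the same `cf-risk-bola-pollution` wording change in both files; define each description once (a shared partial, or have the labels page link to the BOLA page) so the two copies cannot drift. Also check the `:::note` directly below the insertion point: it states that only authentication labels are limited to endpoints with successful response codes, while both new risk labels are also described as "successful responses", so the note may need to cover risk labels too.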
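Review bot: In the new-file hunk of patch 1 (bola-attack-detection.mdx), `import { Badge } from "~/components";` is never used anywhere in the file; drop the import or render the component. Smaller points in the same hunk: `**Attacker behavior**:`cardId`` is missing a space after the colon; the two examples use "Attacker behavior" and "Attack behavior" for the same bullet, pick one; and "one or more sessions makes successful requests" should read "one or more sessions make successful requests".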
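Review bot: Patch 2 appends a `## Limitations` section that patch 3 of the same series deletes again (moving the 10,000-session sentence into the `:::note`), so the series adds and removes the same lines; squash patch 2 into patch 3 so reviewers see only the final placement. The hunk also introduces `\ No newline at end of file`; end the file with a newline.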
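Review bot: In the `@@ -25,10 +25,12 @@` hunk of patch 3, the rewritten Enumeration bullet "one or more sessions makes successful requests to any one API endpoint that changes variable values" now attaches "that changes variable values" to the endpoint rather than to the sessions; suggest "one or more sessions make successful requests to a single API endpoint while changing variable values to extract information from the API". Separately, the 10,000-session minimum is a hard eligibility requirement rather than a tip, so burying it as the second paragraph of the `:::note` makes it easy to miss; keep it as its own sentence in the bullet or in a short Limitations subsection.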
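Review bot: In the `@@ -49,18 +51,14 @@` hunk of patch 3, the `## Process` paragraph explains how Cloudflare learns traffic patterns to detect a BOLA enumeration attack but then lists both labels, and nothing in the section says how `cf-risk-bola-pollution` is produced; add a sentence tying the pollution label to the comparison against the API schema that its own description ("as opposed to what is expected from the API's schema") refers to. The hunk also still leaves the file without a trailing newline (`\ No newline at end of file`).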