Broken Object Level Authorization (BOLA) Protection

The term Object is frequently used to represent a collection of data, such as a profile (user name, address, phone, etc.). Access to this Object must be restricted to the user who owns the data: user1 cannot access user2's profile. Broken access control on this Object can lead to a data breach.

Additional access control must be implemented. Simple example: the passenger name on the ID card must match the name printed on the train ticket.

Create User Name Session Variable On Session Creation

In this step, the user name in the access token is extracted and saved to a session variable.

Create an iRule that extracts the user name from session.oauth.scope.last.introspect.username and saves it as the session variable session.custom.uname:

when ACCESS_POLICY_COMPLETED {
    # Take the second dot-separated element of the introspected username
    set uname [lindex [split [ACCESS::session data get "session.oauth.scope.last.introspect.username"] "."] 1]
    log local0.notice "introspect.username=$uname"
    # Store it as a custom session variable for use in the per-request policy
    ACCESS::session data set session.custom.uname $uname
}

Then attach the iRule to virtual server app-1.

_images/301-custom-session-1.png

Add User Check Logic In Policy

Edit the app-1-prp created earlier in Create Per-Request Policy Profile for Resource Server.

  1. Add a new process by clicking the plus (+) sign after the allow output of the Scope Check process box, and add General Purpose > Empty item

    _images/301-user-check-1.png
  2. Set User Check as the new process name

    _images/301-user-check-2.png
  3. Open the Branch Rules tab. Click Add Branch Rule and give it the name “ok”.

    _images/301-user-check-3.png

    Click “change”

    _images/301-user-check-4.png

    Open the “Advanced” tab to edit the branch expression and enter the following expression:

    expr {[mcget {session.custom.uname}] equals [mcget {request.query.u}]}
    

    This expression implements the user match between the HTTP request and the access token: the user name stored in the session (session.custom.uname, taken from the token) must equal the u query parameter of the request (request.query.u).

    _images/301-user-check-5.png _images/301-user-check-6.png
  4. Change the flow Endings

    _images/301-user-check-7.png
  5. This is the final policy flow

    _images/301-user-check-8.png

Testing The Configuration

  1. Get a new access token, logging in as the admin user

    _images/302-test-ucheck-1.png
  2. Try to access using the admin user: https://10.1.10.102/headers?u=admin

    _images/302-test-ucheck-4.png

    The response is HTTP 200, with many request parameters displayed back

  3. Change admin to the operator user: https://10.1.10.102/headers?u=operator

    _images/302-test-ucheck-5.png

    The response is HTTP 403 Forbidden, because the access token was issued for the admin user
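The user check built above (the iRule's user name extraction plus the branch expression in step 3 of the policy), modelled in Python as an added example that is not part of the original lab or of BIG-IP APM. The token usernames are constructed as `<prefix>.<user>`, matching the iRule taking the second dot-separated element; this is an assumption about the lab's token format. The model also denies when either side is empty or when `u` is supplied more than once, a conservative choice added here rather than behaviour taken from the page.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: what session.oauth.scope.last.introspect.username
# is assumed to hold for each user in this lab.
INTROSPECT_USERNAME = {
    "admin": "lab.admin",
    "operator": "lab.operator",
}


def extract_uname(introspect_username: str) -> str:
    """Mirror of the iRule: split on '.' and take element 1.

    Tcl's lindex returns '' for an out-of-range index, so a value
    without a dot yields an empty session.custom.uname here as well.
    """
    parts = introspect_username.split(".")
    return parts[1] if len(parts) > 1 else ""


def user_check(session_uname: str, request_url: str) -> int:
    """Model of the User Check branch: 200 on the 'ok' branch, else 403.

    Equivalent to: expr {[mcget {session.custom.uname}] equals
                         [mcget {request.query.u}]}
    plus two defensive additions (empty values and repeated 'u' deny).
    """
    values = parse_qs(urlparse(request_url).query).get("u", [])
    if len(values) != 1:          # missing or repeated u: deny (added hardening)
        return 403
    requested = values[0]
    if not session_uname:         # no user name extracted from the token: deny
        return 403
    return 200 if session_uname == requested else 403


def run_lab_test(token_user: str, request_url: str) -> int:
    """End-to-end: token issued for token_user, request for request_url."""
    uname = extract_uname(INTROSPECT_USERNAME[token_user])
    return user_check(uname, request_url)


if __name__ == "__main__":
    # The two requests from the test section, token issued for admin.
    print(run_lab_test("admin", "https://10.1.10.102/headers?u=admin"))     # 200
    print(run_lab_test("admin", "https://10.1.10.102/headers?u=operator"))  # 403
```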