Foundations Lab  · On-demand

API1:2023 Demonstrating BOLA Exploitation in crAPI

Solution overview

In this hands-on lab, you will explore the exploitation of Broken Object Level Authorization (BOLA) vulnerabilities within the crAPI application. This exercise is designed to provide practical experience in identifying and manipulating API requests to gain unauthorized access to data. Using tools such as Burp Suite, Postman, and FoxyProxy, you will intercept and alter API calls to demonstrate the impact of BOLA vulnerabilities.

The lab will guide you through:

1. Setting up your environment with Burp Suite and FoxyProxy.

2. Registering a new user and adding a vehicle in crAPI.

3. Intercepting and analyzing API calls.

4. Using Burp Suite's Intruder module to perform a fuzzing attack.

5. Demonstrating unauthorized access to other users' data.

Refer to the video tutorial in the next section for a detailed workflow.

Lab diagram