2024 Session
Fiesta 9/10
3:45 pm - 4:30 pm, Tuesday, September 24
The Call is Coming From Inside the House: API Abuse by Authenticated Users

Modern cloud-based applications face significant threats from Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).

These vulnerabilities emerge from inadequately tested and undocumented APIs, which are primarily designed for frontend frameworks to manage state synchronization between client devices and application servers.

Attackers exploit these vulnerabilities by reverse-engineering these APIs and manipulating data payloads. This process enables them to uncover authorization flaws, permitting them to use legitimate credentials to access privileged information from unrelated accounts.

Currently, the challenge is exacerbated by AI-driven 'agents.' These programs autonomously interact with applications on users' behalf, increasing the potential for BOLA/BFLA exploitation.

Learning Objectives:

  • At the end of this session, participants will be able to understand the structure of Broken Object Level Authorization (BOLA)/Broken Function Level Authorization (BFLA) exploits and comprehend the potential severity of their impact on applications
  • At the end of this session, participants will be able to apply methods to detect BOLA/BFLA vulnerabilities within their applications and understand how attackers may identify these vulnerabilities to exploit them
  • At the end of this session, participants will be able to demonstrate strategies for monitoring and preventing BOLA/BFLA vulnerabilities in order to enhance the security posture of their applications
Get in touch
Get in touch
Customer Service
For any and all inquiries please click the button below
Speaking Opportunities

Tim Garon
Director, Event Content and Strategy

InfoSec World
Stay Informed
Join our mailing list for the latest news on InfoSec World 2024.