- Lab
-
Libraries: If you want this lab, consider one of these libraries.
- Security
Broken Object Level Authorization (BOLA)
In this lab, you are stepping into the role of an Application Security Engineer tasked with auditing and securing a core microservice for an enterprise platform. The application uses a Spring Boot backend, manages access through JSON Web Tokens (JWTs), and handles individual profile management for standard users. Recently, a routine code review flagged a critical security flaw in how user profiles are accessed and modified. While the backend correctly validates that an incoming request contains a valid JWT, it blindly trusts the identifier (`{id}`) provided in the URL path. It fails to verify whether the authenticated user actually owns or has permission to access that specific resource. This design flaw introduces a classic Broken Object Level Authorization (BOLA) vulnerability, formerly known as an Insecure Direct Object Reference (IDOR). Your objective is to investigate the vulnerability, safely demonstrate how it can be exploited to access and modify another user's data, and implement a remediation that enforces proper ownership validation before access is granted. #### What You'll Learn By the end of this lab, you will be able to identify and exploit a Broken Object Level Authorization (BOLA) vulnerability, understand why authentication alone is insufficient to protect sensitive resources, and implement object-level authorization checks to prevent unauthorized access and modification of user data.
Lab Info
Table of Contents
-
Challenge
Implement a REST controller that exhibits the BOLA vulnerability
In this objective, you will work in a sandboxed environment with no internet access and interact with the application exclusively through the local interface at
127.0.0.1:8080. As you examine the vulnerable API endpoints, you will observe how an attacker can retrieve an entire user object without proper authorization checks. Finally, you will execute a series of tests to expose and validate the Broken Object Level Authorization (BOLA) vulnerability. -
Challenge
Implement a BOLA fix
In this objective, you will work through the steps required to remediate the Broken Object Level Authorization (BOLA) vulnerability. You will examine how the authenticated user's identity can be retrieved from the Spring Security context and how ownership validation checks can be used to restrict access to authorized resources. Finally, you will apply the remediated implementation and retest the application to confirm that the vulnerability has been successfully resolved.
Real skill practice before real-world application
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
Learn by doing
Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.
Follow your guide
All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.
Turn time into mastery
On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.