API1:2023 Demonstrating BOLA Exploitation in crAPI

In this hands-on lab, you will explore the exploitation of Broken Object Level Authorization (BOLA) vulnerabilities within the crAPI application. This exercise is designed to provide practical experience in identifying and manipulating API requests to gain unauthorized access to data. Using tools such as Burp Suite, Postman, and FoxyProxy, you will intercept and alter API calls to demonstrate the impact of BOLA vulnerabilities.

The lab will guide you through:

1. Setting up your environment with Burp Suite and FoxyProxy.

2. Registering a new user and adding a vehicle in crAPI.

3. Intercepting and analyzing API calls.

4. Using Burp Suite's Intruder module to perform a fuzzing attack.

5. Demonstrating unauthorized access to other users' data.

Refer to the video tutorial in the next section for a detailed workflow.

The primary goal of this hands-on lab is to equip participants with the skills and knowledge necessary to identify, exploit and understand Broken Object Level Authorization (BOLA) vulnerabilities within an API context.

1 x Windows Jumpbox (Postman, Burpsuite)

1 x Ubuntu Server (crAPI Application)