AP 104: Broken Object-Level Access (BOLA) (10 pts extra)

What You Need

To add more requests to the crAPI collection, and find a BOLA (Broken Object-Level Authorization) vulnerability.

Connecting to crAPI

Open Burp. Click the Proxy tab. Click the Intercept tab.

Click the "Intercept is on" button so it changes to "Intercept is off".

Click the "Open Browser" button.

In Burp's browser, go to

https://crAPI.samsclass.info

The crAPI login page opens, as shown below.

Logging In

In Burp's browser, log in to crAPI with any account. If you don't have account credentials handy, click SignUp and create a new account.

You see the "Vehicles Details" page, as shown below.

Reading Your Email

Open this page:

http://crAPId.samsclass.info:18025

Open the email to your address with a subject of "Welcome to crAPI".

Find your VIN and Pincode, as shown below.

Adding a Vehicle

At the top right, click the "+ Add a Vehicle" button.

Enter the VIN and Pincode from your email, and click "Verify Vehicle Details".

Click OK.

The Vehicle Details page opens, as shown below.

Locating your Vehicle

At the bottom of the Vehicle Details page, click the "Refresh Location" button.

The Google Map updates with the location of your vehicle.

In Burp, on the HTTP History tab, find this request:

GET /identity/api/v2/vehicle/e7351296-7939-4c5b-acf0-96f65c7d12c3/location

The long string is the vehicle GUID; yours will be different from the example above.

The location is sensitive data: you should not be allowed to learn the location of a different owner's vehicle.

Right-click this request and click "Send to Repeater".

Posting to the Community

In the Burp browser, at the top, click Community. Click the "New Post" button, and add a new post with any title and comment you choose.

A box pops up saying "Post Created". Click OK.

Examining the Recent Posts Request

In Burp, examine the request:

GET /community/api/v2/community/posts/recent

On the Response tab, scroll down and find another person's vehicleid, outlined in red in the image below.

Getting Another GUID

In Burp, on the Repeater tab, change the vehicleid to the other value, outlined in red in the image below.

Send the request. As shown below, the location of the other person's vehicle is returned, with their name. This is a Broken Object-Level Authorization (BOLA) vulnerability!
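To show what the server side of this bug looks like, and what closes it, here is an added example (not crAPI's own code) that models the /identity/api/v2/vehicle/{guid}/location lookup with a constructed owner table: the vulnerable handler trusts the GUID from the URL, the fixed one checks that the authenticated caller owns the object, and a small detection routine flags cross-owner reads in constructed access-log lines. The e-mail addresses, the second GUID and the log-line format are assumptions.

```python
# Constructed owner table: guid -> (owner_email, owner_name, (lat, lon)).
# The first GUID is the one from the lab; the second is a made-up placeholder.
VEHICLES = {
    "e7351296-7939-4c5b-acf0-96f65c7d12c3": ("alice@example.com", "Alice", (37.77, -122.42)),
    "11111111-2222-3333-4444-555555555555": ("bob@example.com", "Bob", (40.71, -74.00)),
}

class Forbidden(Exception):
    """The caller is authenticated but does not own the object (HTTP 403)."""

def location_vulnerable(caller_email, vehicle_guid):
    """BOLA: only the session is checked; the GUID taken from the URL is
    trusted, so any logged-in user can read any vehicle's location."""
    owner_email, owner_name, loc = VEHICLES[vehicle_guid]
    return {"owner": owner_name, "location": loc}

def location_fixed(caller_email, vehicle_guid):
    """Object-level authorization: resolve the object, then confirm the
    authenticated caller owns it before returning anything about it."""
    record = VEHICLES.get(vehicle_guid)
    if record is None or record[0] != caller_email:
        # Same answer for "no such GUID" and "not yours", so the endpoint
        # does not confirm which GUIDs exist.
        raise Forbidden(vehicle_guid)
    _owner_email, owner_name, loc = record
    return {"owner": owner_name, "location": loc}

# Constructed access-log lines: "<caller_email> GET <path>".
ACCESS_LOG = """\
alice@example.com GET /identity/api/v2/vehicle/e7351296-7939-4c5b-acf0-96f65c7d12c3/location
alice@example.com GET /identity/api/v2/vehicle/11111111-2222-3333-4444-555555555555/location
bob@example.com GET /identity/api/v2/vehicle/11111111-2222-3333-4444-555555555555/location
"""

def cross_owner_reads(log_text):
    """Detection: (caller, guid) pairs where a caller fetched the location of
    a vehicle that the owner table assigns to someone else."""
    hits = []
    for line in log_text.splitlines():
        caller, _method, path = line.split(" ", 2)
        guid = path.split("/")[5]  # /identity/api/v2/vehicle/<guid>/location
        record = VEHICLES.get(guid)
        if record is not None and record[0] != caller:
            hits.append((caller, guid))
    return hits
```

In a real service the ownership lookup belongs in the data layer or an authorization middleware, so that every object route gets it rather than relying on each handler to remember.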

Flag AP 104.1: Message (10 pts)

Send the request. The flag is covered by a green rectangle in the image below.


Hacking APIs

Posted 5-6-22
Flag changed 7-18-23