Researchers at Palo Alto Networks have developed a groundbreaking methodology called BOLABuster that harnesses the power of large language models (LLMs) to automate the detection of Broken Object Level Authorization (BOLA) vulnerabilities in APIs. This innovative approach addresses a critical gap in cybersecurity, tackling a class of vulnerabilities that has long eluded traditional automated detection methods.
BOLA, which sits at the top of the OWASP Top 10 API Security Risks, occurs when an API fails to properly validate a user's permission to access, modify, or delete a specific data object. Despite its prevalence and the severe breaches it can cause, BOLA has remained notoriously difficult to detect automatically. Unlike XSS, CSRF, and SQL injection, which often have recognizable patterns, BOLA depends on application-specific logic and stateful interactions, making it a unique challenge for security tools.
[Figure: example of a BOLA vulnerability]
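To make the bug class concrete, the following is an added example (not BOLABuster code, and not the code of any project named in this article) that places a BOLA-vulnerable delete handler beside one that performs the object-level check; the snapshot/organization data model, the class and function names, and the sample records are all assumptions constructed for illustration.

```python
# Added example: a minimal in-memory "snapshots" API showing a BOLA-vulnerable
# handler next to its fixed counterpart. All data here is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    id: int
    org_id: int


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    role: str


# Constructed store: snapshot 2 belongs to a different organization (20)
# than the low-privileged user used in the regression check below (org 10).
SNAPSHOTS = {1: Snapshot(1, org_id=10), 2: Snapshot(2, org_id=20)}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def delete_snapshot_vulnerable(user, snapshot_id, store):
    """BOLA: the caller is authenticated, but the handler never checks that
    the requested snapshot belongs to the caller's organization."""
    if snapshot_id not in store:
        raise NotFound(snapshot_id)
    del store[snapshot_id]
    return True


def delete_snapshot_fixed(user, snapshot_id, store):
    """Object-level authorization: load the object, compare its owner with
    the caller, and only then apply the role check and the state change."""
    snap = store.get(snapshot_id)
    if snap is None or snap.org_id != user.org_id:
        # Same error for "missing" and "not yours" so the endpoint does not
        # reveal which IDs exist in other organizations.
        raise NotFound(snapshot_id)
    if user.role not in ("editor", "admin"):
        raise Forbidden(user.id)
    del store[snapshot_id]
    return True


def cross_org_delete_succeeds(handler):
    """Regression check for the BOLA pattern: a user from org 10 requests
    deletion of a snapshot owned by org 20. Returns True if the cross-org
    delete went through, i.e. the handler is vulnerable."""
    store = dict(SNAPSHOTS)
    alice = User(id=1, org_id=10, role="editor")
    try:
        handler(alice, 2, store)
    except (NotFound, Forbidden):
        return False
    return 2 not in store
```

Running `cross_org_delete_succeeds` against both handlers shows the vulnerable one removing another organization's snapshot while the fixed one refuses, which is the kind of check an automated BOLA test plan ultimately has to generate per endpoint.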
The BOLABuster methodology, developed by Ravid Mazon and Jay Chen of Palo Alto Networks’ Unit 42 team, leverages the advanced reasoning capabilities of LLMs to automate tasks that typically require manual intervention by security experts. The system analyzes API specifications in OpenAPI format to understand application logic, identify endpoint dependencies, generate test scripts, execute tests, and interpret results.
The process involves five key stages:
- Identifying Potentially Vulnerable Endpoints (PVEs)
- Uncovering Endpoint Dependencies
- Generating Execution Paths and Test Plans
- Creating Test Scripts
- Executing Plans and Analyzing Results
By combining AI-driven analysis with heuristics, BOLABuster enables fully automated BOLA detection at scale, a feat previously thought impractical or impossible.
The effectiveness of this new approach has been demonstrated through the discovery of multiple vulnerabilities in popular open-source projects. Notable findings include:
- CVE-2024-1313 in Grafana, allowing low-privileged users to delete dashboard snapshots from other organizations
- CVE-2024-22278 in Harbor, enabling users with Maintainer roles to perform admin-level actions
- 15 vulnerabilities (CVE-2023-3285 to CVE-2023-3290 and CVE-2023-38047 to CVE-2023-38055) in Easy!Appointments, potentially leading to unauthorized access and full system compromise
These discoveries highlight the potential of AI-assisted vulnerability detection in identifying critical security flaws that might otherwise go unnoticed.
The implications of this research extend beyond BOLA detection. The methodology developed by the Palo Alto Networks team could potentially be adapted to identify other types of vulnerabilities, opening new avenues for automated security research. As AI technology continues to advance, similar approaches may enable a range of security initiatives previously considered impractical.
However, the researchers caution that this technology is a double-edged sword. While it empowers defenders to enhance their security measures, adversaries could potentially exploit similar AI-driven techniques to discover zero-day vulnerabilities more rapidly and escalate cyberattacks.
“The concept of fighting AI with AI has never been more relevant,” stated the research team. “It is imperative for the cybersecurity community to remain vigilant and proactive in developing strategies to counteract potential threats posed by AI.”
As the team continues to refine and expand their research, they are proactively hunting for BOLA vulnerabilities in the wild. All discovered vulnerabilities are being responsibly disclosed to the appropriate vendors.
This breakthrough in AI-assisted BOLA vulnerability detection demonstrates the potential for AI to serve as a powerful ally in identifying and mitigating complex security risks.