Palo Alto Networks has been actively researching and developing security capabilities using AI. In an effort to audit web applications for Broken Object-Level Authorization (BOLA) vulnerabilities, Unit 42 researchers developed an automated BOLA detection tool leveraging GenAI.
In 2023, we used our tool to test an open-source project, Easy!Appointments, and found 15 BOLA vulnerabilities. We notified the vendor, who has since patched the vulnerabilities. The number of issues we found highlights the prevalence of BOLA vulnerabilities in API applications and underscores the importance of continuously scrutinizing software for these potentially severe issues.
Easy!Appointments is a popular tool used for scheduling and managing appointments, as well as synchronizing data with widely used calendar services. The vulnerabilities we discovered allow low-privileged, logged-in users (such as customers) to view and manipulate appointments created by more privileged users (such as providers and admins).
The vulnerabilities we discovered, tracked as CVE-2023-3285 to CVE-2023-3290 and CVE-2023-38047 to CVE-2023-38055, all affect different API endpoints. They have been assigned CVSS scores ranging from 5 to 9.9, with seven vulnerabilities scoring 9.9.
Upon discovering these vulnerabilities, we collaborated closely with the maintainers to patch all the issues in the latest version 1.5.0. To mitigate the risks, organizations are advised to upgrade to Easy!Appointments version 1.5.0 or later immediately. Please reach out to [email protected] for more information on updating to the latest version.
Cortex Xpanse and Cortex XSIAM customers with the ASM module are able to detect all exposed Easy!Appointments instances as well as known insecure instances via targeted attack surface rules.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Broken object-level authorization (BOLA), also known as insecure direct object reference (IDOR), is a prevalent type of vulnerability in modern APIs and web applications. It is ranked as the top risk in the OWASP API Security Top 10 and the fourth most reported vulnerability type in the HackerOne Global Top 10.
As explained in another recent article on a BOLA vulnerability, BOLA occurs when an application fails to properly check if a user has the necessary permissions to access, modify or delete an object. The term object in this context refers to various types of data within a system, examples of which include messages, photos, trips, user profiles and invoices.
Attackers can exploit BOLA vulnerabilities in API endpoints by altering object identifiers within requests. Such manipulations can lead to unauthorized access to user data, resulting in data leaks, manipulation of data or even complete account takeovers.
Finding a BOLA by hand is generally straightforward: a tester replays a request against an object identifier that belongs to another user and checks whether the server still serves it. Automating that search is much harder. Testing for BOLA has historically been performed manually because a test must understand each application's workflow and business logic, and because modern web applications are stateful, so the application has to be driven into the right state before a request is meaningful.
Researchers at Palo Alto Networks are actively developing new technology that leverages AI to automate the detection of BOLA vulnerabilities. We run this AI-based detection internally, which lets us test new advances daily.
Our most recent disclosed vulnerability was CVE-2024-1313, a BOLA vulnerability in Grafana, an open-source project with over 20 million users.
Easy!Appointments is an open-source web application designed for scheduling appointments. It is highly customizable, allowing integration with existing websites and synchronization with Google Calendar and CalDAV servers.
The software is free and supports commercial use, targeting professional users through premium services. It is popular among large organizations and a committed developer community maintains it.
Easy!Appointments features a permissions system with four user roles: admin, provider, secretary and customer. Every role except admin is considered low-privileged.
This section outlines the 15 vulnerable API paths uncovered in our research. Most of these vulnerabilities are exploitable only through the REST API, not through the web UI. Each path may be vulnerable on one or more HTTP methods, such as GET, POST, PUT and DELETE.
The backend does not check whether the authenticated caller is authorized for the specific object it requests, which makes most API endpoints vulnerable to BOLA. Among the 15 CVEs identified, nine are rated as Critical severity (CVSS 9.0 or higher), five as High severity (CVSS 7.0 to 8.9), and one as Medium severity (CVSS 4.0 to 6.9).
CVE-2023-38049
To illustrate the issue that underpins the vulnerabilities we identified, let's look at CVE-2023-38049 as an example. A user with the secretary role could exploit the vulnerability to modify an arbitrary user's appointment. According to the official documentation, the secretary role is intended to perform organizational tasks only for their assigned providers.
In particular, a malicious secretary could perform GET, PUT and DELETE operations on the API path /appointments/{appointmentId} to read, modify or delete another user's appointment. It is important to note that these operations cannot be performed by a secretary through the user interface. They can only be executed via API calls. This results in a discrepancy between the API and UI behavior: the UI is not a security boundary, and the authorization check must be enforced server-side on every method of the endpoint.
We created an admin user and used it to create an appointment with appointment_id equal to 1. Figure 1 shows the response to the GET /appointments/1 request, which includes information such as the following:
This data is sensitive and should only be accessible to the user who created the meeting.
We then used a low-privileged secretary user to manipulate the appointment created by the admin user through the vulnerable endpoint, PUT /appointments/{appointmentId}. Figure 2 shows the HTTP requests sent with the secretary user.
Figure 3 shows the appointment being modified with different start and end times, location, and identities of the provider and customer. Despite these changes, the appointment hash remained unchanged, giving the false impression that the original appointment was not altered.
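The following is an added example, not code from Easy!Appointments or from Unit 42. It models the /appointments/{appointmentId} endpoint as an in-memory Python class with a switch between the missing object-level check described above for CVE-2023-38049 and the hardened version, and it includes the cross-user probe that an automated BOLA test performs (the manual replay described in the BOLA definition earlier). The role names follow the article; the field names, the ownership rule in `_owns`, the sample appointment data and the 403 status for a denied object are assumptions made for illustration.

```python
# Added example (not Easy!Appointments or Unit 42 code): an in-memory model of
# /appointments/{appointmentId} with the missing object-level check beside the
# fixed version, plus the cross-user probe an automated BOLA test performs.
# Field names, the ownership rule and the 403 status are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    id: int
    role: str                                    # admin | provider | secretary | customer
    assigned_providers: frozenset = frozenset()  # secretaries act only for these providers


@dataclass
class Appointment:
    id: int
    id_users_provider: int
    id_users_customer: int
    start_datetime: str
    end_datetime: str
    hash: str                                    # booking hash; a PUT leaves it unchanged


class AppointmentsApi:
    """strict=False reproduces the BOLA (any logged-in session passes);
    strict=True adds the per-object authorization that was missing."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self._store: Dict[int, Appointment] = {}
        self._next_id = 1

    def create(self, caller: User, provider_id: int, customer_id: int, start: str, end: str) -> int:
        appt = Appointment(self._next_id, provider_id, customer_id, start, end, f"h{self._next_id:04d}")
        self._store[appt.id] = appt
        self._next_id += 1
        return appt.id

    @staticmethod
    def _owns(caller: User, appt: Appointment) -> bool:
        # Assumed ownership rule, not the project's exact policy.
        return (caller.role == "admin"
                or (caller.role == "provider" and appt.id_users_provider == caller.id)
                or (caller.role == "secretary" and appt.id_users_provider in caller.assigned_providers)
                or (caller.role == "customer" and appt.id_users_customer == caller.id))

    def _lookup(self, caller: Optional[User], appt_id: int) -> Tuple[int, Optional[Appointment]]:
        if caller is None:                                 # authentication: both variants
            return 401, None
        appt = self._store.get(appt_id)
        if appt is None:
            return 404, None
        if self.strict and not self._owns(caller, appt):   # authorization: fix only
            return 403, None
        return 200, appt

    def get(self, caller: Optional[User], appt_id: int) -> Tuple[int, Optional[Appointment]]:
        return self._lookup(caller, appt_id)

    def put(self, caller: Optional[User], appt_id: int, **changes) -> int:
        status, appt = self._lookup(caller, appt_id)
        if status == 200:
            for name, value in changes.items():
                setattr(appt, name, value)                 # hash is never rewritten
        return status

    def delete(self, caller: Optional[User], appt_id: int) -> int:
        status, _ = self._lookup(caller, appt_id)
        if status == 200:
            del self._store[appt_id]
        return status


def bola_probe(api: AppointmentsApi, non_owners: List[User], appt_id: int) -> List[Tuple[str, int]]:
    """Differential test: replay a write to an object another user created under
    each non-owner session and return every identity the server accepts."""
    return [(u.role, u.id) for u in non_owners
            if api.put(u, appt_id, end_datetime="2023-07-01 13:00:00") == 200]


def demo() -> Dict[str, dict]:
    # Constructed sample users and appointment; ids and times are illustrative.
    admin, provider, customer = User(1, "admin"), User(2, "provider"), User(4, "customer")
    rogue_secretary = User(3, "secretary", frozenset({5}))   # assigned to provider 5, not 2
    good_secretary = User(6, "secretary", frozenset({2}))
    other_provider, other_customer = User(5, "provider"), User(7, "customer")
    out = {}
    for name, strict in (("vulnerable", False), ("fixed", True)):
        api = AppointmentsApi(strict=strict)
        appt_id = api.create(admin, provider.id, customer.id, "2023-07-01 10:00:00", "2023-07-01 11:00:00")
        hash_before = api.get(admin, appt_id)[1].hash
        out[name] = {
            "rogue_secretary_put": api.put(rogue_secretary, appt_id, id_users_provider=5),
            "other_customer_get": api.get(other_customer, appt_id)[0],
            "good_secretary_get": api.get(good_secretary, appt_id)[0],
            "owner_customer_get": api.get(customer, appt_id)[0],
            "probe": bola_probe(api, [rogue_secretary, other_provider, other_customer], appt_id),
            "hash_unchanged": api.get(admin, appt_id)[1].hash == hash_before,
        }
    return out
```

Running `demo()` shows the vulnerable variant accepting the rogue secretary's PUT and every probe identity with 200, while the fixed variant returns 403 for all of them yet still serves the assigned secretary and the appointment's own customer. Two design points worth noting: the decision lives in one `_lookup` helper so that GET, PUT and DELETE cannot drift apart, which is exactly the API-versus-UI gap the article describes; and the `hash_unchanged` result confirms that a booking hash is not evidence that an object was left untouched. Whether to return 403 or 404 for a denied object is a policy choice (404 hides whether the identifier exists); this example uses 403 for readability.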
As API usage continues to grow, so does the prevalence of API vulnerabilities, and of BOLA vulnerabilities in particular. This article details the 15 BOLA vulnerabilities Unit 42 researchers discovered in Easy!Appointments using a new automated methodology that leverages AI. Because these vulnerabilities are easy to exploit and their potential impact is severe, we encourage affected organizations to update to the patched version as soon as possible.
Researchers at Unit 42 are committed to fortifying open-source software and innovating technology to discover new vulnerabilities more efficiently and effectively. Palo Alto Networks customers are better protected by our latest research findings and insights.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team or call: