2024 Session
Fiesta 9/10
3:45 pm - 4:30 pm, Tuesday, September 24
The Call is Coming From Inside the House: API Abuse by Authenticated Users
About

Modern cloud-based applications face significant threats from Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).

These vulnerabilities emerge from inadequately tested and undocumented APIs, which are primarily designed for frontend frameworks to manage state synchronization between client devices and application servers.

Attackers exploit these vulnerabilities by reverse-engineering these APIs and manipulating data payloads. Doing so uncovers authorization flaws that let them use legitimate credentials to access privileged information belonging to unrelated accounts.

The challenge is now exacerbated by AI-driven 'agents': programs that autonomously interact with applications on users' behalf, which increases the potential for BOLA/BFLA exploitation.
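As an added illustration of the two flaw classes the abstract names (example code written for this page, not material from the session or its speaker), the handlers below model a hypothetical in-memory invoice API: each vulnerable handler sits beside its fixed form, and `cross_account_access` is the kind of two-account probe a test suite can run to catch BOLA/BFLA regressions before deployment.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    role: str  # "user" or "admin"

class Forbidden(Exception):
    """Raised when a handler refuses the caller."""

def sample_store() -> dict:
    """Constructed sample data: each invoice belongs to exactly one owner."""
    return {101: {"owner_id": 1, "amount": 120.0},
            102: {"owner_id": 2, "amount": 980.0}}

def get_invoice_vulnerable(store: dict, caller: User, invoice_id: int) -> dict:
    """BOLA: the caller is authenticated, but nothing ties the requested id to
    the caller, so any logged-in user can read any invoice by changing the id."""
    return store[invoice_id]

def get_invoice_fixed(store: dict, caller: User, invoice_id: int) -> dict:
    """Object-level check: the caller must own the invoice (or be an admin)."""
    invoice = store[invoice_id]
    if invoice["owner_id"] != caller.id and caller.role != "admin":
        raise Forbidden("caller does not own this object")
    return invoice

def delete_invoice_vulnerable(store: dict, caller: User, invoice_id: int) -> None:
    """BFLA: an admin-only function that any authenticated user can reach."""
    store.pop(invoice_id)

def delete_invoice_fixed(store: dict, caller: User, invoice_id: int) -> None:
    """Function-level check: the role gate runs before the action itself."""
    if caller.role != "admin":
        raise Forbidden("admin-only function")
    store.pop(invoice_id)

def cross_account_access(handler, store: dict, caller: User, object_id: int) -> bool:
    """Test-suite probe: True if `caller`, who does not own `object_id`, can
    still drive `handler` against it. Run it with a second, low-privilege
    test account against every object-bearing endpoint."""
    try:
        handler(store, caller, object_id)
        return True
    except Forbidden:
        return False
```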

Learning Objectives:

At the end of this session, participants will be able to:

  • understand the structure of Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) exploits and the potential severity of their impact on applications
  • apply methods to detect BOLA/BFLA vulnerabilities within their applications and understand how attackers may identify these vulnerabilities in order to exploit them
  • demonstrate strategies for monitoring and preventing BOLA/BFLA vulnerabilities in order to enhance the security posture of their applications
InfoSec World