Skip to content

BOLA protection

The BOLA protection section of the Wallarm Console UI enables you to configure mitigation of BOLA (IDOR) attacks targeted at the API endpoints explored by the API Discovery module.

This section is available under the following conditions:

  • The API Discovery module is enabled
  • The user role is either Administrator or Global Administrator

    The section is also availabe in read-only mode for Analysts and Global Analysts.

Variations of BOLA mitigation

BOLA mitigation is available in the following variations:

  • Automated mitigation for the endpoints explored by the API Discovery module (the UI for configuration is covered in this article)
  • Mitigation for any endpoints protected by the Wallarm nodes - this option is configured manually via the corresponding trigger

Find more details in the general instructions on BOLA (IDOR) protection.

Configuring automated BOLA protection

For Wallarm to analyze endpoints explored by the API Discovery module for BOLA vulnerabilities and protect those that are at risk, turn the switch to the enabled state.

BOLA trigger

Then you can fine-tune the default Wallarm behavior by editing the BOLA autodetection template as follows:

  • Change the threshold for requests from the same IP to be marked as the BOLA attacks.

  • Change the reaction when exceeding threshold:

    • Denylist IP - Wallarm will denylist the IPs of the BOLA attack source and thus block all traffic these IPs produce.
    • Graylist IP - Wallarm will graylist the IPs of the BOLA attack source and thus block only malicious requests from these IPs and only if the filtering node is in the safe blocking mode.

BOLA trigger

Automated BOLA protection logic

Once BOLA protection is enabled, Wallarm:

  1. Identifies API endpoints that are most likely to be the target of BOLA attacks, e.g. those with variability in path parameters: domain.com/path1/path2/path3/{variative_path4}.

    This stage takes a period of time

    Identification of vulnerable API endpoints takes a period of time required for deep observation of discovered API inventory and incoming traffic trends.

    Only API endpoints explored by the API Discovery module are protected against BOLA attacks in the automated way. Protected endpoints are highlighted with the corresponding icon.

  2. Protects vulnerable API endpoints against BOLA attacks. The default protection logic is the following:

    • Requests to a vulnerable endpoint exceeding the 180 requests threshold from the same IP per minute are considered BOLA attacks.
    • Only register BOLA attacks in the event list when the threshold of requests from the same IP is reached. Wallarm does not block BOLA attacks. Requests will keep going to your applications.

      The corresponding reaction in the autoprotection template is Only register attacks.

  3. Reacts to changes in API by protecting new vulnerable endpoints and disabling protection for removed endpoints.

Disabling automated BOLA protection

To disable automated BOLA protection, turn the switch to the disabled state in the BOLA protection section.

Once your API Discovery subscription is expired, automated BOLA protection is disabled automatically.