Carding Forum
Professional
How machines search for vulnerabilities better than humans.
Palo Alto Networks is actively developing security technologies using artificial intelligence. In 2023, the company's researchers created an automated tool for detecting BOLA (Broken Object-Level Authorization) vulnerabilities. This tool was applied to the Easy!Appointments open source project, where 15 vulnerabilities were identified.
Easy!Appointments is a popular appointment management and scheduling app that syncs with Google Calendar and CalDAV. The vulnerabilities identified allowed low-privilege users to view and modify appointments created by more privileged users, such as administrators and service providers.
All vulnerabilities classified as CVE-2023-3285 to CVE-2023-3290 and CVE-2023-38047 to CVE-2023-38055 have been fixed in version 1.5.0. Organizations are strongly encouraged to update Easy!Appointments to this version or later.
Among the detected problems: the ability to create and delete privileged users, change system settings, and manage other users' data. For example, the vulnerability CVE-2023-38049 allows a low-privileged user to change or delete appointments created by an administrator.
The vulnerability detection tool is based on the use of artificial intelligence. This allows you to effectively identify BOLA vulnerabilities that are difficult to detect manually due to the complexity of the logic of modern web applications.
BOLA (Broken Object-Level Authorization), also known as IDOR (Insecure Direct Object References), is a common type of vulnerability in modern APIs and web applications. It ranks first in the OWASP API Top 10 risk rating and fourth among the most frequently reported vulnerabilities on the HackerOne platform.
BOLA occurs when the application does not check whether the user has the necessary permissions to access, modify, or delete an object. This can lead to data leaks, changes, or even complete account hijacking.
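The missing check the post describes, shown as an added example (not Easy!Appointments code): a handler that updates an appointment after checking only that the caller is logged in, beside one that also checks the caller's rights to that specific object. Users, roles and appointment data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    role: str  # constructed roles: "admin", "provider" or "customer"

@dataclass
class Appointment:
    id: int
    owner_id: int     # user who created the appointment
    provider_id: int  # provider the appointment is booked with
    notes: str = ""

class Forbidden(Exception):
    pass

# Constructed sample users: an admin, a provider and a low-privilege customer.
USERS = {100: User(100, "admin"), 200: User(200, "provider"), 300: User(300, "customer")}

def make_sample_store() -> dict:
    # Constructed store with one appointment created by the admin (id 100).
    return {1: Appointment(id=1, owner_id=100, provider_id=200, notes="created by admin")}

def update_notes_vulnerable(store: dict, actor: User, appt_id: int, notes: str) -> Appointment:
    # BOLA: the client-supplied id is trusted; any authenticated user can edit any appointment.
    appt = store[appt_id]
    appt.notes = notes
    return appt

def can_modify(actor: User, appt: Appointment) -> bool:
    # Object-level rule: admins may edit anything, providers only their own bookings,
    # everyone else only appointments they created themselves.
    if actor.role == "admin":
        return True
    if actor.role == "provider":
        return appt.provider_id == actor.id
    return appt.owner_id == actor.id

def update_notes_secure(store: dict, actor: User, appt_id: int, notes: str) -> Appointment:
    appt = store.get(appt_id)
    # Same response for a missing object and a forbidden one, so the caller cannot
    # learn which ids exist by probing; the denial is also the event worth logging.
    if appt is None or not can_modify(actor, appt):
        raise Forbidden(f"user {actor.id} may not modify appointment {appt_id}")
    appt.notes = notes
    return appt
```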