BOLA: Error accessing vehicle that I should have access to
API1:2023 Broken Object Level Authorization
Step 2: The secure way
After setting Postman's environment to Secure, I was able to successfully authenticate against the Custom Authorization Server and generate the bearer_token using the OAuth 2.0 protocol. Then, I pasted the bearer_token into the variable of the same name.
When I try to enumerate getting a vehicle from http://localhost:9091/api/v1/vehicles/{vehicle_id}, e.g. http://localhost:9091/api/v1/vehicles/1, I get the following error:
{
  "timestamp": "2025-08-10T19:03:03.765+00:00",
  "status": 400,
  "error": "Bad Request",
  "message": "Method parameter 'vehicleIdentifier': Failed to convert value of type 'java.lang.String' to required type 'java.util.UUID'; Invalid UUID string: 1",
  "path": "/api/v1/vehicles/1"
}
I get the same error with vehicles 2 and 3.