Fix BOLA (Broken Object Level Authorization) in CherryPy

BOLA (Broken Object Level Authorization) is the most exploited API vulnerability. In CherryPy, it appears when you expose a resource ID in a URL and fetch the object without verifying whether the authenticated user is allowed to access it. If your app relies solely on IDs supplied by the client, you're wide open to IDOR attacks. As a researcher, my goal is to ensure that every object access is scoped strictly to the session-authenticated identity.

The Vulnerable Pattern

```python
import cherrypy


class UserProfile:
    @cherrypy.expose
    @cherrypy.tools.json_out()
    def get_profile(self, profile_id):
        # VULNERABLE: profile_id is taken directly from the URL.
        # No check is performed to see if the logged-in user owns this profile.
        # `db` is the application's DB-API connection (not shown on the page).
        profile = db.execute('SELECT * FROM profiles WHERE id = %s', (profile_id,)).fetchone()
        return profile
```

The Secure Implementation

The fix involves two critical steps. First, identify the requester from server-side session data (cherrypy.session); never trust a user_id sent in the request body or URL. Second, enforce authorization at the database layer by adding the owner_id to your WHERE clause. If the query returns no results, either the object doesn't exist or the user doesn't own it; in both cases return a 404 Not Found, so that an attacker cannot use the difference between "missing" and "forbidden" to enumerate valid IDs or learn that another user's data exists.

```python
import cherrypy


class UserProfile:
    @cherrypy.expose
    @cherrypy.tools.json_out()
    def get_profile(self, profile_id):
        # SECURE: Retrieve the authenticated user's ID from the session
        current_user_id = cherrypy.session.get('user_id')
        if not current_user_id:
            raise cherrypy.HTTPError(401, 'Unauthorized')

        # SECURE: Bind the query to both the resource ID AND the owner ID
        # (`db` is the application's DB-API connection, not shown on the page)
        profile = db.execute(
            'SELECT * FROM profiles WHERE id = %s AND owner_id = %s',
            (profile_id, current_user_id)
        ).fetchone()

        if not profile:
            # Return 404 to avoid revealing the existence of other users' data
            raise cherrypy.HTTPError(404, 'Profile not found')

        return profile
```
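To see the two patterns side by side on real rows, here is an added, runnable example (not code from the page or from CherryPy) that reproduces the handler logic without the framework: an in-memory sqlite3 database stands in for `db` (so placeholders are `?` rather than `%s`), a plain dict stands in for cherrypy.session, and the handler returns an HTTP status instead of raising `HTTPError`. It also rejects a non-integer `profile_id` before querying, a check the page's code does not include.

```python
import sqlite3
from typing import Any, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's `db` (sqlite3, `?` placeholders)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, bio TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?, ?)",
                   [(1, 100, "alice's profile"), (2, 200, "bob's profile")])
    return db


def get_profile_vulnerable(db, profile_id: Any) -> Optional[dict]:
    """The page's BOLA pattern: the client-supplied id is the only scope."""
    row = db.execute("SELECT * FROM profiles WHERE id = ?", (profile_id,)).fetchone()
    return dict(row) if row else None


def get_profile_scoped(db, profile_id: Any, owner_id: int) -> Optional[dict]:
    """Owner-scoped lookup: None for both 'absent' and 'owned by someone else'."""
    try:
        pid = int(profile_id)  # URL parameters arrive as strings; reject junk first
    except (TypeError, ValueError):
        return None
    row = db.execute("SELECT * FROM profiles WHERE id = ? AND owner_id = ?",
                     (pid, owner_id)).fetchone()
    return dict(row) if row else None


def handle_get_profile(db, session: dict, profile_id: Any) -> tuple:
    """Page's secure handler minus CherryPy; `session` stands in for cherrypy.session."""
    current_user_id = session.get("user_id")  # identity never comes from the URL
    if not current_user_id:
        return 401, None
    profile = get_profile_scoped(db, profile_id, current_user_id)
    if profile is None:
        return 404, None  # "missing" and "not yours" collapse into one answer
    return 200, profile


if __name__ == "__main__":
    db = make_db()
    # User 100 (alice) asks for profile 2, which belongs to user 200 (bob):
    print(get_profile_vulnerable(db, "2"))                # bob's row leaks
    print(handle_get_profile(db, {"user_id": 100}, "2"))  # (404, None)
```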

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.