Broken Object Level Authorization (BOLA)

Broken Object Level Authorization (BOLA) is an API vulnerability in which the server authenticates the caller but never verifies that the caller is authorized to access or modify the specific object named in the request. Because the object identifier comes from the client, an attacker can substitute other users' identifiers and read or change their data. BOLA is ranked first in the OWASP API Security Top 10 and is the API-focused name for what web application testers have long called Insecure Direct Object Reference (IDOR).

How It Works

APIs routinely expose endpoints that take an object ID as a path parameter, query parameter, or request-body field. If the handler looks the object up by that ID alone, without also checking that the authenticated user owns it or has a role that permits access, an attacker can walk through IDs and retrieve resources belonging to other users. The defect is a missing authorization check, not a missing authentication check: the token is valid, so the request is accepted, but nothing ties the referenced object to the caller.

Vulnerable Example

# User requests their own order
GET /api/orders/1001
Authorization: Bearer user_token

# Response contains user's order
{"id": 1001, "user_id": 42, "total": 99.99, "items": [...]}

# Attacker changes order ID
GET /api/orders/1002
Authorization: Bearer user_token

# API returns another user's order (BOLA vulnerability!)
{"id": 1002, "user_id": 43, "total": 500.00, "items": [...]}

Attack Techniques

  • Sequential ID enumeration (1001, 1002, 1003...), trivial when identifiers are auto-incrementing integers
  • Harvesting GUIDs/UUIDs leaked elsewhere (other API responses, shared links, logs); random UUIDs are rarely guessable, but version 1 UUIDs are time-based and partly predictable
  • Replacing IDs nested inside request bodies or related resources (e.g. the customer or address reference attached to an order), which are often checked less carefully than the top-level path ID
  • Trying the same ID across HTTP methods: a GET may be scoped to the caller while the PUT or DELETE handler for the same resource is not

Affected Operations

  • Read: View other users' data
  • Update: Modify other users' records
  • Delete: Remove other users' resources

Prevention

  • Resolve every object through the authenticated caller's scope on the server (e.g. WHERE id = ? AND owner_id = ?) so a foreign ID simply finds nothing; never rely on client-supplied user IDs for this
  • Centralize the check in one authorization layer instead of repeating it in each handler, and return 404 rather than 403 for objects outside the caller's scope so the response does not confirm that the ID exists
  • Use random identifiers (UUIDv4) to make enumeration harder, but treat this as defence in depth only; unpredictability is not authorization
  • Enforce row-level security in the database so a missed check in one code path does not expose other tenants' rows
  • Log object access and alert when one principal touches many distinct object IDs, or produces a burst of 403/404 responses, in a short window
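
The handler pattern described above, as an added example that is not part of the original page: a minimal order API backed by an in-memory SQLite table, with the BOLA-vulnerable lookup beside the ownership-scoped one, and the sequential-enumeration probe from the attack techniques section run against each. The table layout, the Session type standing in for a validated bearer token, and all sample rows are invented for illustration.

```python
"""
Added example (not from the original page): BOLA-vulnerable vs. ownership-scoped
handlers for /api/orders/{id}, plus the enumeration probe an attacker or tester
would run. Schema, Session type and sample data are constructed for this demo.
"""
import sqlite3
from dataclasses import dataclass


def build_db() -> sqlite3.Connection:
    """Constructed sample data: four orders owned by three different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1001, 42, 99.99), (1002, 43, 500.00), (1003, 42, 12.50), (1004, 44, 75.00)],
    )
    conn.commit()
    return conn


@dataclass(frozen=True)
class Session:
    """What the server derives from a validated bearer token: the caller's identity."""
    user_id: int


class NotFound(Exception):
    """Maps to HTTP 404; used for both missing and out-of-scope objects."""


def get_order_vulnerable(conn: sqlite3.Connection, session: Session, order_id: int) -> dict:
    # Authentication happened (we have a Session), but the lookup ignores it:
    # any valid user can fetch any order by changing the id. This is BOLA.
    row = conn.execute(
        "SELECT id, user_id, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    if row is None:
        raise NotFound
    return {"id": row[0], "user_id": row[1], "total": row[2]}


def get_order(conn: sqlite3.Connection, session: Session, order_id: int) -> dict:
    # Ownership is part of the predicate. A foreign id finds no row, and we
    # report 404 rather than 403 so the response does not confirm existence.
    row = conn.execute(
        "SELECT id, user_id, total FROM orders WHERE id = ? AND user_id = ?",
        (order_id, session.user_id),
    ).fetchone()
    if row is None:
        raise NotFound
    return {"id": row[0], "user_id": row[1], "total": row[2]}


def delete_order(conn: sqlite3.Connection, session: Session, order_id: int) -> bool:
    # Same pattern for writes: the DELETE carries the ownership check, and
    # rowcount tells us whether anything was actually removed.
    cur = conn.execute(
        "DELETE FROM orders WHERE id = ? AND user_id = ?", (order_id, session.user_id)
    )
    conn.commit()
    return cur.rowcount == 1


def enumerate_foreign_orders(handler, conn: sqlite3.Connection, session: Session, id_range) -> list:
    """Attacker/tester view: walk ids with one user's session and return the ids
    that came back belonging to someone else."""
    leaked = []
    for oid in id_range:
        try:
            order = handler(conn, session, oid)
        except NotFound:
            continue
        if order["user_id"] != session.user_id:
            leaked.append(oid)
    return leaked


if __name__ == "__main__":
    db = build_db()
    alice = Session(user_id=42)
    print("vulnerable handler leaks:", enumerate_foreign_orders(get_order_vulnerable, db, alice, range(1000, 1010)))
    print("scoped handler leaks:    ", enumerate_foreign_orders(get_order, db, alice, range(1000, 1010)))
```

Run stand-alone, the vulnerable handler hands user 42 the orders of users 43 and 44, while the scoped handler yields nothing foreign. Note that the fix is the extra predicate on the caller's identity, not a 403 check bolted on after the fetch; putting ownership into the query means a forgotten check in a new code path fails closed.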

See Also