Glossary

What Is BOLA?

BOLA (Broken Object-Level Authorization) is the #1 OWASP API Security Top-10 risk. It occurs when an application checks that the user is authenticated but fails to verify that they own (or can access) the specific resource they're requesting. The classic shape: GET /api/users/123 returns user 123's data, but with a valid auth token for user 456 the same request still works.

Why BOLA is so common

Authorization at the object level requires resource-aware checks — the application must know that resource 123 belongs to user A and reject access from user B. Authentication frameworks handle "is this a logged-in user" cleanly, but resource ownership is application-specific. Developers often defer this check to the database query (filter by user_id) and forget the explicit guard in the controller. When the query later changes, the implicit protection disappears.

How SQUR detects BOLA

The exploitation planner creates two authenticated sessions in different user contexts during scope intake. For every endpoint that accepts a resource identifier (path parameter or query string), the validator constructs a follow-up request from session B against session A's resource and confirms whether the response leaks data. If it does, the finding ships with both the unauthorised request and the leaked data (redacted).

Remediation pattern

Add an explicit ownership check in every controller that accepts a resource identifier: if (resource.owner_id != current_user.id) return 403. Use ABAC/RBAC libraries that fail closed. Consider opaque resource identifiers (UUIDs over sequential IDs) as defence-in-depth — not a fix on its own.
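The vulnerable and hardened controller shapes side by side, plus a mirror of the two-session check described above. This is an added example, not SQUR's own code; it assumes a constructed in-memory profile store and a hypothetical `(status, body)` handler convention in place of a real web framework.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int


@dataclass
class Profile:
    id: int
    owner_id: int
    email: str


# Constructed in-memory store standing in for the database.
PROFILES = {
    123: Profile(id=123, owner_id=123, email="a@example.com"),
    456: Profile(id=456, owner_id=456, email="b@example.com"),
}


def get_profile_vulnerable(current_user: Optional[User], profile_id: int):
    """BOLA-prone handler: checks authentication only, never ownership."""
    if current_user is None:
        return 401, None
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, None
    return 200, {"id": profile.id, "email": profile.email}


def get_profile_hardened(current_user: Optional[User], profile_id: int):
    """Same handler with the explicit object-level ownership guard."""
    if current_user is None:
        return 401, None
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, None
    if profile.owner_id != current_user.id:
        return 403, None  # fail closed: caller is not the owner
    return 200, {"id": profile.id, "email": profile.email}


def cross_session_check(handler, session_a: User, session_b: User, resource_id: int) -> bool:
    """Two-session test: True if session B receives session A's resource."""
    status_a, body_a = handler(session_a, resource_id)
    status_b, body_b = handler(session_b, resource_id)
    return status_a == 200 and status_b == 200 and body_b == body_a
```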

Frequently asked questions

Is BOLA the same as IDOR?

IDOR (Insecure Direct Object Reference) is the older, broader term; BOLA is the OWASP API Top-10 specific framing. In practice they describe the same root cause: missing authorization at the object level. Use BOLA in API contexts and IDOR for legacy web apps.

What's the typical CVSS impact?

It varies with what data leaks. Account-takeover-class BOLA (changing another user's password via a missing ownership check) is CVSS 9.x critical. Data-disclosure BOLA (reading another user's profile) is typically 7-8 high. BOLA is trivially exploitable and scales to mass enumeration, so the impact compounds.

Related terms

IDOR
Penetration Testing
Privilege Escalation
Mass Assignment
CVSS Score
