Broken Object Level Authorization (BOLA)
Broken Object Level Authorization (BOLA) is an API vulnerability where an attacker can access or modify objects belonging to other users by manipulating object identifiers in API requests without proper authorization checks.
BOLA, also known as Insecure Direct Object Reference (IDOR) in the context of APIs, consistently ranks as the number one API security risk in the OWASP API Security Top 10. It occurs when an API endpoint accepts an object identifier from the client (such as a user ID, order number, or document ID) and returns or modifies the corresponding object without verifying that the requesting user is authorized to access it.
For example, if an API endpoint GET /api/users/123/orders returns orders for user 123, a BOLA vulnerability exists if user 456 can change the ID to 123 and retrieve another user's orders. These vulnerabilities are extremely common because modern APIs tend to expose object identifiers in URLs and request bodies, and authorization logic must be implemented for every endpoint individually.
Preventing BOLA requires enforcing authorization at the object level in every API endpoint that accesses resources using client-supplied identifiers. Best practices include deriving ownership from the authenticated user's session context rather than from request parameters, implementing the check in a centralized authorization layer instead of ad hoc per-endpoint code, using unpredictable identifiers like UUIDs instead of sequential integers, writing comprehensive authorization test cases, and logging all access attempts for anomaly detection. Automated API security testing tools can help discover BOLA vulnerabilities by replaying requests with different user contexts.
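The following is an added example, not code from the original page: a minimal, framework-free Python model of the GET /api/users/{id}/orders endpoint described above, showing the BOLA-vulnerable handler beside a hardened one that routes every ownership decision through a single authorize_owner function, records denials for anomaly detection, and a replay-style check that calls a handler under a different user's session. The Order and Session types, the ORDERS table, the AUDIT_LOG list and all identifiers are constructed sample data and assumed names; they do not come from any real service. Note that unpredictable identifiers only make guessing harder; the authorization check is what actually closes the hole.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


@dataclass(frozen=True)
class Session:
    """Server-side session established at login; user_id here is trusted,
    unlike anything that arrives in the URL or request body."""
    user_id: int


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed sample data standing in for the orders table (assumed values).
ORDERS: Dict[int, Order] = {
    1001: Order(1001, owner_id=123, total_cents=4999),
    1002: Order(1002, owner_id=123, total_cents=1250),
    2001: Order(2001, owner_id=456, total_cents=19900),
}

# Denied access attempts are appended here; a real service would ship these to
# its SIEM so repeated cross-user ID probing stands out.
AUDIT_LOG: List[dict] = []


def get_orders_vulnerable(session: Session, user_id: int) -> List[Order]:
    """GET /api/users/{user_id}/orders with the BOLA defect: the handler filters
    by the client-supplied user_id and never consults the session at all."""
    return [o for o in ORDERS.values() if o.owner_id == user_id]


def authorize_owner(session: Session, owner_id: int, resource: str) -> None:
    """Centralized object-level check: the session user must own the resource.
    Every handler calls this instead of re-implementing the comparison."""
    if session.user_id != owner_id:
        AUDIT_LOG.append(
            {"user_id": session.user_id, "resource": resource, "result": "denied"}
        )
        raise Forbidden(f"user {session.user_id} may not access {resource}")


def get_orders_hardened(session: Session, user_id: int) -> List[Order]:
    """Same endpoint, hardened: ownership is checked against the session before
    anything is read, and the query itself is scoped to the session user."""
    authorize_owner(session, user_id, f"users/{user_id}/orders")
    return [o for o in ORDERS.values() if o.owner_id == session.user_id]


def get_order_hardened(session: Session, order_id: int) -> Order:
    """GET /api/orders/{order_id}: the authorization decision comes from the
    stored owner of the object, not from the request. A foreign order is
    reported as NotFound so the response does not confirm the ID exists."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(f"order {order_id} not found")
    try:
        authorize_owner(session, order.owner_id, f"orders/{order_id}")
    except Forbidden:
        raise NotFound(f"order {order_id} not found") from None
    return order


def leaks_cross_user_data(
    handler: Callable[[Session, int], List[Order]],
    victim_id: int = 123,
    attacker_id: int = 456,
) -> bool:
    """Authorization test in the style of the replay tooling the text mentions:
    issue the victim's request under another user's session and report whether
    any object not owned by that user comes back."""
    try:
        result = handler(Session(attacker_id), victim_id)
    except (Forbidden, NotFound):
        return False
    return any(o.owner_id != attacker_id for o in result)


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_cross_user_data(get_orders_vulnerable))
    print("hardened handler leaks:  ", leaks_cross_user_data(get_orders_hardened))
    print("audit log:", AUDIT_LOG)
```

The leaks_cross_user_data check is the kind of test case worth keeping in the suite for every endpoint that takes an identifier, since a refactor that drops the authorize_owner call is otherwise invisible to functional tests. Whether a denied lookup of a single object should answer 403 or 404 is a design choice; the single-order handler above picks 404 so that an enumerating client learns nothing about which identifiers are real, while the denial is still recorded in the audit log.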