Broken Object Level Authorization
Broken Object Level Authorization is a security vulnerability where an API fails to validate that the authenticated user has permission to access or modify the specific object referenced in their request.
Broken Object Level Authorization (BOLA) is consistently ranked as the number one risk in the OWASP API Security Top 10. It occurs when an API endpoint exposes object identifiers (such as database IDs, UUIDs, or filenames) and fails to verify whether the authenticated user is authorized to perform the requested operation on that specific object. This allows attackers to access or modify resources belonging to other users by simply changing the identifier in the request.
This vulnerability is distinct from broken authentication (where the attacker's identity is not verified) and broken function-level authorization (where the attacker accesses administrative functions). BOLA specifically targets the relationship between a user and individual data objects. It is prevalent because developers often implement authentication and role-based access control but forget to check ownership or object-level permissions.
Common exploitation scenarios include changing a numeric ID in a URL path (e.g., /api/invoices/1001 to /api/invoices/1002), modifying UUIDs in request bodies, manipulating query parameters that reference objects, and exploiting GraphQL queries to traverse object relationships. Prevention requires implementing authorization checks for every object access, using the authenticated session context to determine permissions, centralizing authorization logic in middleware or policy engines, using automated testing to verify access controls across all endpoints, and preferring indirect object references that are scoped to the current user's session rather than global identifiers.
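The following is an added example (not code from the original page) that puts the defect described above beside its fix: a handler that trusts the caller's identity but never checks ownership, a hardened handler that authorizes against the session context through one central policy function, and an automated check that exercises every user against every object to flag cross-owner reads. All users, invoice IDs and amounts are constructed sample data.

```python
# Added example (not from the original page): a minimal invoice API showing the
# BOLA defect beside a hardened handler. All data, users and IDs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: str
    amount: int


# Constructed sample data: invoice 1001 belongs to alice, 1002 to bob.
INVOICES = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 990),
}


class Forbidden(Exception):
    """Raised when the caller may not act on the referenced object."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """BOLA: the caller is authenticated, but ownership is never checked,
    so any user can read any invoice by changing the ID."""
    return INVOICES[invoice_id]


def can_access(session_user: str, action: str, invoice: Invoice) -> bool:
    """Centralized object-level policy: the one place that decides access."""
    return invoice.owner_id == session_user


def get_invoice_secure(session_user: str, invoice_id: int) -> Invoice:
    """Hardened handler: look the object up, then authorize it against the
    session context. Missing and not-owned objects get the same error so the
    response does not reveal which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_access(session_user, "read", invoice):
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return invoice


def audit_endpoint(handler) -> list[tuple[str, int]]:
    """Automated access-control test: every known user requests every object
    through `handler`; return the (user, invoice_id) pairs it wrongly served."""
    leaks = []
    for user in sorted({inv.owner_id for inv in INVOICES.values()}):
        for inv_id, inv in INVOICES.items():
            try:
                handler(user, inv_id)
            except (Forbidden, KeyError):
                continue
            if inv.owner_id != user:
                leaks.append((user, inv_id))
    return sorted(leaks)
```

Running `audit_endpoint` against both handlers reports two cross-owner reads for the vulnerable one and none for the hardened one.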