Broken Object Level Authorization (BOLA) is one of the most common vulnerabilities in modern APIs. Despite being well-documented in OWASP API Top 10, it still regularly appears in production systems.
This article explains how BOLA manifests in practice, what makes it dangerous, and why it is often missed during development and testing.
What Is Broken Object Level Authorization
BOLA Occurs When
- An API correctly authenticates a user
- But fails to verify whether that user is allowed to access a specific object
The core issue is not authentication. The issue is missing or incorrect authorization at the object level.
What Is an Object?
- User profile — Personal information and settings
- Order — Purchase history and transactions
- Database record — Any stored data entry
- Resource with ID — Any resource identified by an identifier
Typical API Architecture Where BOLA Appears
Most APIs follow a familiar pattern:
- User authentication via JWT or similar mechanisms
- Multiple endpoints working with object identifiers
- Centralized authentication middleware
In many cases, authentication is enforced globally, but authorization logic is either incomplete or inconsistent across endpoints.
This creates a false sense of security: "The endpoint is protected, so it must be safe." That assumption is often wrong.
How BOLA Manifests in Practice
In real systems, a BOLA vulnerability typically looks like this:
User Authenticated
A user is properly authenticated with valid credentials
Valid Token
A valid token is present in the request
Object Endpoint
The request targets an object-based endpoint
No Authorization Check
No ownership or permission check is performed
As a result, the API may return data belonging to a different user or entity. From a technical perspective, the request is valid. From a security perspective, this is a clear authorization failure.
Why BOLA Is Especially Dangerous
Unauthorized Access
Access to sensitive data without permission
Privilege Escalation
Horizontal privilege escalation attacks
Data Enumeration
Large-scale data enumeration and extraction
Compliance Violations
GDPR, SOC2, ISO 27001 violations
Critical Problem
- Automated scanners often do not detect BOLA
- Basic authentication tests pass
- Issues remain hidden until exploited
Common Reasons BOLA Slips Into Production
Root Causes
- False Assumption — Assuming authentication equals authorization
- Code Reuse — Reusing generic data-access logic without authorization checks
- Missing Reviews — Missing security reviews on object-based endpoints
- Incomplete Testing — Lack of negative test cases for authorization
These are process failures, not exotic bugs.
How BOLA Should Be Prevented
Effective Protection
- Explicit Checks — Explicit ownership checks on every object access
- Consistent Logic — Consistent authorization logic across all object-based endpoints
- Clear Separation — Clear separation between authentication and authorization
- Negative Testing — Testing authorization failures, not only success cases
Simply validating a token is not enough.
Conclusion
Broken Object Level Authorization is simple in concept but severe in impact.
It emerges not from complex exploits, but from missing checks in otherwise "working" APIs.
Understanding where object-level authorization must occur is critical for anyone building, testing, or securing APIs.
This topic is best understood through hands-on practice in controlled environments, rather than static examples or theoretical descriptions.
New to BOLA? Start with our beginner-friendly article What is BOLA? Broken Object Level Authorization Explained in Simple Terms to understand the concept before diving into real-world examples.