Question 1

What is Broken Object-Level Authorization (BOLA)?

Accepted Answer

BOLA, also known as Insecure Direct Object Reference (IDOR), occurs when an API endpoint does not verify that the authenticated user has permission to access the requested object. Attackers simply change object IDs in API requests (like /api/users/123 to /api/users/124) to access other users' data, orders, or resources without authorization.

Question 2

How do I prevent BOLA/IDOR vulnerabilities?

Accepted Answer

Implement authorization checks on every API endpoint that accesses objects. Verify the authenticated user owns or has permission to access each requested resource, use UUIDs instead of sequential IDs, implement a centralized authorization mechanism, write authorization unit tests for every endpoint, and log all access attempts for monitoring.

Broken Object-Level Authorization

Challenges

Frequently Asked Questions