πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Broken Object Level Authorization

Broken Object Level Authorization (BOLA) allows attackers to manipulate object identifiers in API requests to gain unauthorized access to data belonging to other users.

Remediation

  • Enforce server-side authorization checks for every object access request based on the authenticated user’s permissions.
  • Validate object identifiers against the authenticated session context before processing.
  • Avoid exposing predictable or sequential object IDs; use UUIDs or opaque references.

Metadata

  • Severity: high
  • Slug: broken-object-level-authorization

CWEs

  • 639: Authorization Bypass Through User-Controlled Key
  • 284: Improper Access Control
  • 285: Improper Authorization

OWASP

  • A01:2021: Broken Access Control
  • API1:2023: Broken Object Level Authorization
Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.