Glossary

BROKEN OBJECT LEVEL AUTHORIZATION / BOLA defined.

A vulnerability where an API exposes object identifiers (like /users/42/profile) without verifying that the caller is allowed to access that specific object.


What is Broken Object Level Authorization (BOLA)?

BOLA is the #1 risk on the OWASP API Security Top 10. It occurs when an authenticated user can swap an ID in a request and receive data belonging to a different user. The bug is not authentication (the user is authenticated) but authorization: the server doesn't verify that this user may access the particular object being requested.

Why it matters: BOLA leaks customer data quietly and at scale. Automated scanners cannot find it because the requests look legitimate and pass every technical check; only manual testing across user roles uncovers it.

Defence: enforce object-level authorization in every resolver / controller. Don't trust the ID in the request; look up whether the authenticated subject is allowed to see that specific object, and return the same response for objects that don't exist and objects the caller may not access.
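The following is an added example, not code from this page or from the service described here. It shows a minimal `/users/{id}/profile` handler written with the BOLA flaw beside the same handler with the object-level check applied; the `Subject` type, `PROFILES` data, `support` role and route names are constructed for illustration.

```python
# Added example (not from the original page): a BOLA-vulnerable profile lookup
# and its hardened form. Data, users, roles and routes are constructed samples.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    """The authenticated caller, as established by the auth layer (assumed)."""
    user_id: int
    roles: frozenset[str] = frozenset()

# Constructed sample store: profile id -> record. owner_id is the authorizing link.
PROFILES = {
    42: {"owner_id": 42, "email": "alice@example.test"},
    7:  {"owner_id": 7,  "email": "bob@example.test"},
}

def get_profile_vulnerable(subject: Subject, profile_id: int) -> tuple[int, dict]:
    """BOLA: trusts the id from the URL. Any authenticated caller can read any
    profile simply by changing the number in /users/<profile_id>/profile."""
    record = PROFILES.get(profile_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record

def can_access(subject: Subject, record: dict) -> bool:
    """Object-level policy (assumed): the owner, or an explicitly allowed
    support role, may read a profile. Keep this in one place and reuse it."""
    return record["owner_id"] == subject.user_id or "support" in subject.roles

def visible_profiles(subject: Subject) -> dict[int, dict]:
    """Look up what this subject is allowed to see, then select from that set.
    In a real app this is the WHERE clause scoped to the caller, not a filter
    applied after fetching everything."""
    return {pid: rec for pid, rec in PROFILES.items() if can_access(subject, rec)}

def get_profile_hardened(subject: Subject, profile_id: int) -> tuple[int, dict]:
    """Same route, with authorization decided per object, not per endpoint."""
    record = visible_profiles(subject).get(profile_id)
    # One response for "does not exist" and "not yours": the API does not
    # confirm which ids exist to callers who are not allowed to see them.
    if record is None:
        return 404, {"error": "not found"}
    return 200, record
```

A test across two user roles (the owner, and a second ordinary user requesting the owner's id) is the check that catches this class of bug; a single-user scan will not.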

Where this shows up.

See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.

Test for this in your stack

BOOK A FREE scoping call.

30-minute call with an OSCP-certified engineer. Tailored proposal in 24 hours.