High Severity | OWASP API Top 10
🟠 API IDOR / Broken Object Level Authorization (BOLA)
🧠 Description
The API exposes endpoints that take object references (database IDs, file names) from the client without verifying that the caller is authorized for that specific object, so users can read or modify resources belonging to other users.
Impact: Data Theft, Horizontal Privilege Escalation, Data Modification
🔍 Detection
- Identify object references in API responses
- Modify IDs in URLs, headers, or body
- Test with different user accounts
- Check API versioning for bypasses
💣 BOLA Payloads
GET /api/users/123 → /api/users/124
GET /api/orders/5 → /api/orders/6
{"user_id": 123} → {"user_id": 124}
X-User-ID: 123 → X-User-ID: 124
🛡️ Mitigation
✅ Implement authorization checks for every endpoint
✅ Validate object ownership server-side
✅ Use indirect references (mapping IDs)
✅ Log all unauthorized access attempts
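The following is an added example, not code from the original cheat sheet, showing the mitigations above in one place: a BOLA-vulnerable handler for `GET /api/orders/{id}` next to a hardened one that validates ownership server-side, an indirect-reference table so clients never see raw database ids, and an audit log of denied attempts that can be summarized to spot id enumeration. The `ORDERS` rows, user ids 123 and 124, the `REF_MAP` table and the in-memory `AUDIT_LOG` are constructed for the demo; a real service would back them with its database and log pipeline.

```python
import logging
import secrets

log = logging.getLogger("bola-demo")

# Constructed sample data: an in-memory "orders" table with an owner column.
ORDERS = {
    5: {"id": 5, "owner_id": 123, "total": 42.00},
    6: {"id": 6, "owner_id": 124, "total": 99.50},
}

# Audit sink for denied object access (stands in for a real log pipeline).
AUDIT_LOG = []

# Indirect-reference table: (user_id, opaque_ref) -> real object id.
REF_MAP = {}


class NotFound(Exception):
    """Raised for missing objects and for objects the caller does not own."""


def get_order_vulnerable(requesting_user_id, order_id):
    """BOLA-vulnerable handler: checks that the order exists, never who owns it.
    Changing /api/orders/5 to /api/orders/6 returns another user's order."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order_secure(requesting_user_id, order_id):
    """Hardened handler: resolves the object, then enforces ownership server-side."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    if order["owner_id"] != requesting_user_id:
        # Log the unauthorized attempt, then answer exactly as for a missing
        # object so the response does not confirm that the id exists.
        AUDIT_LOG.append({"user": requesting_user_id,
                          "object": "order:%d" % order_id,
                          "result": "denied"})
        log.warning("denied order:%d to user %d", order_id, requesting_user_id)
        raise NotFound(order_id)
    return order


def list_orders(requesting_user_id):
    """Returns the caller's orders keyed by opaque, per-user references
    instead of database ids (the "indirect references" mitigation)."""
    result = {}
    for order in ORDERS.values():
        if order["owner_id"] != requesting_user_id:
            continue
        ref = secrets.token_urlsafe(16)          # unguessable, issued per user
        REF_MAP[(requesting_user_id, ref)] = order["id"]
        result[ref] = order
    return result


def get_order_by_ref(requesting_user_id, ref):
    """Resolves an opaque reference only for the user it was issued to; a
    reference copied from another user's session does not resolve."""
    order_id = REF_MAP.get((requesting_user_id, ref))
    if order_id is None:
        AUDIT_LOG.append({"user": requesting_user_id,
                          "object": "ref:%s" % ref,
                          "result": "denied"})
        raise NotFound(ref)
    # Ownership is still re-checked on the real id (defense in depth).
    return get_order_secure(requesting_user_id, order_id)


def denied_attempts_by_user(audit_log=None):
    """Summarizes the audit log as {user_id: denied_count}; a single user
    accumulating many denials is the signature of id enumeration."""
    entries = AUDIT_LOG if audit_log is None else audit_log
    counts = {}
    for entry in entries:
        if entry["result"] == "denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("vulnerable:", get_order_vulnerable(124, 5))   # leaks user 123's order
    try:
        get_order_secure(124, 5)
    except NotFound:
        print("secure: denied; denials per user =", denied_attempts_by_user())
```

The hardened handler returns the same not-found result for "does not exist" and "not yours", so a client modifying ids learns nothing from the response, while the audit log keeps the distinction for defenders; `denied_attempts_by_user` is the minimal alerting rule to build on top of that log.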