BOLA Vulnerabilities: The Complete 2025 Guide for Developers and Pentesters
Broken Object Level Authorization remains the most exploited API vulnerability class. Learn how attackers exploit BOLA and how to fix it in REST and GraphQL APIs.
What is BOLA?
Broken Object Level Authorization (BOLA), also known as IDOR (Insecure Direct Object Reference), occurs when an API endpoint receives an object identifier and uses it to access a data object without proper authorization checks. It is consistently ranked #1 in the OWASP API Security Top 10.
How Attackers Exploit BOLA
The attack is simple: an attacker authenticates as User A, then replaces their own object ID in an API request with another user's ID. If the server only checks authentication (is this a valid session?) but not authorization (does the object referenced by this ID BELONG to the user behind this session?), the attacker gains access to another user's data.
Real Example from Our Engagements
During a 2024 neobank assessment, we found the endpoint GET /api/v2/accounts/{account_id}/transactions accepted any valid account ID from any authenticated user. By iterating account IDs, we could access complete transaction history for all 2 million customers — just by changing a number in the URL.
Detection Methodology
Our testing approach for BOLA includes: mapping all object-referencing endpoints; creating two test accounts; making requests from Account A using Account B's object IDs; testing both horizontal (same privilege) and vertical (different privilege) access; and testing indirect references such as slugs and usernames in addition to numeric IDs.
Fix Patterns
The fix requires implementing object-level authorization on every endpoint that takes an object identifier: after loading the object, verify that it belongs to the authenticated user (or that the user otherwise holds rights to it) before returning or modifying it. In Node.js/Express: if (resource.userId !== req.user.id) return res.status(403).json({ error: 'Forbidden' });
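The following is an added example, not code from the original article: a dependency-free Node.js model of the GET /api/v2/accounts/{account_id}/transactions handler, shown in its BOLA-prone form beside the fixed form that applies the ownership check above, plus the two-account check from the detection methodology. The account data, user names and request shape are constructed for the illustration.

```javascript
// Constructed in-memory data: two accounts owned by two different users.
// Object keys are strings, so a numeric or string account_id both look up.
const accounts = {
  1001: { id: 1001, userId: 'alice', transactions: [{ amount: -42.0, memo: 'coffee' }] },
  1002: { id: 1002, userId: 'bob',   transactions: [{ amount: 1500.0, memo: 'salary' }] },
};

// Vulnerable handler: it checks authentication (req.user is set) but never
// checks that the requested account belongs to the caller, so any
// authenticated user can read any account's transactions.
function getTransactionsVulnerable(req) {
  if (!req.user) return { status: 401, body: { error: 'Unauthorized' } };
  const account = accounts[req.params.account_id];
  if (!account) return { status: 404, body: { error: 'Not found' } };
  return { status: 200, body: account.transactions };
}

// Fixed handler: object-level authorization on the loaded object, mirroring
// the Express snippet above. Caveat: a distinct 403 confirms that the ID
// exists; answering 404 for both unknown and foreign IDs avoids that leak.
function getTransactionsFixed(req) {
  if (!req.user) return { status: 401, body: { error: 'Unauthorized' } };
  const account = accounts[req.params.account_id];
  if (!account) return { status: 404, body: { error: 'Not found' } };
  if (account.userId !== req.user.id) {
    return { status: 403, body: { error: 'Forbidden' } };
  }
  return { status: 200, body: account.transactions };
}

// Two-account check from the detection methodology: authenticate as
// Account A (alice) and request Account B's (bob's) object. Returns true
// when the handler serves the foreign object, i.e. when it is vulnerable.
function isVulnerableToBola(handler) {
  const ownAccountReq   = { user: { id: 'alice' }, params: { account_id: '1001' } };
  const crossAccountReq = { user: { id: 'alice' }, params: { account_id: '1002' } };
  const own = handler(ownAccountReq).status;     // sanity: own data must work
  const cross = handler(crossAccountReq).status; // must not be 200
  return own === 200 && cross === 200;
}

console.log('vulnerable handler leaks:', isVulnerableToBola(getTransactionsVulnerable));
console.log('fixed handler leaks:', isVulnerableToBola(getTransactionsFixed));
```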