Severity: high · CWE-639 · OWASP API1:2023

Broken Object Level Authorization (BOLA)

API endpoints don't verify that the requesting user owns the resource they're accessing — allowing attackers to access other users' data by changing object IDs.

How It Works

BOLA is the API equivalent of IDOR (Insecure Direct Object Reference). An endpoint receives an object identifier in the path, query string or body, authenticates the caller, and then loads the object without checking that this caller is allowed to see or modify that particular object. The attacker changes the identifier and receives someone else's record. OWASP ranks it first in the API Security Top 10 (API1:2023) because it is both common and cheap to exploit: increment the ID in the URL or request body, or replay an ID observed elsewhere. Note that the flaw is the missing check, not the ID format: a random or UUID identifier that leaks in a log, email link or referrer is just as exploitable, and the same gap applies to PUT, PATCH and DELETE as to GET.

Vulnerable Code

// GET /api/orders/:id
// `auth` only establishes who the caller is; nothing below asks whether
// that caller may read this order.
app.get('/api/orders/:id', auth, async (req, res) => {
  const order = await Order.findById(req.params.id);
  res.json(order); // No ownership check! Any authenticated user can read any order.
});

Secure Code

// GET /api/orders/:id
// req.user is set by the auth middleware from the verified session/token,
// never taken from the request body or query string.
app.get('/api/orders/:id', auth, async (req, res) => {
  const order = await Order.findOne({
    _id: req.params.id,
    userId: req.user.id // Ownership check: scope the lookup to the caller
  });
  // 404 rather than 403, so a foreign ID and a nonexistent ID look the same
  // and the response does not confirm that the object exists.
  if (!order) return res.status(404).json({ error: 'Not found' });
  res.json(order);
});

Real-World Example

In a breach disclosed in January 2023, a BOLA vulnerability in a major US telecom API allowed attackers to retrieve any customer's account data by changing the account identifier in API requests. Roughly 37 million customer records were exposed before the activity was detected.

How to Prevent It

  • Always scope database queries to the authenticated user (ownership or tenant ID as part of the query, not a post-fetch comparison that is easy to forget)
  • Use UUIDs instead of sequential IDs to make enumeration harder, but treat this as defense in depth only: an unguessable ID that leaks is still exploitable, so the authorization check is required regardless
  • Implement authorization middleware that checks object ownership centrally, so every route (including PUT, PATCH and DELETE) goes through the same check and denies by default
  • Write integration tests that verify cross-user access is blocked: authenticate as one user, request another user's object IDs, and assert on 404 (or 403) rather than only testing the happy path
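The following is an added example, not code from the page or from Hogo. It models the Express/Mongoose handlers above with an in-memory store so it runs with plain `node` and no database: a vulnerable handler, a hardened handler built on a reusable ownership middleware (the name `requireOwnership` is an assumption, not a library API), an attacker loop that enumerates IDs the way the "How It Works" section describes, and the cross-user test the last bullet calls for. It also shows why the UUID bullet is only defense in depth. All orders, user names and UUID-shaped IDs are constructed sample data.

```javascript
// Added example, not code from the page: an in-memory stand-in for the
// Express/Mongoose handlers above, plus the cross-user test the prevention
// list asks for. The store is synchronous so the whole thing runs with
// plain `node` and no database; real Mongoose calls would be awaited.

// Constructed sample data. Sequential ids, as in the vulnerable snippet.
const ORDERS = [
  { _id: '1001', userId: 'alice', item: 'laptop' },
  { _id: '1002', userId: 'bob',   item: 'phone' },
  { _id: '1003', userId: 'alice', item: 'monitor' },
];

// Same orders keyed by constructed UUID-shaped ids, to show that random ids
// alone do not close the hole once an id leaks (logs, referrers, email links).
const UUID_ORDERS = [
  { ...ORDERS[0], _id: '6f1c2b3e-8a9d-4c5e-9b1a-0d2e3f4a5b6c' },
  { ...ORDERS[1], _id: 'a7d8e9f0-1b2c-4d3e-8f4a-5b6c7d8e9f0a' },
  { ...ORDERS[2], _id: 'c3d4e5f6-7a8b-4c9d-8e0f-1a2b3c4d5e6f' },
];

// Minimal stand-in for the Mongoose model used on the page.
function makeModel(rows) {
  return {
    findById: (id) => rows.find((o) => o._id === id) ?? null,
    findOne: ({ _id, userId }) =>
      rows.find((o) => o._id === _id && o.userId === userId) ?? null,
  };
}

// Minimal req/res objects so the handlers run without Express. `req.user`
// is what the page's `auth` middleware would have set from the verified token.
function makeReq(userId, id) {
  return { user: { id: userId }, params: { id } };
}
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Vulnerable handler: same logic as the page's first snippet.
function vulnerableHandler(Order) {
  return (req, res) => {
    const order = Order.findById(req.params.id);
    res.json(order); // no ownership check
  };
}

// requireOwnership is a hypothetical middleware name. It scopes the lookup to
// the caller, so a missing id and someone else's id are indistinguishable to
// the client: both are 404, never 403 (which would confirm the object exists).
function requireOwnership(Order) {
  return (req, res, next) => {
    const order = Order.findOne({ _id: req.params.id, userId: req.user.id });
    if (!order) return res.status(404).json({ error: 'Not found' });
    req.order = order;
    next();
  };
}

// Hardened handler: middleware first, then a route that only sees req.order.
function secureHandler(Order) {
  const own = requireOwnership(Order);
  return (req, res) => own(req, res, () => res.json(req.order));
}

// Attacker view: call the handler as `userId` for every id in `ids` and
// return the ids of orders that came back belonging to someone else.
function enumerateAsUser(handler, userId, ids) {
  const leaked = [];
  for (const id of ids) {
    const res = makeRes();
    handler(makeReq(userId, id), res);
    if (res.statusCode === 200 && res.body && res.body.userId !== userId) {
      leaked.push(res.body._id);
    }
  }
  return leaked;
}

// The integration check: every user tries every id; true means nothing
// crossed a user boundary.
function blocksCrossUserAccess(handler, rows) {
  const ids = rows.map((o) => o._id);
  const users = [...new Set(rows.map((o) => o.userId))];
  return users.every((u) => enumerateAsUser(handler, u, ids).length === 0);
}

// Stand-alone run: bob enumerating sequential ids, bob replaying leaked UUIDs,
// and the hardened handler under the cross-user test.
console.log('vulnerable, sequential ids, as bob:',
  enumerateAsUser(vulnerableHandler(makeModel(ORDERS)), 'bob', ['1001', '1002', '1003']));
console.log('vulnerable, UUIDs, as bob:',
  enumerateAsUser(vulnerableHandler(makeModel(UUID_ORDERS)), 'bob', UUID_ORDERS.map((o) => o._id)));
console.log('secure handler blocks cross-user access:',
  blocksCrossUserAccess(secureHandler(makeModel(ORDERS)), ORDERS));
```

The second console line is the point of the UUID caveat: once bob holds alice's UUIDs, the vulnerable handler hands over her orders exactly as it did for sequential IDs. `blocksCrossUserAccess` is the shape of test to keep in CI for every object-by-ID route; it fails the moment someone adds a handler that skips the ownership middleware.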

Affected Technologies

Node.js · Python · Go · Java · PHP · C#
