Broken Object Level Authorization (BOLA)

BOLA is what happens when your API trusts the caller to only request their own data. You send GET /api/orders/1001 and get back your order. Change it to /api/orders/1002 and you get someone else's. The API never checks whether that order belongs to you.

It's essentially the same bug as IDOR, but in the context of APIs specifically. The OWASP API Security project broke it out as its own category — API1:2023 — because APIs make this mistake constantly. REST endpoints map directly to database objects, and without explicit ownership checks, every endpoint is a potential data leak.

BOLA isn't just about reading data. Write-side BOLA is equally dangerous: PUT /api/orders/1002 with a modified body lets an attacker change someone else's order, update their profile, or cancel their subscription.

A BOLA vulnerability requires an API endpoint that accepts a user-controlled object reference — typically an ID in the URL path or query string — and performs an operation on that object without verifying the caller's relationship to it.

Here's a typical vulnerable Express API handler:

When you prompt an AI to build a REST API, it generates clean CRUD routes that work. The problem is that "works" means "returns the right data when you send the right ID." Nobody prompted it to think about what happens when someone sends the wrong one.

• REST conventions map IDs directly to rows. AI models follow REST patterns faithfully — GET /resource/:id fetches by primary key. Authorization is never part of the REST convention itself.
• Ownership logic is app-specific. The model doesn't know that orders belong to users, or that users belong to organizations. It can't infer your data ownership model from a feature prompt.
• Middleware patterns are rarely generated unprompted. Authorization middleware requires forethought — defining policies, applying them consistently across routes. AI generates routes one at a time and rarely adds cross-cutting concerns.

BOLA has been the #1 API vulnerability in the OWASP API Security Top 10 for both the 2019 and 2023 editions. It shows up everywhere because it's the gap between "the API works" and "the API is secure" — and AI code generators consistently stop at the first part.

Flowpatrol tests for BOLA the way a real attacker would — by creating multiple users and trying to access each other's data through your API:

1. 1Registers multiple test accounts with separate sessions and distinct authorization contexts.
2. 2Maps your API surface by intercepting requests during normal usage and identifying every endpoint that accepts an object ID.
3. 3Swaps object references between sessions — takes User A's order ID and requests it with User B's auth token.
4. 4Flags successful cross-access with the exact request, response data, and a concrete fix for the affected endpoint.

Most scanners check for missing auth headers or known CVEs. Flowpatrol checks whether your API actually enforces ownership — the thing that matters.