Broken Object Level Authorization, or BOLA, is an API security flaw where a system fails to enforce whether a user can access a specific object or record. It matters because authenticated users may gain access to other users’ data simply by changing an identifier.
What is Broken Object Level Authorization (BOLA)?
BOLA occurs when an API checks that a request is authenticated but fails to verify whether the caller is authorized to access the specific resource being requested. This is a common and serious API weakness because object identifiers are often easy to manipulate.
What BOLA Commonly Exposes
Common impacts include unauthorized access to customer records, documents, transactions, profiles, or internal data that should be restricted by ownership or tenancy.
BOLA vs. General Authentication Failure
Authentication failure means the caller is not verified. BOLA means the caller is authenticated but still not properly limited to the right objects.
Frequently Asked Questions
Why is BOLA dangerous?
Because it can expose large volumes of sensitive data through simple, repeatable requests made by otherwise valid users.
How do teams prevent BOLA?
By enforcing object-level authorization on every relevant request, testing for access-control flaws, and avoiding assumptions based only on obscured identifiers.
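As an added illustration (not code from the original page), a minimal Python API layer with a constructed invoice store and token map: the first handler authenticates the caller but looks the object up by the client-supplied id alone, the second verifies ownership on every request.

```python
# Added example, not from the original page: an in-memory API layer showing a
# BOLA-prone handler beside one that enforces object-level authorization.
from typing import Tuple

# Constructed sample data: invoices keyed by id, each owned by one user.
INVOICES = {
    101: {"id": 101, "owner_id": 1, "amount": 250},
    102: {"id": 102, "owner_id": 2, "amount": 980},
}

# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


def authenticate(token: str):
    """Authentication answers 'who is calling?' and nothing more."""
    return SESSIONS.get(token)


def get_invoice_vulnerable(token: str, invoice_id: int) -> Tuple[int, dict]:
    """BOLA: the caller is authenticated, but the lookup is keyed only on the
    client-supplied id, so any valid user can read any invoice."""
    user_id = authenticate(token)
    if user_id is None:
        return 401, {"error": "unauthenticated"}
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, {"error": "not found"}
    return 200, invoice


def get_invoice_hardened(token: str, invoice_id: int) -> Tuple[int, dict]:
    """Object-level authorization: after authenticating, check on every request
    that the resolved object belongs to the caller. 'Not found' and 'not yours'
    return the same response so the id space reveals nothing about ownership."""
    user_id = authenticate(token)
    if user_id is None:
        return 401, {"error": "unauthenticated"}
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner_id"] != user_id:
        return 404, {"error": "not found"}
    return 200, invoice


if __name__ == "__main__":
    # Bob's valid token with Alice's invoice id: leaked by the vulnerable
    # handler, denied by the hardened one.
    print(get_invoice_vulnerable("tok-bob", 101))  # (200, {... 'owner_id': 1 ...})
    print(get_invoice_hardened("tok-bob", 101))    # (404, {'error': 'not found'})
```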