A Deep Dive On The Most Critical API Vulnerability — BOLA (Broken Object Level Authorization)

Intro

For Managers — How To Understand BOLA

How Can We Mitigate BOLA Today?

For Engineers — A Deeper Dive On BOLA

Resources In Modern Applications

API Endpoints And Resources

API Endpoints And Object IDs

The Challenge

The Exploit

For Builders — How To Build A Good Authorization Mechanism

For Breakers — How To Exploit BOLA

How To Think

How To Test

Tips & Tricks

How To Bypass Object Level Authorization
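The two halves of the article, the Builders section on building an authorization mechanism and the Breakers section on exploiting BOLA, come down to the same check seen from both sides. The following is an added example written for this edit, not code from the original article or its author: a hypothetical "invoice" endpoint implemented twice, once with the BOLA defect (the handler trusts the authenticated caller but never compares the caller to the object's owner) and once with the object-level check in place, plus the probe a tester runs against it (call the endpoint as user A with user B's object ID). The in-memory store, user IDs, invoice IDs and function names are all constructed for illustration.

```python
"""BOLA: a vulnerable object lookup beside its hardened form.

Added example, not from the original article. The in-memory store,
the user/object IDs and the handler names are all made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=120.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=980.5),
}


class NotFound(Exception):
    """No object with that ID."""


class Forbidden(Exception):
    """Caller is authenticated but not authorised for this object."""


def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> Invoice:
    """The BOLA pattern. caller_id is the authenticated user (assume it came
    from the session, not from the request), but the handler never asks
    whether that user may see *this* invoice. Any logged-in user who
    enumerates or guesses an ID reads another user's object."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_hardened(caller_id: int, invoice_id: int) -> Invoice:
    """Object-level authorization: load the object, then compare its owner
    to the authenticated caller before returning it. The same effect is
    usually obtained at the data layer by scoping the query to the caller
    (e.g. WHERE id = ? AND owner_id = ?) so an unscoped read is impossible.
    Some teams return 404 rather than 403 here so the response does not
    confirm that the ID exists; either is fine, but apply it consistently."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    if inv.owner_id != caller_id:
        raise Forbidden(f"user {caller_id} may not read invoice {invoice_id}")
    return inv


def id_swap_probe(handler, attacker_id: int, victim_invoice_id: int) -> bool:
    """The breaker's test: call the endpoint as one user with an object ID
    that belongs to a different user. Returns True when the handler leaked
    the object, False when access was refused or the ID does not exist."""
    try:
        handler(attacker_id, victim_invoice_id)
        return True
    except (NotFound, Forbidden):
        return False


if __name__ == "__main__":
    # User 1 requests user 2's invoice through each handler.
    print("vulnerable leaks:", id_swap_probe(get_invoice_vulnerable, 1, 1002))
    print("hardened leaks:  ", id_swap_probe(get_invoice_hardened, 1, 1002))
```

The probe is the whole test method in miniature: two accounts, one object ID, and the question of whether swapping the ID in a request made by account A returns account B's data. Note that the hardened handler still authenticates in exactly the same way; what changes is the extra comparison between the object and the caller, which is the piece the vulnerable version omits.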

Q&A For Curious Engineers

Q: What is the object ID?

Q: Are there different types of BOLA?

Q: Why is it so common in modern applications?

Q: What solutions don’t solve the problem?

Q: Why did we change the name from IDOR to BOLA?

I love to learn, build and break things. Head of Security Research @ Traceable.ai; Security Consultant @ Tangent Logic