API-01 Broken Object Level Authorization

John Natale

Key Takeaway

A flaw that lets one set of API credentials reach data objects belonging to other users is known as Broken Object Level Authorization (BOLA). BOLA is ranked number one on the OWASP API Security Top 10. It is the top threat to API security because it is so hard to discover: the only way to detect this kind of issue is to look not only at an individual request and its response, but at the series of requests a caller makes.

Broken Object Level Authorization, or BOLA, is the top API security threat on the OWASP API Security Top 10. It occurs when an attacker can successfully request a data object that should be restricted.

What is Broken Object Level Authorization (BOLA)?

Broken Object Level Authorization is a type of access control vulnerability that allows an attacker to perform actions on a resource that they do not own or have permission to access. APIs, whether they are RESTful or GraphQL, often follow the CRUD (Create, Read, Update, Delete) model for resource manipulation. BOLA occurs when an attacker can create, read, update, or delete a resource that belongs to another user.

Examples of Broken Object Level Authorization Vulnerabilities

Broken Object Level Authorization vulnerabilities can have various implications depending on the API’s business logic. Here are a few practical examples:

  1. Editing a post to falsely attribute it to another user.
  2. Viewing or deleting documents in someone else’s cloud storage.
  3. Accessing private posts or photos on a social media platform.

The impact of a Broken Object Level Authorization vulnerability can range from minor to severe, depending on the nature of the API and the sensitivity of the resources being accessed.
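The definition above is easiest to see in code. The following is an added example, not code from the article or from Noname Security: a constructed in-memory document store with a "read" handler that only authenticates the caller (the BOLA pattern) beside a hardened version in which one ownership check, `load_owned`, is shared by the read, update and delete operations. All names, users and document IDs are made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two accounts, each owning one document.
USERS = {"alice", "bob"}
DOCUMENTS = {
    101: Document(101, "alice", "alice's tax return"),
    102: Document(102, "bob", "bob's medical record"),
}


class Unauthenticated(Exception):
    """Caller presented no valid identity."""


class NotFound(Exception):
    """Object does not exist, or is not visible to this caller."""


def authenticate(caller: str) -> None:
    if caller not in USERS:
        raise Unauthenticated(caller)


# --- Vulnerable: authentication only ------------------------------------
def read_document_vulnerable(caller: str, doc_id: int) -> Document:
    """Checks *who* the caller is but never *whether* they own doc_id, so
    any logged-in account can read any document by supplying its ID."""
    authenticate(caller)
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


# --- Hardened: one object-level check shared by every CRUD operation ----
def load_owned(caller: str, doc_id: int) -> Document:
    """Return the document only if the caller owns it. A foreign ID gets
    the same NotFound as a missing one, so the response does not confirm
    that the guessed identifier exists."""
    authenticate(caller)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != caller:
        raise NotFound(doc_id)
    return doc


def read_document(caller: str, doc_id: int) -> Document:
    return load_owned(caller, doc_id)


def update_document(caller: str, doc_id: int, body: str) -> Document:
    doc = load_owned(caller, doc_id)
    updated = Document(doc.doc_id, doc.owner, body)
    DOCUMENTS[doc_id] = updated
    return updated


def delete_document(caller: str, doc_id: int) -> None:
    load_owned(caller, doc_id)
    del DOCUMENTS[doc_id]


def can_read(fn, caller: str, doc_id: int) -> bool:
    """True if handler fn lets caller see doc_id; used for the comparison."""
    try:
        fn(caller, doc_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # alice asking for bob's document: only the vulnerable handler returns it
    print(can_read(read_document_vulnerable, "alice", 102))  # True
    print(can_read(read_document, "alice", 102))             # False
```

The design point is that the ownership test lives in one place and every operation on the object type goes through it; a handler that reaches `DOCUMENTS` directly is the bug.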

Why is Broken Object Level Authorization a Problem in APIs?

APIs expose a large attack surface, with multiple endpoints for different CRUD operations. As APIs grow larger and more complex, the number of endpoints increases, making it challenging to ensure proper access control for each resource. Additionally, APIs often use easily recognizable IDs, making it easier for attackers to predict or manipulate resource identifiers.

Mitigating Broken Object Level Authorization Vulnerabilities

To address Broken Object Level Authorization vulnerabilities effectively, developers should consider the following best practices:

  1. Design APIs with access control in mind: Clearly define the access control model for each CRUD operation before deploying the API.
  2. Implement a robust access control program: Support developers and security engineers in producing secure code and fixing vulnerabilities.
  3. Validate API endpoints: Avoid relying on security by obscurity, such as using obscure identifiers. Instead, thoroughly check each route for proper access control.
  4. Avoid automatic endpoint creation: Tools that automatically generate API endpoints should be used with caution. Validate each endpoint to ensure it adheres to the access control model.
  5. Keep track of API endpoints: During development, it’s crucial to monitor and manage the increasing number of API endpoints to prevent unnoticed vulnerabilities.
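Steps 3 to 5 amount to keeping an inventory of routes and checking each one against the access control model. As an added example (not the article's or any product's code), the script below audits a constructed route table: every route whose path takes an object identifier parameter must declare an object-level ownership check, and a route that declares only a role check is reported separately, since a role check governs who may call the endpoint (function level) rather than which object they may touch. The `Route` record, the check names such as `object_owner` and `role:editor`, and the sample paths are all hypothetical.

```python
import re
from dataclasses import dataclass

PARAM = re.compile(r"\{(\w+)\}")          # path parameters like {doc_id}


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    checks: frozenset = frozenset()      # authorization checks the handler declares


def object_params(path: str) -> list:
    """Names of path parameters that select a specific object.
    Heuristic: the parameter name ends in 'id' or 'uuid'."""
    return [n for n in PARAM.findall(path) if n.lower().endswith(("id", "uuid"))]


def audit(routes) -> list:
    """Return (method, path, params, reason) for each route that names an
    object but declares no object-level ownership check."""
    findings = []
    for route in routes:
        params = object_params(route.path)
        if not params or "object_owner" in route.checks:
            continue
        reason = ("role check only, no ownership check"
                  if any(c.startswith("role:") for c in route.checks)
                  else "no ownership check")
        findings.append((route.method, route.path, tuple(params), reason))
    return findings


# Constructed route table for illustration.
SAMPLE_ROUTES = [
    Route("GET", "/users/{user_id}/documents/{doc_id}",
          frozenset({"authenticated", "object_owner"})),
    Route("DELETE", "/documents/{doc_id}", frozenset({"authenticated"})),
    Route("GET", "/health"),
    Route("PATCH", "/posts/{post_uuid}", frozenset({"authenticated", "role:editor"})),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTES):
        print(*finding)
```

Run against a real framework, the route table would come from the framework's router and the `checks` set from the decorators or middleware attached to each handler; the audit logic stays the same and can run in CI so that an auto-generated endpoint without an ownership check fails the build.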

Runtime Protection and Security Testing

To enhance API security, runtime protection and security testing can be employed. Runtime protection platforms, like Noname Security, analyze real-time traffic to detect and block API attacks. Security testing allows developers to identify and address API vulnerabilities like Broken Object Level Authorization during the development lifecycle, before they are deployed.
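The key takeaway and the paragraph above both make the same detection point: a single BOLA request looks like any other authorized call, so runtime detection has to reason over the series of requests one credential makes. The following added example (not Noname's detection logic or any product's code) groups a constructed access log by credential and endpoint template and reports credentials that successfully retrieved many distinct objects, which is the traffic shape an ID-enumeration attempt leaves behind. The log format, tokens, users and paths are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed log format (hypothetical): timestamp, credential, resolved user,
# method, path, HTTP status.
LINE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
NUMERIC_SEGMENT = re.compile(r"/(\d+)(?=/|$)")


def endpoint_template(path: str) -> str:
    """Collapse numeric segments so /api/invoices/2001 and /api/invoices/2002
    count as the same endpoint."""
    return NUMERIC_SEGMENT.sub("/{id}", path)


def object_ids(path: str) -> tuple:
    return tuple(int(m) for m in NUMERIC_SEGMENT.findall(path))


def detect_enumeration(lines, min_distinct: int = 5) -> list:
    """Report (token, endpoint) pairs that received 2xx responses for at
    least min_distinct different objects. Each request alone is unremarkable;
    the series is what gives the pattern away."""
    ok_ids = defaultdict(set)      # (token, endpoint) -> distinct IDs with 2xx
    attempts = defaultdict(int)    # (token, endpoint) -> all requests, any status
    users = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue               # skip malformed lines rather than abort
        key = (m["token"], endpoint_template(m["path"]))
        users[m["token"]] = m["user"]
        attempts[key] += 1
        if m["status"].startswith("2"):
            ok_ids[key].update(object_ids(m["path"]))
    findings = []
    for (token, endpoint), ids in ok_ids.items():
        if len(ids) >= min_distinct:
            findings.append({
                "token": token,
                "user": users[token],
                "endpoint": endpoint,
                "distinct_objects": len(ids),
                "attempts": attempts[(token, endpoint)],
                # consecutive IDs are a strong sign of guessing rather than use
                "sequential": sorted(ids) == list(range(min(ids), max(ids) + 1)),
            })
    return findings


# Constructed sample traffic: alice and carol behave normally; bob's credential
# walks invoices 2001..2012, of which 2001..2010 exist.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z token=tA user=alice GET /api/invoices/1001 200
2024-05-01T10:00:02Z token=tA user=alice GET /api/invoices/1002 200
2024-05-01T10:00:03Z token=tC user=carol GET /api/invoices/3001 200
2024-05-01T10:00:04Z token=tC user=carol GET /api/invoices/3001 200
""" + "".join(
    f"2024-05-01T10:01:{i:02d}Z token=tB user=bob GET /api/invoices/{2000 + i} "
    f"{200 if i <= 10 else 404}\n"
    for i in range(1, 13)
)

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(finding)
```

The threshold and the window are the tuning knobs: a batch job that legitimately reads many objects will trip the count, so in practice the detector is scoped per endpoint and compared against that credential's normal volume, and the `sequential` flag is used to rank rather than to decide on its own.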

Broken Object Level Authorization FAQs

What is Broken Object Level Authorization?

Broken Object Level Authorization, or BOLA, is the top API security threat on the OWASP API Security Top 10. It occurs when an attacker can successfully make a request for a data object that should be restricted.

What is the root cause for broken object level authorization?

Attackers and penetration testers look for BOLA vulnerabilities by inspecting API traffic for data that appears to be an ID or identifier for some data used by the API. Generally, these IDs are numeric but can also be strings (a set of characters) or a universally unique identifier (UUID).

BOLA vs BFLA?

Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) are two security vulnerabilities that can occur in web applications. BOLA is a vulnerability where an attacker can access data or functions that should be restricted, while BFLA is a vulnerability where an attacker can bypass the authorization process and gain access to restricted functions. Both of these issues can lead to serious security risks if not addressed properly.

John Natale

John Natale leads content marketing at Noname Security.
