Broken Object Level Authorization

Check List

Methodology

Black Box

IDOR

1. Create two accounts on the target (Account A = yours, Account B = second/test account).

2. Perform any action with Account A that returns or uses an object ID. Common places:

   - Your profile → returns "id": 12345
   - Your orders → /api/orders/9876
   - Your files → /files/abc-xyz-111
   - Your settings → /api/v1/users/852

3. Collect every ID you see in responses (numeric, UUID, base64, hashed, username-based, etc.).

4. Switch to Account B (or log out completely) and repeat the exact same requests, but replace the ID with the one from Account A.

5. If you can view, modify, or delete Account A’s resource → BOLA confirmed.
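As an added example (not part of the original checklist), here is a minimal order-lookup handler written in Python with and without the object-level ownership check, plus the two-account comparison from steps 4 and 5 run against both handlers in-process. The account names, order IDs and function names are constructed for illustration.

```python
"""Added example: an order handler with and without object-level authorization,
and the two-account check from the checklist written as a unit test."""

# Constructed sample data: two accounts, each owning one order.
ORDERS = {
    9876: {"owner": "account_a", "items": ["book"]},
    9877: {"owner": "account_b", "items": ["pen"]},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but may not access the object."""


def get_order_vulnerable(caller: str, order_id: int) -> dict:
    # BOLA: the ID alone selects the record; the caller's identity is never
    # compared with the record's owner, so any account can read any order.
    return ORDERS[order_id]


def get_order_hardened(caller: str, order_id: int) -> dict:
    order = ORDERS.get(order_id)
    # Object-level check: the record must exist AND belong to the caller.
    # One error for both cases avoids revealing which IDs exist.
    if order is None or order["owner"] != caller:
        raise Forbidden("order not found")
    return order


def bola_check(handler, owner: str, other: str, object_id: int) -> bool:
    """Steps 4 and 5 of the checklist as a test: fetch the owner's object as the
    owner (must succeed), then as a different account (must be refused).
    Returns True when the handler enforces object-level authorization."""
    if handler(owner, object_id)["owner"] != owner:
        return False
    try:
        handler(other, object_id)
    except Forbidden:
        return True
    return False  # cross-account read succeeded: BOLA confirmed


if __name__ == "__main__":
    for handler in (get_order_vulnerable, get_order_hardened):
        ok = bola_check(handler, "account_a", "account_b", 9876)
        print(f"{handler.__name__}: enforces ownership = {ok}")
```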


White Box

Cheat Sheet
