API Attack Awareness: Broken Object Level Authorization (BOLA) – Why It Tops the OWASP API Top 10
Broken Object Level Authorization (BOLA) is a key issue in the OWASP API Top 10. It is common and easy to exploit, and can lead to data leakage and account takeover; the case of a Brazilian dating app shows how serious it can be. Implementing strong authorization checks, and using tools such as Wallarm for detection and mitigation, is key. 2025-10-2 11:0:0 Author: securityboulevard.com

For this Cybersecurity Awareness Month, we thought it important to draw attention to some of the most common and dangerous API vulnerabilities. 

This week, we’re starting with Broken Object Level Authorization (BOLA)

BOLA vulnerabilities top the OWASP API Top Ten. And for good reason: they’re startlingly prevalent, remarkably easy to exploit, and can have devastating consequences. 


So, let’s explore what they are, why they matter, and how you can mitigate them. 

What is a BOLA Vulnerability?

As the name suggests, BOLA vulnerabilities occur when object level authorization breaks.

Object level authorization is an access control mechanism that validates that a user can access the objects they should have permissions to access. 

When an API endpoint receives the ID of an object and performs any action on it, it should implement object-level authorization checks. When working properly, these checks validate that the authenticated user has permission, i.e. authorization, to perform the requested action on the requested object. 

However, when the mechanism fails or isn’t present at all, unauthorized users can steal, modify, or destroy data. 

BOLA is Common, and the Consequences are Severe 

BOLA vulnerabilities are staggeringly common.

In the Wallarm API ThreatStats Report for Q2 2025, we found that most API-related Known Exploited Vulnerabilities (KEVs) in Q2 2025 exploited BOLA vulnerabilities. Why? Because they’re:

  • Easy to exploit, not requiring attackers to leverage complex tools or advanced exploits.
  • Hard to detect, because traditional scanners struggle to detect stateful vulnerabilities like BOLA. 
  • Able to bypass traditional defenses, like firewalls, WAFs, and even standard authentication. 

And, if exploited, BOLA vulnerabilities can have significant consequences. 

Just recently, a new dating app launched in Brazil had to shut down due to a BOLA vulnerability uncovered by researchers. The Sapphos dating app was launched in early September, but a BOLA vulnerability allowed unauthorized users to access other users’ data, including names, birthdates and ID verification selfies. After notifying the 17,000 users it had gained since launch about the breach, the company shut down the app to focus on cybersecurity. 

How a BOLA Vulnerability Could Play Out 

Let’s take a high-level look at how an attacker might exploit a BOLA vulnerability.

APIs often expose endpoints that take an object identifier, like an ID, invoice number, or filename, and return the corresponding resource. When the server trusts that client-supplied ID without verifying whether the authenticated user is authorized to access that specific object, you have a BOLA. 

Attackers typically exploit BOLA vulnerabilities by:

  • Searching for endpoints that accept object identifiers (such as in URLs, query strings, or JSON bodies). 
  • Replacing the ID in a request with an ID belonging to a different object.
  • Resending the request. 

If the server fetches and returns the object without checking ownership or permissions, the attacker gets someone else’s data or can act on their behalf. Consequences include:

  • Data Leakage: Anything tied to an object ID is exposed. 
  • Account Compromise: Changing or deleting another user’s objects can lead to partial or full account takeover. 
  • Business Impact: Including fraud, regulatory fines, customer loss, or costly incident responses. 

As such, mitigating BOLA vulnerabilities is crucial to any organization’s overall security. But how, exactly, can you do that? 

Mitigating BOLA: Strong Authorization Checks 

Implementing strong authorization checks is the first and most important step in mitigating BOLA. 

That means:

  • Enforcing Ownership Rules: For example, ensuring a user can only access /users/12345 if they are user 12345. 
  • Context-aware Checks: Making sure that authorization is tied to session, role, and object ownership, not just authentication. 
  • Consistency Across Endpoints: Ensuring that every API endpoint that retrieves or modifies data applies the same access control logic. 
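As an added example (not code from the original post or from Wallarm), here is the attack flow described above and the three mitigation rules in one place: an "invoice by ID" handler that trusts the client-supplied ID, next to a hardened version where one authorize() rule (ownership plus role) is reused by every endpoint that touches an invoice. The User/Invoice types, the in-memory store and the sample records are all constructed for illustration.

```python
# Added example, not the original post's code. An in-memory dict stands in for
# the database; users, roles and invoices below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str            # "customer" or "support" (constructed roles)

@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int

# Constructed sample data: two customers, each owning one invoice.
INVOICES = {1001: Invoice(1001, owner_id=1, amount=250),
            1002: Invoice(1002, owner_id=2, amount=990)}

class Forbidden(Exception):
    """Raised when the object-level check fails (map to 403/404 at the HTTP layer)."""

def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """BOLA: the caller is authenticated, but the object ID is trusted as-is,
    so swapping 1001 for 1002 in the request returns another user's invoice."""
    return INVOICES[invoice_id]

def authorize(user: User, invoice: Invoice, action: str) -> None:
    """Single ownership/role rule shared by every invoice endpoint (consistency).
    The decision depends on who the user is, their role and the object's owner,
    not merely on the fact that they are logged in (context-aware check)."""
    if invoice.owner_id == user.id:
        return                                # owner may read and modify
    if user.role == "support" and action == "read":
        return                                # support staff: read-only access
    raise Forbidden(f"user {user.id} may not {action} invoice {invoice.id}")

def get_invoice(user: User, invoice_id: int) -> Invoice:
    inv = INVOICES[invoice_id]                # KeyError for unknown IDs
    authorize(user, inv, "read")
    return inv

def delete_invoice(user: User, invoice_id: int) -> None:
    inv = INVOICES[invoice_id]
    authorize(user, inv, "delete")            # same rule, different action
    del INVOICES[invoice_id]

def can(user: User, invoice_id: int, action: str) -> bool:
    """Convenience wrapper: True if authorize() would allow the action."""
    try:
        authorize(user, INVOICES[invoice_id], action)
        return True
    except (Forbidden, KeyError):
        return False
```

In a real service the same authorize() call would also guard list, update and export endpoints, and unknown and foreign IDs should produce an identical response so the ID space cannot be enumerated through error differences.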

This is something only your backend logic can guarantee. No WAF or API firewall can build those rules automatically for you. They don’t know your backend rules. 

That said, even with strong authorization checks, mistakes can slip through. Developers might miss an endpoint, business logic might change and break consistency, or testing might not catch regressions. 

That’s why you need Wallarm. 

How Wallarm Detects and Prevents BOLA

Wallarm’s API Discovery capability identifies endpoints with variability that may be subject to BOLA attacks. In addition, Wallarm includes default mitigation controls to identify attempts to enumerate objects by attackers. While default controls are provided, users can create custom controls to adapt the BOLA protection to their specific APIs and applications. 

Wallarm doesn’t just detect BOLA attacks; it blocks them. Users can configure the BOLA mitigation controls to actively block individual API sessions and entire IP addresses in response to BOLA attacks. 

Raising Awareness, Bolstering Protection

Data loss. Account takeover. Business impact. 

BOLA vulnerabilities can bring organizations to their knees. 

Being aware of them is one thing. Protecting APIs from them is another.

Schedule a demo with Wallarm today to find out how we help protect your organization against the OWASP Top 10 for APIs vulnerabilities. 

The post API Attack Awareness: Broken Object Level Authorization (BOLA) – Why It Tops the OWASP API Top 10 appeared first on Wallarm.

*** This is a Security Bloggers Network syndicated blog from Wallarm authored by Tim Erlin. Read the original post at: https://lab.wallarm.com/api-attack-awareness-broken-object-level-authorization-bola-why-it-tops-the-owasp-api-top-10/


Article source: https://securityboulevard.com/2025/10/api-attack-awareness-broken-object-level-authorization-bola-why-it-tops-the-owasp-api-top-10/