June 21, 2026
BOLA — The API Version of IDOR
Hey friends! Nitin here.
Nitin yadav
Remember IDOR from the recent post? BOLA is basically IDOR's big brother in the API world. It's officially the #1 API vulnerability (top of the OWASP API Security Top 10), and it pays consistently. If you get IDOR, you're 90% of the way to getting BOLA.
BOLA In Plain English
BOLA = Broken Object Level Authorization. Long name. Simple idea:
The API lets you access objects (data) that belong to other people, because it never checks if you own them.
You ask the API for "order 5000." The API goes "sure!" and hands it over — without ever checking whether order 5000 is actually YOURS. That's BOLA. Same heart as IDOR, just specifically in API calls.
What It Looks Like
You're using an app. In Burp you see it makes this API call:
GET /api/v2/accounts/8842/transactions
That 8842 is your account. So you change it:
GET /api/v2/accounts/8843/transactions
If you get back someone ELSE's transactions — BOLA confirmed. And on a fintech or banking target, that's a massive, high-paying bug. One researcher I read about earned $12,500 from a BOLA-style issue on a financial API. 💰
Why APIs Are So Prone To This
The front-end website often has good checks. But developers assume the API "is internal" or "only the app talks to it," so they skip the ownership check. Except YOU can talk to the API directly with Burp. That false sense of safety is exactly the bug.
How To Hunt It (The Reliable Method)
- Make two accounts — A and B (you know this drill by now)
- As account A, capture API calls that reference YOUR objects (IDs, account numbers, file refs)
- Note account B's object IDs
- Now, logged in as A, replace your ID with B's ID in the request
- If you get B's data back — BOLA ✅
- Bonus: try with NO auth token at all — sometimes it still works (even worse!)
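To make the missing check concrete, here is an added example (my own toy code, not from the post or any real API): a vulnerable handler for the accounts/transactions call above next to a fixed one, with the two-account test from the list run against both. The account numbers, tokens, users and transactions are constructed sample data.

```python
# Added example: the BOLA bug behind GET /api/v2/accounts/{id}/transactions
# and the object-level authorization check that fixes it.
# All data below is constructed for the demo.

# Transactions keyed by account number (constructed).
TRANSACTIONS = {
    8842: ["coffee -40.00", "salary +2000.00"],
    8843: ["rent -1200.00"],
}
# Server-side record of who owns which account (constructed).
OWNERS = {8842: "alice", 8843: "bob"}
# Session token -> logged-in user (constructed).
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}


def vulnerable_get_transactions(auth_token, account_id):
    """Checks that the caller is logged in, but never that they own the account."""
    if auth_token not in SESSIONS:
        return 401, None
    # The account_id comes straight from the URL and is trusted as-is: BOLA.
    return 200, TRANSACTIONS.get(account_id)


def fixed_get_transactions(auth_token, account_id):
    """Authenticates the caller, then authorizes access to this specific object."""
    user = SESSIONS.get(auth_token)
    if user is None:
        return 401, None
    # Object-level authorization: the owner is looked up server-side and
    # compared with the caller; the client-supplied ID alone proves nothing.
    if OWNERS.get(account_id) != user:
        # 404 rather than 403 so the response does not confirm the account exists.
        return 404, None
    return 200, TRANSACTIONS[account_id]


def two_account_test(handler):
    """The post's method: logged in as A (alice), ask for B's (bob's) object.
    Returns True when the handler hands over B's data, i.e. BOLA is present."""
    status, body = handler("token-alice", 8843)
    return status == 200 and body is not None


def no_token_test(handler):
    """The 'bonus' case: no auth token at all. True means data still came back."""
    status, body = handler(None, 8843)
    return status == 200 and body is not None


if __name__ == "__main__":
    print("vulnerable handler leaks B's data:", two_account_test(vulnerable_get_transactions))
    print("fixed handler leaks B's data:    ", two_account_test(fixed_get_transactions))
```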
Don't Forget The Non-Obvious IDs
Not every ID is a simple number. Look for:
- UUIDs (long random-looking strings) — still test them; sometimes they leak elsewhere
- Encoded IDs (base64) — decode, change, re-encode
- IDs hidden in headers or JSON bodies, not just the URL
My Honest Tip
When IDs look "unguessable" (like UUIDs), don't give up — go find where they LEAK. Other API responses, public profiles, referral links often hand you other users' IDs for free. Then you feed those into the vulnerable endpoint. Chaining a small leak into a BOLA is chef's kiss. 👨‍🍳
Next post: JWT attacks — breaking the tokens that keep you logged in.
Keep swapping those IDs!