When building applications, it’s tempting to assume that security lives in the user interface (UI). After all, the UI dictates what the end user can see and do.
But here’s the truth: attackers rarely care about your UI. They go straight to your APIs.
And when your APIs don’t enforce authorization properly, you’re facing one of the most common and dangerous vulnerabilities in the OWASP API Security Top 10 today: BOLA (Broken Object Level Authorization).
🔎 What is BOLA?
BOLA happens when backend systems fail to validate whether a user is authorized to access a specific object.
Example:
✅ Normal behavior (legitimate user request):
GET /api/users/123
❌ Attacker tweaks the request:
GET /api/users/124
If the backend doesn’t enforce authorization, the attacker can now access another user’s data.
The scary part? This doesn’t require advanced tools. A proxy like Burp Suite or even curl is enough.
🚫 Why the UI Is Irrelevant to Security
Many developers think:
“The UI only shows data the user should see.”
“There’s no button for that, so it can’t happen.”
But here’s the problem: 👉 The UI is just a client of your API.
Attackers skip the UI entirely and target endpoints directly. If your backend doesn’t enforce proper checks, it doesn’t matter what the UI does.
💥 The Business Impact of BOLA
BOLA is more than a coding oversight — it’s been behind major real-world breaches.
The risks include:
Exposure of sensitive personal or financial data
Unauthorized transactions or account takeovers
Compliance violations (GDPR, HIPAA, PCI DSS)
Loss of customer trust and reputational damage
Because BOLA attacks are so straightforward, they’re often the first thing pentesters and attackers try. You can defend against them by doing the following:
Always enforce authorization on the backend
Apply least privilege
Centralize access control logic
Test beyond the UI
Automate in CI/CD
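The two request examples above (123 vs. 124) and the five defenses just listed, shown together in one small Python example. This is added here and is not code from the original post: an in-memory "users API" with a BOLA-prone handler beside a hardened one that routes every object-level decision through a single authorize() function, plus a CI-style sweep that requests every record as every user, exactly what someone tweaking the id in a proxy would do. The user records, roles and the Principal/Forbidden types are all constructed for the example.

```python
"""Added example (not from the original post): BOLA-prone handler vs. a hardened
handler with centralized object-level authorization, plus an automated sweep
that a CI job can run to catch regressions."""
from dataclasses import dataclass

# Constructed sample data: two ordinary users and one support agent.
USERS = {
    123: {"id": 123, "email": "alice@example.test", "balance": 1500},
    124: {"id": 124, "email": "bob@example.test", "balance": 42},
    900: {"id": 900, "email": "agent@example.test", "balance": 0},
}
ROLES = {123: "user", 124: "user", 900: "support"}


@dataclass(frozen=True)
class Principal:
    """The caller, as established from the session or token (assumed upstream)."""
    user_id: int
    role: str


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def get_user_vulnerable(principal: Principal, target_id: int) -> dict:
    """BOLA: the caller is logged in, but nobody checks whose record target_id is.
    GET /api/users/124 from user 123 simply returns Bob's data."""
    return USERS[target_id]


def authorize(principal: Principal, action: str, obj: dict) -> None:
    """Single place for object-level decisions (centralized access control).
    Least privilege: owners may read and update their own record; support may
    read any record but not modify it; everything else is denied by default."""
    if action == "read":
        if obj["id"] == principal.user_id or principal.role == "support":
            return
    elif action == "update":
        if obj["id"] == principal.user_id:
            return
    raise Forbidden(f"user {principal.user_id} may not {action} user {obj['id']}")


def get_user(principal: Principal, target_id: int) -> dict:
    """Hardened handler: load the object, then authorize before returning it.
    The check lives on the backend, so it holds no matter what the UI shows."""
    obj = USERS.get(target_id)
    if obj is None:
        raise KeyError(target_id)
    authorize(principal, "read", obj)
    return obj


def request(handler, principal: Principal, target_id: int) -> int:
    """Translate a handler outcome into an HTTP-style status code."""
    try:
        handler(principal, target_id)
        return 200
    except Forbidden:
        return 403
    except KeyError:
        return 404


def bola_sweep(handler) -> list[tuple[int, int]]:
    """Test beyond the UI: every ordinary user requests every user record,
    bypassing any client entirely. Returns the (caller, target) pairs that
    wrongly succeeded; an empty list is what a CI gate should require."""
    leaks = []
    for caller_id, role in ROLES.items():
        if role == "support":  # support is allowed to read everyone by policy
            continue
        principal = Principal(caller_id, role)
        for target_id in USERS:
            if target_id != caller_id and request(handler, principal, target_id) == 200:
                leaks.append((caller_id, target_id))
    return leaks


if __name__ == "__main__":
    alice = Principal(123, "user")
    print("vulnerable, 123 -> 124:", request(get_user_vulnerable, alice, 124))
    print("hardened,   123 -> 124:", request(get_user, alice, 124))
    print("leaks (vulnerable):", bola_sweep(get_user_vulnerable))
    print("leaks (hardened):  ", bola_sweep(get_user))
```

Two design points worth noting: the hardened handler fetches the object first and then authorizes against it, so the rule ("is this the caller's record?") is evaluated against real data rather than a guess from the URL, and every handler calls the same authorize() so a new endpoint cannot quietly forget the check. Many teams also return 404 rather than 403 for denied objects so the API does not confirm which ids exist; the sweep above treats anything other than 200 as a pass, so either choice works with it.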
✅ Key Takeaway
Security doesn’t live in your UI. It lives mostly in your APIs, backend logic, and consistent enforcement of object-level authorization.
If your defense strategy stops at the interface, you’ve already lost.
Because attackers never click the button — they rewrite the request.
#ApiSecurity #OWASP #security #cybersecurity