When learning API penetration testing, one of the most dangerous vulnerabilities you will encounter is Vertical BOLA.
It is responsible for many critical bug bounty reports and real-world data breaches.
In this article, we will break down what Vertical BOLA is, why it happens, and how security researchers can test for it.
What is Vertical BOLA?
Vertical BOLA happens when a normal user is able to access functionality or data that should only be available to higher-privileged roles such as administrators.
In simple terms:
A user is authenticated, but the API does not properly verify whether that user should be allowed to perform a privileged action.
This leads to privilege escalation.
Horizontal vs Vertical BOLA
Understanding the difference is important.
Horizontal BOLA
User accesses another user's data.
Example:
GET /api/users/102
User 101 changes the ID to 102 and accesses another user's profile.
Vertical BOLA
User accesses admin-level functionality.
Example:
GET /api/admin/users
If a normal user token can access this endpoint, it is a Vertical BOLA vulnerability.
Why Vertical BOLA Happens
Most developers correctly implement authentication, but forget to enforce authorization checks.
Common mistakes include:
- Only checking if the user is logged in
- Trusting frontend restrictions
- Missing role validation in backend APIs
- Reusing internal admin endpoints for public APIs
- Incorrect middleware configuration
Because APIs are often used by web, mobile, and internal tools, some endpoints accidentally become exposed.
Real-World Example
Imagine a normal user sends this request:
GET /api/admin/users
Authorization: Bearer user_token
Response:
[
{
"id": 1,
"email": "admin@company.com",
"role": "admin"
}
]
This means the API failed to verify that the user is not an administrator.
This is a critical vulnerability.
Common Vertical BOLA Patterns
Security researchers often find Vertical BOLA in the following areas.
1. Admin Endpoints
Look for endpoints like:
/api/admin/users
/api/admin/settings
/api/admin/reports
If they work with a normal user token, there is a problem.
2. Role Manipulation in Requests
Sometimes APIs trust user input.
Example request:
{
"role": "admin"
}
If the backend accepts this, the attacker may gain admin privileges.
3. Organization-Level Access
Many SaaS platforms separate customers by organization or tenant.
Example:
GET /api/org/1234/users
If a user from organization 5678 can access 1234, this becomes a serious data breach.
4. Export and Reporting APIs
Admin dashboards often include powerful endpoints:
GET /api/export/users
GET /api/export/transactions
GET /api/export/reports
These endpoints sometimes lack proper role checks.
How to Test for Vertical BOLA
A simple testing workflow:
- Create a normal user account
- Intercept requests using a proxy
- Look for:
- Admin routes in JavaScript files
- Hidden API endpoints
- Internal APIs used by dashboards
- Replay these requests using the normal user token
- Observe responses for unauthorized data access
Always compare:
- Status codes
- Response data
- Accessible actions
Potential Impact
Vertical BOLA can lead to:
- Viewing all users' personal information
- Changing user roles
- Accessing financial reports
- Deleting accounts
- Resetting passwords
- Full system compromise
In bug bounty programs, this is usually classified as Critical severity.
Why APIs Are Especially Vulnerable
APIs expose direct backend functionality, which means:
- Frontend restrictions can be bypassed
- Attackers interact directly with backend logic
- Authorization checks must be implemented on every endpoint
Even one missing check can expose the entire system.
How Developers Can Prevent Vertical BOLA
Secure APIs should always:
- Enforce role-based access control (RBAC) on the server
- Validate permissions for every request
- Avoid trusting client-supplied roles
- Use centralized authorization middleware
- Perform object-level permission checks
Security should never depend on frontend controls.
Top comments (0)