When I started API bug hunting, I thought the “real” bugs were things like auth bypass, token forgery, or crypto issues.
Turns out… most high-impact API bugs are much simpler.
They come down to one question:
“Should this user be able to see THIS data?”
That’s exactly why Broken Object Level Authorization (BOLA) sits at #1 in the OWASP API Top 10.
Not because it’s fancy — but because it works.
What BOLA actually means (without OWASP language)
In simple terms, BOLA happens when:
- You are authenticated (logged in)
- You request an object (user, invoice, report, order, etc.)
- The API does not check ownership
- You get data that belongs to someone else
Example:
GET /api/invoices/73921
Authorization: Bearer <your_token>
Now change the ID:
GET /api/invoices/73922
If you see another user’s invoice — that’s BOLA.
No hacking.
No bypassing login.
Just bad authorization.
Why APIs are especially vulnerable
APIs are built to move data, not protect screens.
Developers often assume:
- “Frontend already restricts this”
- “User ID comes from JWT, so it’s safe”
- “UUIDs can’t be guessed, so we’re fine”
But APIs don’t care about UI assumptions.
If the backend doesn’t explicitly verify:
- Does this object belong to this user or org?
Then the API will happily return data it shouldn’t.
Real-world BOLA examples (things you’ll actually find)
1. Viewing another user’s profile
GET /api/users/124
Response includes:
- Phone number
- KYC status
You’re user 123.
That’s horizontal BOLA → PII exposure.
2. Organization-level data leaks (high impact)
GET /api/orgs/982/reports
Change 982 to another org ID.
Now you can see:
- Revenue reports
- Internal metrics
- Employee details
This is where big bounties live.
3. UUIDs don’t save you
A lot of APIs use UUIDs and think they’re safe:
GET /api/files/8f2a9b2e-cc45-4c99-a61a
But then they expose another endpoint:
GET /api/files?user_id=124
Authorization is still missing.
UUIDs hide enumeration — they don’t enforce access control.
Why BOLA is #1 (and not XSS, SQLi, etc.)
Because BOLA:
- Works even with perfect authentication
- Exposes real user and business data
- Exists in almost every API-based product
- Is easy to miss during development
- Is easy to test as a bug hunter
Low effort, high impact.
That’s why OWASP ranks it #1:
👉 https://owasp.org/API-Security/editions/2023/en/0x11-t10/
How I personally look for BOLA bugs
This is my simple flow:
- Capture any authenticated request
- Look for object identifiers:
user_ididorg_id-
account_id- Change only the ID
- Compare responses field by field
- Test the same object via:
List endpoint
Detail endpoint
Export / report endpoint
One of them usually forgets authorization.
Mobile APIs deserve special attention 📱
Mobile APIs often return more data than web apps:
{
"email": "user@gmail.com",
"is_admin": false,
"risk_score": 82,
"internal_notes": "flagged"
}
The UI hides these fields.
The API doesn’t.
This often leads to:
- Excessive data exposure
- Combined with BOLA
- Which makes the bug even stronger
How to write a strong BOLA report
❌ Weak report:
“IDOR vulnerability found.”
✅ Strong report:
“An authenticated user can access invoices belonging to other users by modifying the invoice ID, exposing full billing details including name, address, and transaction history.”
Always connect:
Bug → Data → Business impact
Final takeaway for bug hunters
If you are learning API pentesting or bug bounty:
👉 Start with BOLA
👉 Test READ access before WRITE
👉 Never trust IDs, UUIDs, or frontend logic
Most real-world API breaches start here.
Useful references & real reports
OWASP API Top 10 – BOLA
https://owasp.org/API-Security/editions/2023/en/0x11-t10/HackerOne: IDOR & BOLA reports
https://hackerone.com/hacktivity?query=idor
https://hackerone.com/hacktivity?query=broken%20object%20level%20authorization
Top comments (0)