What is BOLA (Broken Object-Level Authorization)?
A vulnerability where an API exposes an object by its identifier without verifying that the requesting user is authorized to access that specific object.
Full explanation
BOLA is the #1 item on the OWASP API Security Top 10. Any API route that accepts an object ID (invoice ID, user ID, order ID, document ID) and returns that object without checking ownership is BOLA-vulnerable. The attacker substitutes the ID in the URL and reads someone else's data. AI coding tools introduce this pattern by default because the obvious implementation — look up the object by ID, return it — is missing the ownership check.
Example
GET /api/orders/42 — if the handler queries `orders where id = 42` without also checking `where user_id = current_user.id`, any authenticated user can substitute 42 with someone else's order ID.
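The pattern above, as an added example that is not part of the original page: a BOLA-vulnerable lookup beside the fixed one, written against an in-memory SQLite table. The table, the two users and the order rows are constructed for the demonstration; the handler names and the convention of returning None for "not found or not yours" are assumptions of this example, not from the page.

```python
import sqlite3

# Constructed sample data (not from the page): two users, one order each.
SAMPLE_ORDERS = [
    (41, "alice", "3x widget"),
    (42, "bob", "1x gadget"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory orders table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        "id INTEGER PRIMARY KEY, user_id TEXT NOT NULL, items TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def _to_dict(row):
    return None if row is None else {"id": row[0], "user_id": row[1], "items": row[2]}


def get_order_vulnerable(conn: sqlite3.Connection, current_user: str, order_id: int):
    """BOLA-vulnerable handler for GET /api/orders/<id>.

    Looks the object up by id only; current_user is never consulted, so any
    authenticated caller can read any order whose id they know.
    """
    row = conn.execute(
        "SELECT id, user_id, items FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    return _to_dict(row)


def get_order_safe(conn: sqlite3.Connection, current_user: str, order_id: int):
    """Fixed handler: ownership is a predicate of the same query.

    An order that exists but belongs to someone else is indistinguishable from
    one that does not exist (None either way, mapped to 404 by the caller), so
    the endpoint also does not leak which ids are valid. Swapping the integer
    id for a UUID changes nothing here: the user_id predicate is what protects
    the row, not the guessability of the id.
    """
    row = conn.execute(
        "SELECT id, user_id, items FROM orders WHERE id = ? AND user_id = ?",
        (order_id, current_user),
    ).fetchone()
    return _to_dict(row)


if __name__ == "__main__":
    conn = make_db()
    # Alice is logged in and substitutes Bob's order id into the URL.
    print(get_order_vulnerable(conn, "alice", 42))  # Bob's order is returned
    print(get_order_safe(conn, "alice", 42))        # None
    print(get_order_safe(conn, "bob", 42))          # Bob's own order
```

The fix lives in the query itself rather than in a check applied afterwards, so it cannot be skipped by a later refactor that forgets to call it, and a row the caller does not own never leaves the database layer.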
FAQ
Is BOLA the same as IDOR?
Yes. IDOR (Insecure Direct Object Reference) is the older web-era name. BOLA is the modern API-era name used in the OWASP API Security Top 10. Same class of bug.
Do UUIDs prevent BOLA?
No. UUIDs make enumeration harder but do nothing once the attacker obtains a valid ID through any other channel (shared link, referrer leak, another API endpoint).