WRITE-UP
BOLA patterns in modern APIs
Common failure modes, high-signal tests, and pragmatic fixes.
What is BOLA?
Broken Object Level Authorization happens when the API checks that the caller is authenticated but never checks whether that caller is authorized to act on the specific object the request references (ownership, tenant, or role-based access to that one record).
High-signal tests
- Swap object IDs across users/tenants while keeping the same token.
- Test “read” endpoints and also “export/download” endpoints; the latter are often overlooked.
- Follow indirect references (orderId → invoiceId → fileId): every hop needs its own ownership check.
Fixes that stick
- Centralize authorization at the service layer (deny-by-default).
- Enforce resource-level policies (RBAC/ABAC) and test them.
- Log authorization decisions and alert on enumeration patterns (e.g. many denied object lookups from one principal).
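The three fixes above, and the “test them” part, in one runnable example. This is an added illustration, not code from the write-up: an in-memory API with a BOLA-prone download handler beside a hardened one, a single deny-by-default authorize() function that every lookup goes through, ownership checks on each hop of the orderId → invoiceId → fileId chain, and a detector that flags principals with many denied lookups in the audit log. The tenants, roles, object IDs and the ABAC-style policy are all constructed assumptions for the example.

```python
"""Added example (not from the write-up): a minimal in-memory API showing a
BOLA-prone handler beside a hardened one, a centralized deny-by-default policy
check, and a simple enumeration detector over the audit log.
All data and identifiers below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: two tenants, each with an order -> invoice -> file chain.
ORDERS   = {"o-1": {"owner": "alice", "invoice": "inv-1"},
            "o-2": {"owner": "bob",   "invoice": "inv-2"}}
INVOICES = {"inv-1": {"owner": "alice", "file": "f-1"},
            "inv-2": {"owner": "bob",   "file": "f-2"}}
FILES    = {"f-1": {"owner": "alice", "bytes": b"alice-pdf"},
            "f-2": {"owner": "bob",   "bytes": b"bob-pdf"}}
ROLES    = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"support"}}

class Forbidden(Exception):
    pass

@dataclass
class Audit:
    # Every authorization decision is kept so enumeration patterns can be detected.
    events: list = field(default_factory=list)

    def record(self, subject, action, resource_id, allowed):
        self.events.append((subject, action, resource_id, allowed))

AUDIT = Audit()

def authorize(subject, action, resource):
    """The one policy function (ABAC-style, assumed for this example). Deny by default."""
    allowed = False
    if resource["owner"] == subject:               # owners may read/download their objects
        allowed = action in ("read", "download")
    elif "support" in ROLES.get(subject, set()):
        allowed = action == "read"                  # support may read, never download
    return allowed

def load(table, resource_id, subject, action, audit=AUDIT):
    """Fetch and authorize in one place so no handler can forget the check."""
    resource = table.get(resource_id)
    allowed = resource is not None and authorize(subject, action, resource)
    audit.record(subject, action, resource_id, allowed)
    if not allowed:
        raise Forbidden(resource_id)   # same outcome for missing and forbidden objects
    return resource

# --- Vulnerable: caller is authenticated, but ownership is never checked (BOLA) ---
def download_invoice_file_vulnerable(subject, invoice_id):
    invoice = INVOICES[invoice_id]                  # token was valid, so just look it up
    return FILES[invoice["file"]]["bytes"]

# --- Hardened: every hop of the indirect reference chain is authorized ---
def download_invoice_file(subject, order_id):
    order   = load(ORDERS,   order_id,         subject, "read")
    invoice = load(INVOICES, order["invoice"], subject, "read")
    file    = load(FILES,    invoice["file"],  subject, "download")
    return file["bytes"]

def enumeration_suspects(audit, threshold=3):
    """Subjects with at least `threshold` denied decisions: input for alerting."""
    denied = defaultdict(int)
    for subject, _action, _rid, allowed in audit.events:
        if not allowed:
            denied[subject] += 1
    return {s for s, n in denied.items() if n >= threshold}

def policy_tests():
    """Resource-level policy tests: cross-tenant access must fail at every hop."""
    results = {}
    results["own_download"] = download_invoice_file("alice", "o-1") == b"alice-pdf"
    try:
        download_invoice_file("alice", "o-2")       # bob's order, alice's token
        results["cross_tenant_denied"] = False
    except Forbidden:
        results["cross_tenant_denied"] = True
    try:
        download_invoice_file("carol", "o-1")       # support may read, not download
        results["support_download_denied"] = False
    except Forbidden:
        results["support_download_denied"] = True
    # The vulnerable handler hands bob's file to alice: the bug the write-up describes.
    results["vulnerable_leaks"] = download_invoice_file_vulnerable("alice", "inv-2") == b"bob-pdf"
    return results

def detector_selftest():
    """Three denied lookups of unknown IDs by one subject should be flagged."""
    audit = Audit()
    for rid in ("o-7", "o-8", "o-9"):               # constructed: IDs that do not exist
        try:
            load(ORDERS, rid, "mallory", "read", audit)
        except Forbidden:
            pass
    return enumeration_suspects(audit)

if __name__ == "__main__":
    print(policy_tests())
    print("enumeration suspects:", detector_selftest())
```

Two design points worth copying: load() raises the same Forbidden for a missing object and for one the caller may not see, so the API does not become an existence oracle for other tenants’ IDs; and because the handler never touches the tables directly, a new endpoint (say, a CSV export) cannot bypass the policy by accident, which is exactly the gap the “export/download” test above looks for.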