Home GuidesBOLA / Broken Object Level Authorization Testing Guide

BOLA / Broken Object Level Authorization Testing Guide

Learn how to test for BOLA (Broken Object Level Authorization) — API #1 on the OWASP API Security Top 10 — by manipulating object identifiers across user contexts to access data you should not see.

Intermediate

6 steps18 payload examples~60 min

Authorized testing only. Only use these techniques on systems you have explicit permission to test.

Map API endpoints that take object identifiers

Catalog every API route that references an object by ID — in the path, query string, body, or headers. These are your BOLA candidates. Note the ID format (sequential int, UUID, hash, encoded).

Example payloads

GET /api/v1/users/{id}/profile

GET /api/orders?orderId=1001

POST /api/documents {"docId": "..."}

GET /api/account/{uuid}/statements

Create two accounts and capture both contexts

Register or obtain two separate low-privilege accounts (victim A and attacker B). Capture B's session token and note A's object IDs. The test is whether B can act on A's objects.

Example payloads

Account A objects: user_id=1001, order_id=5001

Account B token: Authorization: Bearer <B-token>

Use the Session Comparator to diff A vs B responses side by side.

Swap object IDs across sessions

Send requests authenticated as B but referencing A's object IDs. If B receives A's data (or can modify it), authorization is broken. Test reads first, then writes/deletes.

Example payloads

GET /api/v1/users/1001/profile   (as B, 1001 = A)

PUT /api/orders/5001  {"address": "attacker"}   (as B)

DELETE /api/documents/A-doc-id   (as B)

Try alternate methods and ID encodings

Authorization is sometimes enforced on GET but not on PUT/PATCH/DELETE, or only on one ID format. Test HTTP method swaps, and decode/re-encode IDs (base64, hex) that wrap a guessable value.

Example payloads

GET blocked? Try POST/PUT/PATCH/DELETE on the same object.

Decode base64 id "MTAwMQ==" -> 1001, then increment.

Wrapped JSON: {"id": 1001} vs {"id": "1001"} vs {"id": [1001]}

Test mass-assignment and nested object references

BOLA often hides in nested or batch endpoints. Add foreign object IDs to request bodies, GraphQL queries, or bulk operations where the server trusts client-supplied references.

Example payloads

{"order": {"id": 5001, "userId": 1001}}  (inject victim userId)

GraphQL: { order(id: 5001) { items owner { email } } }

POST /api/batch [{"id":5001},{"id":5002}]  (mixed owners)

Confirm impact and document

Demonstrate unauthorized read or modification of another user's object with a clean request/response pair. Recommend server-side authorization checks that bind every object to the authenticated principal, not client input.

Example payloads

Document: endpoint, victim object id, attacker session, data exposed/modified.

Fix: enforce object-level ownership checks server-side on every request and method.

Related Resources

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...

Map API endpoints that take object identifiers

Catalog every API route that references an object by ID — in the path, query string, body, or headers. These are your BOLA candidates. Note the ID format (sequential int, UUID, hash, encoded).

Example payloads

GET /api/v1/users/{id}/profile

GET /api/orders?orderId=1001

POST /api/documents {"docId": "..."}

GET /api/account/{uuid}/statements

Create two accounts and capture both contexts

Register or obtain two separate low-privilege accounts (victim A and attacker B). Capture B's session token and note A's object IDs. The test is whether B can act on A's objects.

Example payloads

Account A objects: user_id=1001, order_id=5001

Account B token: Authorization: Bearer <B-token>

Use the Session Comparator to diff A vs B responses side by side.

Swap object IDs across sessions

Send requests authenticated as B but referencing A's object IDs. If B receives A's data (or can modify it), authorization is broken. Test reads first, then writes/deletes.

Example payloads

GET /api/v1/users/1001/profile   (as B, 1001 = A)

PUT /api/orders/5001  {"address": "attacker"}   (as B)

DELETE /api/documents/A-doc-id   (as B)

Try alternate methods and ID encodings

Authorization is sometimes enforced on GET but not on PUT/PATCH/DELETE, or only on one ID format. Test HTTP method swaps, and decode/re-encode IDs (base64, hex) that wrap a guessable value.

Example payloads

GET blocked? Try POST/PUT/PATCH/DELETE on the same object.

Decode base64 id "MTAwMQ==" -> 1001, then increment.

Wrapped JSON: {"id": 1001} vs {"id": "1001"} vs {"id": [1001]}

Test mass-assignment and nested object references

BOLA often hides in nested or batch endpoints. Add foreign object IDs to request bodies, GraphQL queries, or bulk operations where the server trusts client-supplied references.

Example payloads

{"order": {"id": 5001, "userId": 1001}}  (inject victim userId)

GraphQL: { order(id: 5001) { items owner { email } } }

POST /api/batch [{"id":5001},{"id":5002}]  (mixed owners)

Confirm impact and document

Example payloads

Document: endpoint, victim object id, attacker session, data exposed/modified.

Fix: enforce object-level ownership checks server-side on every request and method.