Hunting IDOR / BOLA in the Wild
Broken Object Level Authorization (BOLA, née IDOR) is still #1 on the OWASP API Security Top 10 for a reason: it’s everywhere, it’s easy to miss in code review, and it maps cleanly to real impact. Here’s the workflow I actually use.
1. Map every object reference
Before touching auth, enumerate what the API exposes. Proxy the full app through your tool of choice and pull every path that carries an identifier:
```sh
# extract candidate object-ID params from a proxied history export
cat history.json \
| jq -r '.requests[].url' \
| grep -oE '/(users|orders|invoices|files|accounts)/[A-Za-z0-9_-]+' \
| sort -u
```
Anything that looks like /{resource}/{id} is a candidate. Sequential integers are the classic tell, but UUIDs and hashids are not a control — they just raise the cost of enumeration.
2. Establish two identities
You need at least two accounts in the same role. Call them alice and bob. Capture a known-good request as Alice and note:
- The object ID in the path/body.
- Every auth-bearing header (`Authorization`, cookies, custom `X-*` tokens).
3. The swap test
Replay Alice’s request but substitute Bob’s object ID — keeping Alice’s credentials. Four outcomes:
| Response | Meaning |
|---|---|
| 200 with Bob’s data | Confirmed BOLA. |
| 403 / 404 | Access control is doing its job (or masking with 404). |
| 200 empty | Possible filtering — dig deeper. |
| 500 | Interesting. Malformed authz logic often crashes. |
A `404` is not always safe — some APIs return `404` to hide objects you can actually reach via a sibling endpoint. Test every verb (GET/PUT/DELETE) and every representation.
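The swap test and its outcome table, as an added example that is not part of the original post: three toy in-memory handlers (one with no object-level check, one that filters fields instead of denying, one that binds the owner check to the authenticated principal) are replayed as Alice against Bob’s object ID, and each response is mapped onto a row of the table. The store contents, principal names and handler names are constructed for the example.

```python
# Added example (not from the original post): the step-3 swap test run
# against toy in-memory handlers so the outcome table can be exercised
# offline. Store contents and principal names are constructed.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Response:
    status: int
    body: Optional[dict]


# Constructed data: order id -> (owner, record).
ORDERS = {
    101: ("alice", {"id": 101, "owner": "alice", "total": 42.0}),
    102: ("bob", {"id": 102, "owner": "bob", "total": 99.5}),
}

Handler = Callable[[str, int], Response]


def get_order_vulnerable(principal: str, order_id: int) -> Response:
    """Authenticates the caller but never ties the object to them: classic BOLA."""
    rec = ORDERS.get(order_id)
    if rec is None:
        return Response(404, None)
    return Response(200, rec[1])


def get_order_filtering(principal: str, order_id: int) -> Response:
    """Strips fields instead of denying: produces the '200 empty' row."""
    rec = ORDERS.get(order_id)
    if rec is None:
        return Response(404, None)
    return Response(200, rec[1] if rec[0] == principal else {})


def get_order_hardened(principal: str, order_id: int) -> Response:
    """Owner check bound to the authenticated principal; 404 on mismatch so
    a non-owner cannot even learn that the object exists."""
    rec = ORDERS.get(order_id)
    if rec is None or rec[0] != principal:
        return Response(404, None)
    return Response(200, rec[1])


def classify(resp: Response, victim: str) -> str:
    """Map a swap-test response onto the four outcomes from step 3."""
    if resp.status == 200:
        if resp.body and resp.body.get("owner") == victim:
            return "confirmed BOLA"
        return "200 empty: possible filtering, dig deeper"
    if resp.status in (403, 404):
        return "denied"
    if resp.status >= 500:
        return "error: check authz logic"
    return f"unexpected {resp.status}"


def swap_test(handler: Handler, attacker: str, victim: str, victim_ids: list) -> dict:
    """Replay as `attacker` (keeping their own credentials) against each of
    `victim`'s object IDs and classify every response."""
    return {oid: classify(handler(attacker, oid), victim) for oid in victim_ids}


if __name__ == "__main__":
    for h in (get_order_vulnerable, get_order_filtering, get_order_hardened):
        print(h.__name__, swap_test(h, "alice", "bob", [102]))
```

The only difference between the vulnerable and hardened handlers is the `rec[0] != principal` clause; that is why this bug is so easy to miss in review, and why the same harness is worth keeping as an authorization regression test in CI once the fix lands.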
4. Prove impact, don’t just assert it
A finding without impact gets downgraded. Chain it:
- Read another tenant’s PII → confidentiality.
- `PUT` to another user’s object → integrity + account takeover.
- Mass-enumerate to build a dataset → scale turns a medium into a high.
5. Automate the boring part
Once you’ve proven one instance manually, script the sweep across every candidate endpoint from step 1. Keep a strict allow-list of in-scope hosts and honor the program’s rate limits — being right doesn’t excuse being loud.
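The flip side of "being loud": a sweep across candidate endpoints is exactly what a defender can spot in access logs. As an added example that is not part of the original post, the detector below groups requests by principal and resource, counts distinct object IDs touched and the share of 403/404 responses, and labels a principal as probing (mostly denied) or harvesting (mostly succeeding, which is what a sweep against a genuinely vulnerable endpoint looks like). The log lines, field layout and thresholds are constructed for the example.

```python
# Added example (not from the original post): a defender-side detector for
# the kind of ID sweep step 5 describes. Log format, lines and thresholds
# are constructed for the example.
import re
from collections import defaultdict

# Constructed access-log lines: principal, method, path, status.
LOG_LINES = """\
alice GET /orders/101 200
alice GET /orders/102 404
alice GET /orders/103 404
alice GET /orders/104 404
alice GET /orders/105 404
alice GET /orders/106 200
bob GET /orders/102 200
bob PUT /orders/102 200
carol GET /invoices/7 200
""".splitlines()

LINE_RE = re.compile(r"^(?P<who>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
OBJECT_RE = re.compile(r"^/(?P<resource>[a-z]+)/(?P<oid>[A-Za-z0-9_-]+)$")


def parse(lines):
    """Yield (principal, resource, object id, status) for object-bearing requests."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        o = OBJECT_RE.match(m["path"])
        if not o:
            continue
        yield m["who"], o["resource"], o["oid"], int(m["status"])


def find_sweeps(lines, min_distinct=5, probing_ratio=0.5):
    """Flag principals that touch at least `min_distinct` IDs of one resource.
    A high 403/404 share means the control is holding (probing); a low share
    against many distinct IDs means data is actually being read (harvesting)."""
    touched = defaultdict(set)
    denied = defaultdict(int)
    total = defaultdict(int)
    for who, resource, oid, status in parse(lines):
        key = (who, resource)
        touched[key].add(oid)
        total[key] += 1
        if status in (403, 404):
            denied[key] += 1
    hits = []
    for key, ids in touched.items():
        if len(ids) < min_distinct:
            continue
        ratio = denied[key] / total[key]
        hits.append({
            "principal": key[0],
            "resource": key[1],
            "distinct_ids": len(ids),
            "denied_ratio": round(ratio, 2),
            "mode": "probing" if ratio >= probing_ratio else "harvesting",
        })
    return hits


if __name__ == "__main__":
    for hit in find_sweeps(LOG_LINES):
        print(hit)
```

Alerting on the denied ratio alone would miss the worst case: against an endpoint that actually has the bug, the sweep returns 200s, so the distinct-ID count is the primary signal and the ratio only tells you whether the control held.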
BOLA is boring in the best way: methodical, high-yield, and rarely a false positive once you’ve done the swap test. Map, pair, swap, prove.