Broken Object Level Authorization (BOLA, née IDOR) is still #1 on the OWASP API Security Top 10 for a reason: it’s everywhere, it’s easy to miss in code review, and it maps cleanly to real impact. Here’s the workflow I actually use.

1. Map every object reference

Before touching auth, enumerate what the API exposes. Proxy the full app through your tool of choice and pull every path that carries an identifier:

# extract candidate object-ID params from a proxied history export
# (the jq path below assumes an export shaped like {"requests":[{"url":...}]};
#  adjust it to whatever your proxy actually writes)
jq -r '.requests[].url' history.json \
  | grep -oE '/(users|orders|invoices|files|accounts)/[A-Za-z0-9_-]+' \
  | sort -u

Anything that looks like /{resource}/{id} is a candidate. Sequential integers are the classic tell, but UUIDs and hashids are not a control — they just raise the cost of enumeration.
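As an added example (not part of the original post), here is the mapping step in Python rather than a grep with a fixed resource list: it takes any /{resource}/{id} shape from a constructed list of URLs, records which kind of identifier each resource uses, and orders resources by how much an opaque ID raises the enumeration cost, which is the point made above about UUIDs and hashids. The sample URLs, the sentinel words and the ID patterns are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample of URLs as they might come out of a proxy history export.
SAMPLE_URLS = [
    "https://api.example.test/v1/users/1042/profile",
    "https://api.example.test/v1/users/1043/profile",
    "https://api.example.test/v1/orders/7f0e9c3a-9f2e-4a3b-8f61-2c1e5a9b0d44",
    "https://api.example.test/v1/files/x7Kq9Lp2",
    "https://api.example.test/v1/invoices/2024-000117",
    "https://api.example.test/v1/health",
    "https://api.example.test/v1/users/me",
]

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
INT_RE = re.compile(r"^\d+$")
OPAQUE_RE = re.compile(r"^[A-Za-z0-9_-]{6,}$")  # hashids, base62 tokens and the like

# Path words that sit where an ID would but refer to the caller, not an object
# (assumed list; extend it for the API under test).
SENTINELS = {"me", "self", "current", "new"}


def classify_id(token):
    """Return 'int', 'uuid' or 'opaque', or None if the segment is not an ID."""
    if token in SENTINELS:
        return None
    if INT_RE.match(token):
        return "int"
    if UUID_RE.match(token):
        return "uuid"
    # Plain words like "profile" or "health" never carry a digit; tokens do.
    if OPAQUE_RE.match(token) and any(ch.isdigit() for ch in token):
        return "opaque"
    return None


def find_object_refs(urls):
    """Group every /{resource}/{id} occurrence by resource with the ID kinds seen."""
    refs = {}
    for url in urls:
        segs = [s for s in urlparse(url).path.split("/") if s]
        # Look at each segment together with the one before it: that pair is the
        # /{resource}/{id} shape the text describes.
        for i in range(1, len(segs)):
            kind = classify_id(segs[i])
            if kind is None:
                continue
            entry = refs.setdefault(segs[i - 1], {"kinds": set(), "ids": set()})
            entry["kinds"].add(kind)
            entry["ids"].add(segs[i])
    return refs


def prioritise(refs):
    """Order resources by identifier guessability: int before opaque before uuid.

    Opaque IDs are not a control, they only raise the cost, so they rank after
    sequential integers rather than being dropped from the candidate list.
    """
    rank = {"int": 0, "opaque": 1, "uuid": 2}
    return sorted(refs, key=lambda r: min(rank[k] for k in refs[r]["kinds"]))


if __name__ == "__main__":
    found = find_object_refs(SAMPLE_URLS)
    for resource in prioritise(found):
        info = found[resource]
        print(f"/{resource}/{{id}}  kinds={sorted(info['kinds'])}  ids={sorted(info['ids'])}")
```

Every resource in the returned map is a candidate for the swap test in step 3; the sentinel filter keeps /users/me out of the list because it resolves to the caller and cannot be swapped.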

2. Establish two identities

You need at least two accounts in the same role. Call them alice and bob. Capture a known-good request as Alice and note:

  • The object ID in the path/body.
  • Every auth-bearing header (Authorization, cookies, custom X-* tokens).

3. The swap test

Replay Alice’s request but substitute Bob’s object ID — keeping Alice’s credentials. Four outcomes:

Response              Meaning
200 with Bob’s data   Confirmed BOLA.
403 / 404             Access control is doing its job (or masking with 404).
200 empty             Possible filtering — dig deeper.
500                   Interesting. Malformed authz logic often crashes.

A 404 is not always safe — some APIs return 404 to hide objects you can actually reach via a sibling endpoint. Test every verb (GET/PUT/DELETE) and every representation.

4. Prove impact, don’t just assert it

A finding without impact gets downgraded. Chain it:

  • Read another tenant’s PII → confidentiality.
  • PUT to another user’s object → integrity + account takeover.
  • Mass-enumerate to build a dataset → scale turns a medium into a high.

5. Automate the boring part

Once you’ve proven one instance manually, script the sweep across every candidate endpoint from step 1. Keep a strict allow-list of in-scope hosts and honor the program’s rate limits — being right doesn’t excuse being loud.
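An added example, not code from the original post, that ties steps 3 to 5 together against a constructed in-memory API: a handler that authenticates but never checks ownership (the BOLA case) next to the same handler with an object-level check, a swap test that replays Alice's request for Bob's object with Alice's credentials and classifies the response using the four outcomes from the table, and a sweep that refuses any host outside an allow-list and pauses between requests. The invoice store, the tokens, the host name and the handler names are assumptions.

```python
import time
from dataclasses import dataclass, field

# Constructed in-memory API: two tenants, Alice and Bob, each owning one invoice.
INVOICES = {
    "inv-1001": {"owner": "alice", "total": 120.00},
    "inv-1002": {"owner": "bob", "total": 89.50},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(headers):
    """Map a bearer token to a user name; None if the token is missing or unknown."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    return SESSIONS.get(token)


def get_invoice_vulnerable(headers, invoice_id):
    """Checks WHO is calling but never WHETHER they own the object: BOLA."""
    user = authenticate(headers)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    return Response(200, inv) if inv else Response(404)


def get_invoice_fixed(headers, invoice_id):
    """Same lookup, plus the object-level ownership check that was missing."""
    user = authenticate(headers)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    # Treat "not yours" like "not found" so the response does not confirm that the
    # object exists; a 403 is equally acceptable if the API prefers clarity.
    if inv is None or inv["owner"] != user:
        return Response(404)
    return Response(200, inv)


def swap_test(handler, alice_headers, bob_headers, bob_object_id):
    """Replay Alice's request for Bob's object, keeping Alice's credentials."""
    baseline = handler(bob_headers, bob_object_id)  # known-good request as the owner
    assert baseline.status == 200, "the owner's own request must succeed first"
    cross = handler(alice_headers, bob_object_id)   # the swap
    if cross.status == 200 and cross.body == baseline.body:
        return "confirmed"   # 200 with Bob's data
    if cross.status == 200:
        return "filtered"    # 200 but not the owner's data: dig deeper
    if cross.status in (403, 404):
        return "denied"      # access control doing its job (or masking with 404)
    if cross.status >= 500:
        return "error"       # malformed authz logic often crashes
    return f"unexpected:{cross.status}"


ALICE = {"Authorization": "Bearer tok-alice"}
BOB = {"Authorization": "Bearer tok-bob"}


def sweep(cases, in_scope_hosts, delay_s=0.0):
    """Run the swap test over every candidate; refuse anything outside the allow-list."""
    results = {}
    for host, name, handler, bob_id in cases:
        if host not in in_scope_hosts:
            raise ValueError(f"{host} is not in the allow-list; refusing to test it")
        results[name] = swap_test(handler, ALICE, BOB, bob_id)
        time.sleep(delay_s)  # honour the program's rate limit between requests
    return results


# One candidate endpoint from the mapping step, in its vulnerable and fixed forms.
CASES = [
    ("api.example.test", "GET /invoices/{id} (vulnerable)", get_invoice_vulnerable, "inv-1002"),
    ("api.example.test", "GET /invoices/{id} (fixed)", get_invoice_fixed, "inv-1002"),
]

if __name__ == "__main__":
    for name, verdict in sweep(CASES, {"api.example.test"}).items():
        print(f"{verdict:10} {name}")
```

The same swap_test works as a regression test in the API's own CI: point it at each handler with two fixture accounts and fail the build on anything other than "denied", which is how a fixed BOLA stays fixed.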

BOLA is boring in the best way: methodical, high-yield, and rarely a false positive once you’ve done the swap test. Map, pair, swap, prove.