BOLA: The API Security Flaw Topping OWASP 2023 and How One SaaS Dev Fixed It
A developer running a security audit on his growing multi-tenant SaaS platform discovered a critical vulnerability called BOLA (Broken Object Level Authorization), flagged at the highest severity level. BOLA, ranked number one on OWASP's 2023 API security list, occurs when an API fails to verify whether the logged-in user actually owns the object they are requesting by ID. The flaw is notably easy to exploit — attackers simply swap an object ID in a request URL, query string, header, or body to access data belonging to other users. Real-world examples cited by OWASP include unauthorized access to thousands of online store revenue records and remote control of vehicles not owned by the attacker. The developer used the findings as a starting point to understand and remediate the vulnerability across his platform, distinguishing BOLA from the related but distinct BFLA (Broken Function Level Authorization) flaw in the process.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.


Discussion (0)
Log in to join the discussion and vote.
Log in