Glossary
BOLA (Broken Object Level Authorization)
The #1 flaw in the OWASP API Security Top 10, corresponding to insufficient access control at the object level. BOLA is the API version of IDOR: the attacker manipulates object identifiers in API requests to access other users' data. It is systematically tested during API security audits.
Why BOLA is the #1 API vulnerability
OWASP has ranked BOLA first in its API Security Top 10 since 2019, and our audits confirm it: it is the most common vulnerability in SaaS REST and GraphQL APIs. The cause is structural — modern frameworks make CRUD endpoints trivial to generate, but object-level authorization remains the developer's job. A global authentication middleware creates a false sense of security: the user is identified, but nothing verifies the requested object belongs to them.
The multi-tenant HR SaaS case
In a multi-tenant HR SaaS, BOLA takes on a special dimension: it can break isolation between client companies. An HR account from company A reading company B's performance reviews, salaries, or applications is exactly the scenario a prospect will test — or a client will discover — before filling in your security questionnaire. The endpoints most affected in our audits: document downloads, CSV exports, sync webhooks, and the 'internal' API routes used by the frontend.
How CleanIssue tests for BOLA
We create test accounts in separate tenants, then replay every request across contexts: crossed identifiers, swapped tokens, modified tenant parameters. Each unauthorized access is documented with the exact request and the data actually exposed, ranked by business impact. The fix is almost always a systematic ownership check in the data access layer — not in the frontend.
Frequently asked questions
Are BOLA and IDOR the same thing?
Essentially yes. BOLA is the OWASP API Security terminology, IDOR the historical web term. Both describe missing object-level authorization. BOLA emphasizes the API context, where the problem is most systematic.
How do you prevent BOLA in a REST API?
Every handler must verify the requested object belongs to the user's scope (account, tenant, role) before any read or write. Centralized access policies — database-level RLS, service-layer policies — are more reliable than checks scattered across controllers.
Can an automated scanner detect BOLA?
Rarely. A scanner doesn't know which resources should be accessible to which user: you need an understanding of the business model and multiple test accounts. That is precisely what a manual, real-world audit adds over an automated scan.