API1:2023 — Broken Object Level Authorization

Verified by Precogs Threat Research
OWASP API 2023 Rank #1

What is Broken Object Level Authorization (BOLA)?

APIs expose endpoints that accept object identifiers (for example a record or account ID in the path or body) without verifying that the requesting user is permitted to access that specific object. Attackers substitute IDs in API calls to access other users' data.

Impact

The #1 API risk. Affects nearly every API. Enables mass data exfiltration by iterating through predictable IDs (IDOR: Insecure Direct Object Reference).
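The flaw described above, as an added example that is not Precogs' code: a vulnerable handler that fetches an object by ID alone, beside a hardened one that scopes the lookup to the authenticated caller. The invoice data, user IDs and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    body: str


# Constructed sample store: two users, each owning one invoice.
INVOICES: Dict[int, Invoice] = {
    101: Invoice(101, owner_id=1, body="invoice for user 1"),
    102: Invoice(102, owner_id=2, body="invoice for user 2"),
}


class NotFound(Exception):
    """Raised for a missing object or one the caller may not see."""


def get_invoice_bola(requesting_user_id: int, invoice_id: int) -> Invoice:
    """Vulnerable (BOLA): the caller is authenticated, so we know who they
    are, but the object is looked up by ID alone and ownership is never
    compared to the caller. Any user can read any invoice by changing the ID."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_checked(requesting_user_id: int, invoice_id: int) -> Invoice:
    """Hardened: the lookup is scoped to the caller's own objects. A foreign
    ID is answered exactly like a missing one, so the response does not
    confirm whether that ID exists (which would aid ID enumeration)."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != requesting_user_id:
        raise NotFound(invoice_id)
    return inv


def can_read(handler: Callable[[int, int], Invoice],
             requesting_user_id: int, invoice_id: int) -> bool:
    """True if `handler` lets `requesting_user_id` read `invoice_id`.
    Useful as a quick authorization regression test for each endpoint."""
    try:
        handler(requesting_user_id, invoice_id)
        return True
    except NotFound:
        return False
```

Running `can_read` for every (user, object) pair an endpoint exposes is a cheap way to catch handlers that never compare the caller to the owner.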

How Precogs AI Addresses API1

Precogs AI detects missing object-level authorization in API code, identifying endpoints where user identity is not verified against resource ownership.

Related CWEs