
AuthZ Lab — IDOR / BOLA

Broken Object Level Authorization is the #1 entry on the OWASP API Security Top 10 and has been the root cause of more bug-bounty payouts than any other class. The bug is almost always the same: the endpoint trusts the ID in the URL. This lab makes that bug click in 30 seconds.

API #1: OWASP API Security Top 10 ranks BOLA first by impact.
1 line is the difference between a hardened query and the bug: AND owner_id = ?.
404 not 403: returning 403 for cross-owner access leaks existence — let it 404.

Three things in this lab

Simulator

Switch between Alice, Bob, and an admin. Try to read order IDs that belong to other users. The naive endpoint hands them over; the hardened endpoint returns the same 404 it returns for IDs that don't exist. Watch the difference live.

Open simulator →
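A minimal version of the simulator's endpoints, as an added example rather than the lab's own code: a naive handler that trusts the URL ID, the half-fix that leaks existence through 403, and the hardened query with the one-line owner scope. The in-memory SQLite table, user names and order IDs are constructed for the example, and an admin role that bypasses the owner scope is assumed to stand in for the simulator's third user.

```python
import sqlite3

# Constructed sample data for the example: two customers, one order each.
ORDERS = [(1001, "alice", "3x widgets"), (1002, "bob", "1x gadget")]

def _open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn

DB = _open_db()

def _row_to_dict(row):
    return {"id": row[0], "owner": row[1], "item": row[2]}

def get_order_naive(session, order_id):
    """BOLA: the query trusts the ID from the URL; `session` is never consulted."""
    row = DB.execute("SELECT id, owner_id, item FROM orders WHERE id = ?",
                     (order_id,)).fetchone()
    return (404, None) if row is None else (200, _row_to_dict(row))

def get_order_leaky(session, order_id):
    """Half-fix: fetch first, check owner second. Cross-owner IDs get 403,
    missing IDs get 404, so the status code reveals which IDs exist."""
    status, order = get_order_naive(session, order_id)
    if status == 200 and order["owner"] != session["user"]:
        return 403, None
    return status, order

def get_order_hardened(session, order_id):
    """Owner scope comes from the session, never from the request. A cross-owner
    ID and a nonexistent ID are indistinguishable: both return 404."""
    if session.get("role") == "admin":  # assumed admin role: scoped to all owners
        row = DB.execute("SELECT id, owner_id, item FROM orders WHERE id = ?",
                         (order_id,)).fetchone()
    else:
        row = DB.execute(
            "SELECT id, owner_id, item FROM orders WHERE id = ? AND owner_id = ?",
            (order_id, session["user"])).fetchone()
    return (404, None) if row is None else (200, _row_to_dict(row))

ALICE = {"user": "alice", "role": "customer"}   # constructed sessions
ADMIN = {"user": "root", "role": "admin"}

if __name__ == "__main__":
    for handler in (get_order_naive, get_order_leaky, get_order_hardened):
        print(handler.__name__, [handler(ALICE, i)[0] for i in (1001, 1002, 1003)])
```

Run as a script, it prints the status codes Alice gets for her own order, Bob's order and a nonexistent one under each handler; only the hardened handler returns the same 404 for the last two.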

Patterns

Eight detection rules (BOLA01–BOLA08) covering the patterns I look for in code reviews and Burp traces: missing owner scope, 403-vs-404 leakage, sequential IDs, mass-assignment on update, client-supplied admin flags, GraphQL resolver gaps.

See patterns →

Where this fits

BOLA is the AuthZ failure that survives a perfect AuthN deployment. Even with passkeys (Identity Lab) and a strict CSP (CSP Playground), a single broken WHERE clause leaks customer data.

Try the attack →

Why this lab matters

AuthZ bugs are different from AuthN bugs in one crucial way: the user is correctly authenticated when the breach happens. Every log line says "valid session, valid token, 200 OK". The request looks legitimate to every monitoring tool you have. The only signal is at the data layer — and most teams don't instrument that layer for ownership-mismatch alerts.

I include some version of this in almost every API audit. Run the simulator first; the patterns page makes much more sense once you've felt the bug.