How I Automated BOLA Detection and Hardened My API — A DevSecOps Tutorial
If user A can see user B’s data by swapping an ID, your API is broken—and attackers know it. This "in-the-trenches" guide will teach you how to find and fix it before they do.

Hi, I’m Jesse Freeman, and today I’m bringing you an in-the-trenches guide to defending against Broken Object Level Authorization (BOLA) attacks. If you’re in AppSec or DevSecOps, you already know BOLA isn’t just the #1 OWASP API threat—it’s the silent killer in real-world breaches.
This post combines the lessons from my live hacking demo and my deeper dive into automating BOLA detection with APIsec. I’ll show you how to reproduce BOLA scenarios, how to automate detection in CI/CD, and how to shift your team’s mindset around what “authorization” really means.
🚨 What Is BOLA, Really?
Broken Object Level Authorization happens when attackers access or manipulate object IDs (like orderId, vehicleId, or customerId) to view or modify data they don’t own. It's not just about ID enumeration—it’s about authorization logic that’s missing, assumed, or bypassed entirely.
And here's the kicker: BOLA often hides behind excessive data exposure and poor assumptions around tokens. Just because a bearer token is present doesn’t mean it’s doing its job.
🧪 Reproducing BOLA with a Live API Example
In my demo, I used a test app (crAPI) where I had two users—BolaUser and GhostUser.
Steps:
- BolaUser owns a vehicle resource (/vehicle/location?id=abc123).
- I used APIsec to test whether GhostUser could access that same endpoint with the same ID.
- Result? GhostUser got a 200 OK. Boom—BOLA confirmed.
✅ Lesson: Authorization must always be contextual. If user A can see user B’s object by swapping IDs, your API is broken.
🧰 Automating BOLA Testing with APIsec
Now let’s talk automation—because testing for BOLA across 1,000+ parameters manually in Postman is not sustainable.
Here’s how I do it:
- Define a BOLA Scenario: I set up a resource (e.g., vehicle location) and specify ownership: only BolaUser should access it.
- Enable Continuous Testing: APIsec verifies on every scan that only the correct user gets a 200. Unauthorized users should get a 403/401.
- Scan with CI/CD: Integrate scans into your pipeline to catch BOLA regressions on every release.
🛠️ Pro Tip: You can break builds if BOLA vulnerabilities are detected, stopping risky code from hitting production.
🔬 Deep Dive: Peeling the Onion
In the second session, I talked about expanding your hacker mindset. BOLA isn’t always obvious. It’s not just about IDs in the path. Think:
- Nested Objects with authorization buried inside
- Excessive Data Exposure (EDE) leaking IDs that reduce enumeration time
- Header Surgery: removing or manipulating tokens to find what truly grants access
- API Layers: GraphQL variables, shadow endpoints, forgotten versions (/v1, /v2, /uat, etc.)
I walked through real bug bounty hunts using Burp Suite and taught folks how to build repeatable reconnaissance workflows that map all those layers.
🗂️ Build Your BOLA Playbook
Start documenting every suspicious parameter, header, or URL. I track this in OneNote using color-coded highlights:
- 🟧 Orange: ID in path
- 🟨 Yellow: Interesting GraphQL queries
- 🔵 Blue: Suspicious tokens or session headers
Every test I run—header mutations, body fuzzing, removing tokens—I document it as a repeatable tactic. Over time, this becomes your internal red team playbook.
🧠 Real-World BOLA: The CEO Account Takeover
In one real-world case shared by Corey Ball, an app didn’t rely on its bearer token. As long as the attacker supplied a valid userId + customerId in the headers, the app allowed access—token or not.
That’s how Corey used excessive data exposure to hijack a CEO’s account, gain SSO access, and demonstrate a full enterprise breach.
🎯 Takeaway: Authorization logic must be enforced server-side and not be bypassable by simple header manipulation.
🛡️ How to Prevent BOLA (Not Just Detect It)
- Enforce Ownership Checks
Every object request should verify object.ownerId === req.user.id. - Reject Unauthenticated Requests Early
Don’t just validate token format—validate presence and context before processing the payload. - Use UUIDs Instead of Sequential IDs
Makes guessing harder and enumeration less effective. - Automate Ownership-Based Testing
Use APIsec or similar tools to simulate multi-user roles and test every release. - Map Complex Object Structures
Don’t stop at top-level IDs. Inspect nested objects, document hierarchies, and test access to each one.
🔁 Bring BOLA Testing Into CI/CD
- Upload your OpenAPI/Swagger files or Postman Collections into APIsec.
- Set up tests with real user accounts and expected permissions.
- Trigger automated scans with every pull request.
- Break the build if unauthorized access is detected.
This isn’t optional for modern AppSec teams—it’s critical.
📚 Tools and Resources I Recommend
- ✅ APIsec Scanner for CI/CD automation
- 🧠 Hacking APIs by Corey Ball
- 📕 Black Hat GraphQL
- 🔍 Burp Suite Pro
🔁 Final Thoughts
BOLA isn’t just about broken endpoints—it’s about broken assumptions. The more creative your attacker, the more comprehensive your defenses must be.
If you’re in AppSec or DevSecOps, now’s the time to get serious about object-level authorization. Automate the boring parts. Think like a hacker. Document everything.
Let’s make APIs safer—one object at a time.
— Jesse
Latest Articles
Earn your APIsec University Certificate
Earn an APIsec University certificate and badge for completing any of our courses.
Post your badge on LinkedIn and share your accomplishments. You can even receive CPE credits for taking these courses.
