Skip to content

Access Control: Broken Object Level Authorization

Identifier: bola

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner

Description

Broken Object Level Authorization happens when an app lets users access objects by simply changing an identifier like a number or key without checking if they should really see that object. This might let an attacker look at or modify someone elses data. Developers often assume that passing an object reference is safe, and that weak security controls dont need to check if the requester owns that data. The danger is that if such basic checks are missing, critical information can be exposed or altered, leading to potential breaches or loss of trust in the application.

Configuration

Example

Example configuration:

---
security_tests:
  bola:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.