
Fine-Grained Authorization (BOLA Prevention)

OWASP API1:2023 Broken Object Level Authorization (BOLA, also known as IDOR) is ranked #1 in the OWASP API Security Top 10. It occurs when an application does not verify that the currently authenticated user is permitted to access the specific object identified by the ID in the request; authentication alone is treated as authorization.

Vulnerable Scenario

User A requests /api/invoices/105 and receives their own invoice. User A then changes the request to /api/invoices/106. If the server only checks that User A is authenticated, but not that Invoice 106 belongs to User A, another user's invoice is leaked.

Secure Pattern: Ownership Verification (Node.js)

// Assumes Express with a JWT-validating middleware that populates req.auth.payload
// (for example express-oauth2-jwt-bearer) and a Sequelize-style model exposed as db.invoices.
const express = require('express');
const app = express();

app.get('/api/invoices/:id', async (req, res) => {
  const invoiceId = req.params.id;
  // Subject claim of the verified access token; never trust a client-supplied user ID
  const currentUserId = req.auth.payload.sub;

  // Database query MUST include the user ID as a filter constraint
  const invoice = await db.invoices.findOne({
    where: {
      id: invoiceId,
      owner_id: currentUserId // Critical BOLA protection
    }
  });

  // 404 rather than 403, so the response does not confirm that someone else's invoice exists
  if (!invoice) return res.status(404).send('Not Found');
  res.json(invoice);
});

In addition, use unpredictable identifiers (UUID v4) so that IDs cannot simply be incremented or enumerated; this is defense in depth only, and does not replace the ownership check above, since an ID that leaks through a log, referrer or shared link must still be rejected for any user who does not own the object.