testing-api-for-broken-object-level-authorization


Testing API for Broken Object Level Authorization

When to Use

  • Assessing REST or GraphQL APIs that use object identifiers in URL paths, query parameters, or request bodies
  • Performing OWASP API Security Top 10 assessments where API1:2023 (BOLA) must be tested
  • Testing multi-tenant SaaS applications where users from different tenants should not access each other's data
  • Validating that API endpoints enforce per-object authorization checks beyond just authentication
  • Evaluating APIs after new endpoints are added to ensure authorization middleware is applied consistently

Do not use without written authorization from the API owner. BOLA testing involves accessing or attempting to access other users' data, which requires explicit permission.

Prerequisites

  • Written authorization specifying the target API endpoints and scope of testing
  • At least two test accounts at the same privilege level, each owning a distinct set of objects (for horizontal BOLA tests); add accounts at different privilege levels where vertical access between roles or tenants is also in scope
  • Burp Suite Professional or OWASP ZAP configured as an intercepting proxy
  • Authentication tokens (JWT, session cookies, API keys) for each test account
  • API documentation (OpenAPI/Swagger spec) or access to enumerate endpoints
  • Python 3.10+ with requests library for scripted testing
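
An added example of the scripted cross-account check this skill calls for (example code, not part of the skill's own files): every object that account A is known to own is requested with account B's token, and the response is classified. A denial (401/403/404) is fine, a 200 carrying the same body A sees is a BOLA hit, and a 200 with a different body is flagged for manual review, because some endpoints ignore the path ID and return the caller's own record, which is not a BOLA finding. The in-memory API, the tokens and the object IDs are constructed for the demo; `requests_transport` is an assumed adapter for pointing the same check at a real target through Burp or ZAP.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Callable

# A transport sends one request and returns (status, body). Keeping it pluggable
# lets the same check run against the offline mock below or a real target.
Transport = Callable[[str, str, dict[str, str]], tuple[int, str]]


@dataclass
class Account:
    name: str
    token: str
    owned: dict[str, list[str]]  # endpoint template -> object IDs this account owns


@dataclass
class Finding:
    endpoint: str
    object_id: str
    victim_status: int
    attacker_status: int
    verdict: str  # "BOLA", "ok" or "review"


def _normalize(body: str):
    """Compare JSON structurally so key order or whitespace does not mask a match."""
    try:
        return json.loads(body)
    except ValueError:
        return body


def check_bola(transport: Transport, victim: Account, attacker: Account) -> list[Finding]:
    """For every object the victim owns, fetch it as the attacker and classify the result."""
    findings = []
    for template, ids in victim.owned.items():
        for oid in ids:
            path = template.format(id=oid)
            v_status, v_body = transport("GET", path, {"Authorization": f"Bearer {victim.token}"})
            a_status, a_body = transport("GET", path, {"Authorization": f"Bearer {attacker.token}"})
            if v_status != 200:
                verdict = "review"  # baseline failed: bad ID or token, not an authz result
            elif a_status in (401, 403, 404):
                verdict = "ok"  # foreign object denied (404 is an acceptable existence-hiding deny)
            elif a_status == 200 and _normalize(a_body) == _normalize(v_body):
                verdict = "BOLA"  # attacker received the victim's object verbatim
            else:
                verdict = "review"  # 200 with a different body: ID ignored, or data masked
            findings.append(Finding(template, oid, v_status, a_status, verdict))
    return findings


def requests_transport(base_url: str) -> Transport:
    """Assumed adapter for a real target; `requests` is imported lazily so the demo runs without it."""
    import requests

    session = requests.Session()  # point Session.proxies at Burp/ZAP to record the traffic

    def send(method: str, path: str, headers: dict[str, str]) -> tuple[int, str]:
        resp = session.request(method, base_url + path, headers=headers, timeout=10)
        return resp.status_code, resp.text

    return send


def make_mock_api() -> Transport:
    """Constructed in-memory API (not a real service) with three endpoint behaviours."""
    users = {"tok-alice": "alice", "tok-bob": "bob"}
    orders = {"1001": {"owner": "alice", "total": 42}, "1002": {"owner": "bob", "total": 7}}
    invoices = {"9001": {"owner": "alice", "amount": 99}, "9002": {"owner": "bob", "amount": 12}}
    profiles = {"alice": {"email": "alice@example.test"}, "bob": {"email": "bob@example.test"}}

    def send(method: str, path: str, headers: dict[str, str]) -> tuple[int, str]:
        user = users.get(headers.get("Authorization", "").removeprefix("Bearer "))
        if user is None:
            return 401, ""
        parts = path.strip("/").split("/")
        if len(parts) != 4 or parts[:2] != ["api", "v1"]:
            return 404, ""
        resource, oid = parts[2], parts[3]
        if resource == "orders":  # vulnerable: looks up by ID, never checks the owner
            rec = orders.get(oid)
            return (200, json.dumps(rec)) if rec else (404, "")
        if resource == "invoices":  # hardened: foreign and missing objects both read as 404
            rec = invoices.get(oid)
            return (200, json.dumps(rec)) if rec and rec["owner"] == user else (404, "")
        if resource == "profile":  # ignores the path ID and returns the caller's own record
            return 200, json.dumps(profiles[user])
        return 404, ""

    return send


def run_demo() -> list[Finding]:
    alice = Account("alice", "tok-alice", {
        "/api/v1/orders/{id}": ["1001"],
        "/api/v1/invoices/{id}": ["9001"],
        "/api/v1/profile/{id}": ["alice"],
    })
    bob = Account("bob", "tok-bob", {})
    return check_bola(make_mock_api(), victim=alice, attacker=bob)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.verdict:6} {f.endpoint} id={f.object_id} "
              f"victim={f.victim_status} attacker={f.attacker_status}")
```

Run the check in both directions (A's objects as B, then B's objects as A) and repeat it for PUT/PATCH/DELETE, where the same missing ownership check lets an attacker modify or destroy the object rather than just read it. Treat "review" results as leads, not findings, until you have confirmed by hand what the 200 actually returned.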

Installs: 58
GitHub Stars: 6.3K
First Seen: Mar 15, 2026