OWASP API1 — Broken Object Level Authorization (BOLA)

The most prevalent API risk. An attacker changes the object ID sent in a request (for example, a record ID in a URL or body) to read or modify data belonging to another user.

Memory aid

Don't trust the ID in the URL. Always re-check ownership server-side.

⚠ Most common mistake

Treating front-end filtering as authorization: hiding records in the UI does not stop a direct API request for them, so every object access must be checked against the caller's identity on the server.
