1What is BOLA (Broken Object Level Authorization) in API security?
Vetora๐ก๏ธSecurity
API Security & Threat Modeling
API security encompasses authentication, input validation, rate limiting, and protection against the OWASP API Top 10 threats. Threat modeling systematically identifies what can go wrong, who would attack, and what the impact would be, guiding security investments to the highest-risk areas.
Overview
APIs are the attack surface of modern systems. Unlike traditional web applications where the server controlled the UI and data flow, APIs expose raw data and operations to any client -- mobile apps, SPAs, third-party integrations, and attackers using curl. The OWASP API Security Top 10 (2023 edition) catalogs the most critical risks: Broken Object Level Authorization (BOLA), Broken Authentication, Broken Object Property Level Authorization, Unrestricted Resource Consumption, Broken Function Level Authorization, Unrestricted Access to Sensitive Business Flows, Server-Side Request Forgery (SSRF), Security Misconfiguration, Improper Inventory Management, and Unsafe Consumption of APIs.
The most common API vulnerability is Broken Object Level Authorization (BOLA, also known as IDOR -- Insecure Direct Object Reference). An API that returns /api/orders/123 checks authentication (is the caller logged in?) but not authorization (does the caller own order 123?). An attacker changes the ID to 124, 125, 126 and retrieves other users' orders. BOLA is trivial to exploit and devastatingly common because authorization checks require per-resource logic that is easy to forget.
Threat modeling is the practice of systematically identifying what can go wrong before it happens. The STRIDE framework classifies threats into six categories: Spoofing (impersonating a user or service), Tampering (modifying data in transit or at rest), Repudiation (denying an action without proof), Information Disclosure (exposing sensitive data), Denial of Service (overwhelming a system), and Elevation of Privilege (gaining unauthorized access). For each API endpoint, you enumerate applicable STRIDE threats and design mitigations.
Input validation is the first line of defense. Every API endpoint must validate: type (is this field a string, number, enum?), length (is this string under 10,000 characters?), format (is this a valid email, UUID, date?), range (is this quantity between 1 and 1000?), and business rules (is this product ID in the catalog?). Validation should happen at the API boundary (before business logic) and produce clear error messages. Never trust client-side validation -- it can be bypassed.
Defense-in-depth combines multiple security layers: TLS for confidentiality, authentication for identity, authorization for permissions, input validation for data integrity, rate limiting for availability, and logging for auditability. No single layer is sufficient -- each catches threats that others miss.
Key Points
- 1BOLA (Broken Object Level Authorization) is the #1 API vulnerability. Always check: does this user have permission to access this specific resource? Authentication alone is not enough -- you must authorize per object.
- 2STRIDE threat modeling: systematically categorize threats (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege) for each API boundary. This prevents ad-hoc security that misses entire threat classes.
- 3Validate all input at the API boundary. Check type, length, format, range, and business rules. Use schema validation (JSON Schema, Pydantic, Zod) to enforce contracts. Reject invalid input before it reaches business logic.
- 4Rate limit by user, IP, and endpoint. Global rate limits prevent DDoS; per-user limits prevent abuse; per-endpoint limits protect expensive operations (login, search, export) from resource exhaustion.
- 5Never expose internal IDs, stack traces, or database schemas in API responses. Use UUIDs instead of sequential IDs. Return generic error messages to clients; log detailed errors server-side.
- 6API inventory management: know every API endpoint, its authentication requirements, and its data sensitivity. Shadow APIs (undocumented, forgotten endpoints) are a top attack vector.
Simple Example
BOLA Attack on an Orders API
An e-commerce API has GET /api/orders/{id}. The endpoint checks the JWT (authentication) but returns any order by ID without checking if the caller owns it (missing authorization). Alice, logged in as user_123, calls GET /api/orders/456 and receives Bob's order details (address, items, payment method). Alice iterates IDs from 1 to 100,000 and scrapes the entire order database. Fix: the endpoint must check order.user_id == jwt.sub before returning data.
Real-World Examples
Parler (2021 Breach)
Social network Parler had a BOLA vulnerability where user posts were accessible by sequential numeric IDs without authorization. Researchers enumerated all 99+ million posts (including deleted ones) by incrementing the ID in the API URL. GPS coordinates embedded in photos revealed users' home locations. The breach demonstrated the catastrophic impact of sequential IDs without authorization checks.
Microsoft (SDL)
Microsoft's Security Development Lifecycle (SDL) requires threat modeling for every feature before implementation. Teams use the STRIDE methodology with data flow diagrams to identify threats at every trust boundary. The SDL has been credited with significantly reducing vulnerabilities in Microsoft products since its introduction in 2004.
Stripe
Stripe's API security includes idempotency keys (prevent duplicate charges), request signing (HMAC for webhooks), per-key rate limiting, and detailed audit logs. Their threat model explicitly addresses financial fraud: double-charging, refund abuse, and unauthorized access to payment methods. Every API change undergoes security review against the OWASP API Top 10.
Trade-Offs
| Aspect | Description |
|---|---|
| Strict Validation vs. Backward Compatibility | Strict input validation rejects malformed data early but can break existing clients that send unexpected fields or formats. Lenient validation (Postel's Law: be liberal in what you accept) is more compatible but increases attack surface. Use strict validation for new APIs; add a deprecation period for tightening existing ones. |
| Detailed Errors vs. Information Disclosure | Detailed error messages help developers debug ('field email is not a valid RFC 5322 address') but also help attackers understand your validation logic. Return specific errors in development; return generic errors in production with correlation IDs for server-side investigation. |
| Rate Limiting Strictness vs. Legitimate Use | Tight rate limits (10 req/min for login) prevent brute-force but may lock out legitimate users with typos. Adaptive rate limiting (increase limits for verified users, decrease for suspicious patterns) balances security and usability. |
| Threat Modeling Depth vs. Delivery Speed | Full STRIDE analysis for every API endpoint is thorough but time-consuming. Lightweight threat modeling (10-minute session focusing on the top 3 risks) covers 80% of threats in 20% of the time. Reserve deep analysis for high-risk endpoints (authentication, payments, data export). |
Case Study
T-Mobile API Breach: 37 Million Records via Unsecured API
Scenario
In January 2023, T-Mobile disclosed that an attacker accessed personal data for 37 million customers through an unsecured API. The API allowed querying customer records without proper authorization checks, and the attacker exploited it from November 2022 to January 2023 -- over two months of undetected access.
Solution
T-Mobile implemented API-level authorization checks, enhanced monitoring for unusual API access patterns (volume, time-of-day, sequential enumeration), added per-API-key rate limiting, and deployed an API gateway with real-time anomaly detection. They also commissioned a third-party security audit of all customer-facing APIs against the OWASP API Security Top 10.
Outcome
The breach affected 37 million customers and cost T-Mobile hundreds of millions in remediation, legal fees, and settlements (on top of previous breaches in 2021 and 2022). The incident highlighted the critical importance of API authorization (not just authentication), API inventory management (knowing every endpoint), and anomaly detection (two months of extraction went unnoticed). Regulators and the FCC imposed additional security requirements.
Common Mistakes
- โ Checking authentication but not authorization. A valid JWT proves identity but does not prove the caller has access to the requested resource. Every endpoint that returns user-specific data must check: does this user own/have access to this specific resource? BOLA is the #1 API vulnerability precisely because this check is forgotten.
- โ Using sequential integer IDs in API URLs. GET /api/users/1, /api/users/2, /api/users/3 lets attackers enumerate all users trivially. Use UUIDs or cryptographic identifiers that cannot be guessed or enumerated.
- โ Not rate limiting authenticated endpoints. Rate limiting login endpoints is common, but authenticated endpoints (search, export, bulk operations) are often unprotected. An authenticated attacker can exhaust resources or scrape data without rate limits.
- โ Trusting client-sent data for authorization decisions. An API that accepts {"role": "admin"} in the request body and grants admin access is trivially exploitable. Authorization decisions must be based on server-side data (database role lookups, policy engine), never on client-supplied claims.
Related Concepts
See API Security & Threat Modeling in action
Explore system design templates that use api security & threat modeling and run traffic simulations to see how these concepts perform under real load.
Browse TemplatesSimulate rate limiting and WAF under DDoS traffic patterns
Metrics to watch
blocked_request_pctfalse_positive_ratelegitimate_throughput_rpsp99_latency_ms
Test Your Understanding
2In the STRIDE threat model, what does the 'I' stand for?