Anatomy of an API Attack

Broken Object Level Authorization (BOLA)

In this episode, we cover how attackers exploit broken object-level authorization (BOLA) flaws: by tampering with API requests, typically altering an object identifier such as an account, order, or document ID, they gain access to data or functionality they are not authorized for, because the API checks that the caller is authenticated but not that the caller owns the requested object. This issue is #1 (API1) on the OWASP API Security Top 10, and potential impacts include privilege escalation, data exposure, privacy erosion, and account compromise.
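The following is an added illustration, not code from the episode or from Salt Labs: a constructed in-memory model of an "orders" API endpoint. The vulnerable handler authenticates the caller and then fetches the order by ID alone, so any valid user can read any order simply by changing the identifier; the fixed handler adds the object-level ownership check. The enumeration helper shows the attacker's side: a legitimate session plus a sweep of sequential IDs. The order data, tokens, and user names are all constructed for the example.

```python
"""Constructed model of a BOLA flaw and its fix (added example, not the page's own code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Order:
    order_id: int
    owner: str
    contents: str


# Constructed sample data: two customers, three orders with sequential IDs.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", "1x laptop, ship to 12 Main St"),
    1002: Order(1002, "bob", "2x phone, ship to 9 Elm Rd"),
    1003: Order(1003, "alice", "1x monitor, ship to 12 Main St"),
}

# Stand-in for whatever session/bearer-token scheme the API uses (constructed).
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}

Response = Tuple[int, dict]
Handler = Callable[[str, int], Response]


def authenticate(token: str) -> Optional[str]:
    """Map a bearer token to a user name; None if the token is unknown."""
    return SESSIONS.get(token)


def get_order_vulnerable(token: str, order_id: int) -> Response:
    """GET /orders/{id} with the BOLA flaw: authentication only, no ownership check."""
    user = authenticate(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    # Bug: `user` is never compared to `order.owner`, so any ID the caller guesses is served.
    return 200, {"order_id": order.order_id, "contents": order.contents}


def get_order_fixed(token: str, order_id: int) -> Response:
    """Same endpoint with object-level authorization: the order must belong to the caller."""
    user = authenticate(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    # Use the same 404 for "missing" and "not yours" so an attacker cannot confirm an ID exists.
    if order is None or order.owner != user:
        return 404, {"error": "not found"}
    return 200, {"order_id": order.order_id, "contents": order.contents}


def enumerate_orders(handler: Handler, token: str, start: int, stop: int) -> Dict[int, str]:
    """Attacker's view: one valid session, sequential IDs. Returns every record the handler served."""
    leaked: Dict[int, str] = {}
    for oid in range(start, stop):
        status, body = handler(token, oid)
        if status == 200:
            leaked[oid] = body["contents"]
    return leaked


def foreign_records_leaked(handler: Handler, token: str) -> int:
    """Count records served to this caller that belong to a different user."""
    user = authenticate(token)
    served = enumerate_orders(handler, token, 1000, 1010)
    return sum(1 for oid in served if ORDERS[oid].owner != user)


if __name__ == "__main__":
    # Bob sweeps IDs 1000-1009 with his own valid token against each version of the endpoint.
    print("vulnerable:", enumerate_orders(get_order_vulnerable, "tok-bob", 1000, 1010))
    print("fixed:     ", enumerate_orders(get_order_fixed, "tok-bob", 1000, 1010))
```

Against the vulnerable handler, Bob's sweep returns all three orders, two of them Alice's; against the fixed handler it returns only his own. The check belongs in the handler (or a shared authorization layer invoked by every handler), not in the client, and it must compare the authenticated principal to the owner recorded on the object itself rather than trusting any user or account ID carried in the request.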

To learn more about this attack vector, check out this Salt Labs threat research blog.

About the Anatomy of an API Attack video series
The goal is to provide a deeper understanding of attacker techniques so that you’re better equipped to protect your APIs and build an API security strategy. Organizations increasingly rely on APIs to power their business and provide access to valuable data. Attackers know this and are constantly looking for API flaws to exploit with tools, motivation, and time on their side.
