OWASP API Top 10 · API1:2023 Broken Object Level Authorization (BOLA) · voice-validated
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for Object Level Access Control issues. Object-level authorisation checks should be considered in every function that accesses a data source using an ID from the user. BOLA is the most common API vulnerability.
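As an added illustration (not part of the OWASP text or of SQUR's page), the lookup pattern the paragraph describes in minimal Python: an endpoint that trusts a user-supplied invoice ID beside a hardened one that evaluates the ownership check inside the accessor itself and records denials for auditing. The in-memory store, user IDs and invoice IDs are constructed sample values.

```python
# Added example (not from the page): object-level authorization on an
# ID-keyed lookup. A constructed in-memory "database" stands in for a real
# data source; INVOICES and the user IDs below are sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: invoice 101 belongs to user 1, 102 to user 2.
INVOICES = {
    101: Invoice(101, owner_id=1, amount_cents=12_500),
    102: Invoice(102, owner_id=2, amount_cents=990_000),
}

# Denied cross-owner reads, as (caller_id, invoice_id). Feeding this to the
# audit log is what lets detection spot one principal walking many IDs.
AUDIT_LOG: list[tuple[int, int]] = []


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours', so the hardened
    endpoint does not reveal which IDs exist (no enumeration oracle)."""


def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> Invoice:
    # Authentication happened (caller_id is known), but the lookup is keyed
    # only on the user-supplied ID: any authenticated user can read any
    # invoice by changing the ID. This is BOLA (CWE-639).
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound
    return inv


def get_invoice(caller_id: int, invoice_id: int) -> Invoice:
    # Hardened: the ownership predicate lives in the accessor, so every code
    # path that resolves a user-supplied ID goes through it.
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound
    if inv.owner_id != caller_id:
        AUDIT_LOG.append((caller_id, invoice_id))
        raise NotFound
    return inv


def can_read(caller_id: int, invoice_id: int, handler) -> bool:
    """True if `handler` lets caller_id read invoice_id, else False."""
    try:
        handler(caller_id, invoice_id)
        return True
    except NotFound:
        return False
```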
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1592 | Attackers gather victim identity information by enumerating object IDs to test for Broken Object Level Authorization (BOLA) vulnerabilities. | 80% |
| T1595.002 | Active scanning, specifically vulnerability scanning, identifies API endpoints and object ID patterns susceptible to BOLA exploitation. | 70% |
| T1005 | Exploiting BOLA allows attackers to collect data from local systems by accessing unauthorized data objects directly. | 90% |
| T1119 | Automated collection scripts are used to systematically access and collect multiple unauthorized objects after a BOLA vulnerability is identified. | 80% |
| T1041 | Collected unauthorized data is exfiltrated over command and control channels, sending sensitive object data to attacker-controlled infrastructure. | 80% |
| T1567 | Data exfiltration occurs over web services, directly leveraging the compromised API endpoint to transfer unauthorized object data. | 90% |
| T1485 | Attackers can destroy data by deleting unauthorized objects through a BOLA vulnerability, leading to data loss. | 80% |
| T1490 | Inhibit system recovery by deleting critical data objects or configurations accessible via BOLA, hindering restoration efforts. | 70% |
| T1133 | External remote services are accessed using valid credentials, which are then used to exploit BOLA for unauthorized object access. | 70% |
| T1136.001 | BOLA can enable attackers to create new accounts or modify existing ones with elevated privileges, establishing persistence. | 70% |
| T1078.004 | Valid accounts with low privileges are used to bypass object-level authorization checks, accessing data they should not. | 90% |
| T1068 | Exploitation for privilege escalation occurs when BOLA allows a low-privileged user to access or manipulate objects belonging to higher-privileged users. | 90% |
| T1530 | If the API interacts with cloud storage, BOLA can allow access to unauthorized data objects stored in the cloud. | 70% |
| T1552.001 | BOLA can expose unsecured credentials if the API allows unauthorized access to objects containing sensitive authentication information. | 70% |
| T1083 | File and directory discovery is performed by manipulating object IDs to uncover unauthorized files or directories via the API. | 80% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1030 | Network segmentation isolates API components, limiting the scope of unauthorized access if BOLA is exploited. | 80% |
| M1035 | Limiting access to resources over the network restricts who can interact with the API, reducing the attack surface for BOLA. | 90% |
| M1038 | User account management ensures proper authorization roles are defined and enforced at the object level, preventing BOLA. | 100% |
| M1047 | Auditing and logging detect and record unauthorized access attempts to objects, aiding in the identification of BOLA exploits. | 90% |
| M1028 | Operating system configuration secures the underlying infrastructure hosting the API, adding a layer of defense against BOLA. | 80% |
| M1036 | Account use policies enforce strong authentication and authorization, directly addressing the root cause of BOLA vulnerabilities. | 90% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-285 | Improper Authorization is the core weakness of BOLA, where the API fails to adequately verify user permissions for requested objects. | 100% |
| CWE-639 | Authorization Bypass Through User-Controlled Key directly describes BOLA, where attackers manipulate object IDs to gain unauthorized access. | 100% |
| CWE-863 | Incorrect Authorization indicates that authorization logic is present but flawed, allowing bypasses like BOLA. | 90% |
| CWE-862 | Missing Authorization occurs when no authorization check is performed on an object, making it vulnerable to BOLA. | 90% |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor is a common consequence of BOLA, leading to data breaches. | 90% |
| CWE-276 | Incorrect Default Permissions can lead to BOLA if newly created objects inherit overly permissive access controls. | 80% |
| CWE-732 | Incorrect Permission Assignment for Critical Resource means critical objects have misconfigured permissions, making them vulnerable to BOLA. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0179 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation