During a grey-box assessment of an organization's RESTful web service, the tester obtains a valid API key tied to account ID 164. The endpoint /api/v2/users/164 responds with that user's details, but no other authentication controls are observed. Which single request would best confirm a Broken Object Level Authorization (BOLA) weakness?
Add the header Host: 127.0.0.1 to the original GET request to attempt host-header injection.
Append the payload ?id=164 OR 1=1-- to the endpoint to test for SQL injection errors.
Issue a TRACE request to /api/v2/users/164 to check if the server echoes the header contents.
Send GET /api/v2/users/165 with the same API key and observe whether another user's data is returned.
BOLA occurs when an API grants access to an object after verifying only that the caller is authenticated, without checking whether that caller is authorized to access that particular object. The quickest way to confirm the flaw is to change the object identifier in the URI while keeping everything else, including the legitimate API key, the same. If the server returns another user's record (one whose ID differs from the account the key belongs to), the object-level authorization check is missing. A useful control is to repeat the request with no API key at all: if that also succeeds, the problem is missing authentication rather than BOLA. TRACE requests, host-header tampering, and SQL injection payloads test different weaknesses and would not directly prove a BOLA condition.
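The following is an added example, not code from the original page, that models the probe described above as offline Python: a toy /api/v2/users/{id} handler that only checks the API key (the BOLA condition), the same handler with an ownership check, and a probe that sends the neighbouring ID with the same key plus a no-key control request. The user records, key values and handler names are constructed placeholders.

```python
"""Toy model of /api/v2/users/{id} with a BOLA probe (constructed example)."""
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data, not from the original page.
USERS: Dict[int, dict] = {
    164: {"id": 164, "email": "tester@example.test", "role": "user"},
    165: {"id": 165, "email": "victim@example.test", "role": "user"},
}
# API key -> owning account ID. Placeholder values, not real credentials.
API_KEYS: Dict[str, int] = {"key-for-164": 164, "key-for-165": 165}

Response = Tuple[int, Optional[dict]]  # (HTTP status, JSON body)
Handler = Callable[[Optional[str], int], Response]


def get_user_vulnerable(api_key: Optional[str], user_id: int) -> Response:
    """Authenticates the caller but never checks object ownership: BOLA."""
    if api_key not in API_KEYS:
        return 401, None
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)


def get_user_fixed(api_key: Optional[str], user_id: int) -> Response:
    """Same endpoint with an object-level authorization check."""
    if api_key not in API_KEYS:
        return 401, None
    caller_id = API_KEYS[api_key]
    # The caller may only read its own record. Answering 404 rather than 403
    # avoids confirming that other IDs exist (an enumeration oracle).
    if caller_id != user_id:
        return 404, None
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)


def probe_bola(handler: Handler, api_key: str, own_id: int, other_id: int) -> str:
    """Reproduce the tester's check: same key, neighbouring object ID.

    Returns one of:
      "inconclusive"    - the key cannot even read its own record
      "unauthenticated" - the other record is served with no key at all,
                          so this is missing authentication, not BOLA
      "bola"            - the other record is served only because of our key
      "not_vulnerable"  - the other record is refused
    """
    status, body = handler(api_key, own_id)
    if status != 200 or body is None or body.get("id") != own_id:
        return "inconclusive"
    # Control request: with no credential the endpoint must refuse.
    status, _ = handler(None, other_id)
    if status == 200:
        return "unauthenticated"
    status, body = handler(api_key, other_id)
    if status == 200 and body is not None and body.get("id") == other_id:
        return "bola"
    return "not_vulnerable"


if __name__ == "__main__":
    for name, h in (("vulnerable", get_user_vulnerable), ("fixed", get_user_fixed)):
        print(f"{name}: {probe_bola(h, 'key-for-164', 164, 165)}")
```

Against a real target the two handler calls become the GET /api/v2/users/164 and GET /api/v2/users/165 requests carrying the same key; the classification logic is the same, and the returned record's ID (not just a 200 status) is what proves the wrong object was served.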
Certified Ethical Hacker (CEH)
Web Application Hacking