Technique entry
W-BOLA · Privilege Escalation
Broken Object Level Authorization (API BOLA)
OWASP API Security Top 10 #1 (API1:2023) — IDOR applied to REST/GraphQL APIs: the server resolves an object by the client-supplied ID without checking that the authenticated requester is entitled to that object. Check every resource ID against the requester, on every operation, not just on reads.
§ Where this technique fits
W-BOLA is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 5.5 on average (steps 5 and 6 of the two chains below).
§ Dossiers chaining this technique
- step 5 / 6 · GraphQL introspection → BOLA → mass enum
  The GraphQL endpoint exposes its full schema via introspection. Discover an unauthenticated or under-authorized resolver, then enumerate every user's data by iterating object IDs.
- step 6 / 6 · Root detection + SSL pinning bypass → MITM the API
  Rooted test device with Frida. Hook the app's root-detection and OkHttp CertificatePinner, route traffic through Burp, and expose the entire authenticated API surface.
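The core check this entry asks for ("every resource ID against the requester") and the mass-enumeration step of the first dossier, as one added example. This is not code from the catalogue entry or from any listed dossier: the Invoice model, the handler names, the sample users and the ID range are hypothetical, standing in for whatever object the target API serves.

```python
"""BOLA in a toy object-level API: a vulnerable lookup, the fixed lookup, and the
tester-side ID sweep the dossier describes.

Added example, not code from the catalogue entry or any listed dossier. The
Invoice model, the handler names and the sample users are hypothetical."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str          # the subject this object belongs to
    amount: int


class NotFound(Exception):
    """Raised for missing objects and, in the fixed handler, for foreign ones."""


# Constructed sample data: sequential IDs shared across tenants, which is what
# makes iteration cheap for an attacker.
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 75),
    1003: Invoice(1003, "alice", 310),
    1004: Invoice(1004, "carol", 990),
}

Handler = Callable[[str, int], Invoice]


def get_invoice_vulnerable(requester: str, invoice_id: int) -> Invoice:
    """BOLA: `requester` is an authenticated session, but the object is fetched
    purely by the client-supplied ID. Any valid token reads any invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_fixed(requester: str, invoice_id: int) -> Invoice:
    """Object-level authorization: the ownership check is evaluated against the
    object itself, on every call, not against the caller's role. A foreign ID
    is answered exactly like a missing one so the endpoint does not confirm
    that the object exists. In SQL this is the difference between
    `WHERE id = ?` and `WHERE id = ? AND owner = ?`."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != requester:
        raise NotFound(invoice_id)
    return inv


def denied(handler: Handler, requester: str, invoice_id: int) -> bool:
    """True if the handler refuses to return the object to this requester."""
    try:
        handler(requester, invoice_id)
    except NotFound:
        return True
    return False


def sweep_ids(handler: Handler, requester: str, start: int, stop: int) -> dict:
    """Tester-side mass enumeration: walk a contiguous ID range as one
    requester and record every object that came back but belongs to someone
    else. A non-empty result is a BOLA finding."""
    leaked = {}
    for invoice_id in range(start, stop):
        try:
            inv = handler(requester, invoice_id)
        except NotFound:
            continue
        if inv.owner != requester:
            leaked[invoice_id] = inv.owner
    return leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("fixed", get_invoice_fixed)):
        print(name, "as bob:", sweep_ids(handler, "bob", 1000, 1010))
```

The sweep is the same loop whether the target is a REST path or a GraphQL query with an `id` argument; against a live API it needs two sessions, one per tenant, so that "came back but is not mine" can be decided from the response rather than from a known owner field. The fixed handler answers foreign IDs with the same NotFound as missing ones on purpose: a distinct 403 turns the endpoint into an existence oracle even after the data leak is closed.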
§ What commonly comes next
- 01 · Exfiltration Over C2 Channel (T1041 · Exfiltration) · seen 1×