Understanding Broken Object Level Authorization: The Quiet Access Control Failure Undermining Today’s Apps

3/5/2026 12:00:00 PM [(UTC-05:00) Eastern Time (US & Canada)] - Can't make the live event? Register anyway to receive a link to the recording.

Webinar Registration

Broken Object Level Authorization (BOLA) isn’t new, but it is the most consistently exploited access control failure in modern applications—cloud, API-driven, and even line-of-business systems. And the reason is simple: developers keep trusting the client, and security teams keep assuming authorization is happening somewhere else. Meanwhile, attackers quietly enumerate object IDs, pivot through APIs, and harvest data they were never supposed to see.

If you’ve been a part of the coding and security worlds since the ’80s, it’s fascinating how much coding stays the same, yet how much changes in the context in which code executes can affect the security dynamics.  OWASP API1:2023 – Broken Object Level Authorization – is a great example of what I’m talking about.  For my entire career it’s been best practice – and kind of obvious – to use a unique ID to reference objects (i.e. records, rows).  (You can trace the concept back to at least 1976 in a paper by Owlett and Todd, but most of us learned about it from the relational database concepts Codd first wrote about a few years later.)  This key is called a surrogate key or synthetic primary key.  It can be an integer, UUID or any other sequence of bytes that is unique to that object and never needs to change for the life of that object.

For decades after that we’ve all been merrily – and securely – referencing object IDs and accepting them as parameters without needing to worry about whether the calling function could be trusted, because we controlled all the code and the code ran on systems under our control.

So we didn’t really need to worry, if, say, we were writing an UpdateCustomerPhoneNumber(int CustId, string PhoneNumber) function, about whether the customer ID supplied in the parameter referenced a customer the end user had authority to change.  We could verify by looking at the UI source code that the user had only been presented with accounts they were authorized to update in the first place.  And since we controlled the code and the system it was running on, we could rely on those upstream checks.

(One could argue that the short-lived client/server model of apps was vulnerable to broken object level authorization – and one of my managers in the 90s even made that argument – but the client apps were usually running on a private network on systems managed by the same organization and frankly we weren’t very worried about someone taking the client EXE, de-compiling it and working out how to impersonate the client to fool the server side.  Before we knew it, client/server was replaced by web apps and the front-end even for internal apps was browser-based.)

Until fairly recently, even in web applications it was safe to rely on object IDs and prior authorization checks, since all the meaningful programming logic and business rules ran on the application server and there were integrity checks made on session data received back from the web browser client.

My perhaps long-winded point is that there are literally decades of travel worn into the road of passing, receiving and acting upon object IDs without thinking twice about it, and you were more or less safe doing so in the coding contexts of all that time.

But the context has shifted in today’s code and with it the security dynamics.

The new context that so much code runs in today is the API.  Now, the term API (application programming interface) has been around for decades as well, but an API in 2026 is not the same thing as an API from a few years ago.

Today when you talk about APIs you don’t just mean a set of function calls that have been published in such a way that a different program can call them.  The term API has accreted the added meaning that the interface is now published to the internet and can potentially be called by anything and anyone (assuming authentication passes).

With modern APIs there can be no reliance on prior authorization checks having limited which object IDs show up in later calls.
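To make the shift concrete, here is a constructed Python version of the UpdateCustomerPhoneNumber operation from above, first written the old way (trusting the supplied ID) and then with the object-level check performed on the server for every call. This is an added example, not code from the session; the in-memory store, the Caller type and the function names are assumptions made for illustration.

```python
"""Vulnerable vs. hardened handling of the page's
UpdateCustomerPhoneNumber(CustId, PhoneNumber) operation.
Added example, not the presenter's code: the in-memory store, the Caller
type and the function names are assumptions made for illustration."""
from dataclasses import dataclass

# Constructed sample data: which account owns which customer record.
CUSTOMERS = {
    1001: {"owner": "alice", "phone": "555-0100"},
    1002: {"owner": "bob", "phone": "555-0200"},
}

@dataclass(frozen=True)
class Caller:
    """Identity established by authentication (session, token), never
    taken from the request body or query string."""
    user: str
    is_admin: bool = False

def phone_of(cust_id: int) -> str:
    return CUSTOMERS[cust_id]["phone"]

def update_phone_vulnerable(cust_id: int, phone: str) -> bool:
    """BOLA: the handler trusts the client-supplied ID and never asks who is
    calling, so any authenticated caller can change any customer's number."""
    if cust_id not in CUSTOMERS:
        return False
    CUSTOMERS[cust_id]["phone"] = phone
    return True

def may_modify(caller: Caller, cust_id: int) -> bool:
    """Object-level check evaluated on the server for every request: the
    record must belong to the caller, or the caller must be an admin."""
    record = CUSTOMERS.get(cust_id)
    if record is None:
        return False
    return caller.is_admin or record["owner"] == caller.user

def update_phone_hardened(caller: Caller, cust_id: int, phone: str) -> bool:
    """Same operation with the check applied before the object is touched.
    A missing ID and a foreign ID both yield False, so the response does not
    tell the caller which IDs exist."""
    if not may_modify(caller, cust_id):
        return False
    CUSTOMERS[cust_id]["phone"] = phone
    return True
```

The point of the hardened version is that the decision depends only on the authenticated identity and the object's ownership, not on which IDs the UI happened to show the user earlier.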

In this real training for free session, I’ll be exploring Broken Object Level Authorization.  I’ll show you coding examples with the vulnerability and then show you how to identify code where this hole is plugged. 

Then we’ll get straight to what matters: how BOLA actually happens in real systems, why traditional security reviews miss it, and what you can do to detect and prevent it across your environment. We’ll walk through concrete examples—REST APIs, GraphQL, microservices, and even older monolithic apps—to show how subtle logic oversights turn into full-blown data exposure.

You’ll learn:

  • Why object-level authorization is fundamentally different from role-based access control—and why confusing the two leads to catastrophic blind spots
  • How attackers discover and exploit insecure direct object references (IDOR) using nothing more than predictable identifiers and unauthenticated endpoints
  • How to instrument your applications, APIs, and gateways to enforce server-side authorization checks consistently and centrally
  • Practical detection strategies using logs, API gateways, and behavioral analytics to spot enumeration and unauthorized access attempts
  • A repeatable review methodology you can apply to any application—legacy or cloud-native—to uncover BOLA issues before attackers do
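One form the log-based detection mentioned above can take, as an added example that is not the presenter's or A10's tooling: a pass over constructed access-log lines that flags principals touching many distinct object IDs in one collection while being denied on several of them. The log format, field names and thresholds are assumptions for illustration.

```python
"""Spotting object-ID enumeration in API access logs, as an added example
(not the presenter's or the sponsor's tooling). The log format, the
thresholds and the sample lines below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed log lines: timestamp principal method path status
LOG_LINES = """\
2026-03-05T12:00:01Z alice GET /api/customers/1001 200
2026-03-05T12:00:02Z alice GET /api/customers/1002 403
2026-03-05T12:00:02Z alice GET /api/customers/1003 403
2026-03-05T12:00:03Z alice GET /api/customers/1004 404
2026-03-05T12:00:03Z alice GET /api/customers/1005 403
2026-03-05T12:00:04Z alice GET /api/customers/1006 200
2026-03-05T12:00:09Z bob GET /api/customers/1002 200
2026-03-05T12:00:10Z bob PUT /api/customers/1002 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /api/(\w+)/(\d+) (\d{3})$")

def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, method, coll, obj_id, status = m.groups()
    return {"ts": ts, "user": user, "method": method,
            "collection": coll, "id": int(obj_id), "status": int(status)}

def enumeration_suspects(lines, min_ids=4, min_denied=3):
    """Group requests by (principal, collection) and flag groups that touched
    many distinct object IDs and were denied on several of them: the
    footprint of an ID-guessing sweep. A sweep that also got 200s on IDs
    the principal should not own is the case worth paging someone for."""
    stats = defaultdict(lambda: {"ids": set(), "denied": 0, "allowed": 0})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        s = stats[(ev["user"], ev["collection"])]
        s["ids"].add(ev["id"])
        s["denied" if ev["status"] in (403, 404) else "allowed"] += 1
    suspects = {}
    for key, s in stats.items():
        ids = sorted(s["ids"])
        if len(ids) >= min_ids and s["denied"] >= min_denied:
            suspects[key] = {"distinct_ids": len(ids), "denied": s["denied"],
                             "allowed": s["allowed"],
                             # contiguous IDs suggest a sequential scan
                             "sequential": ids[-1] - ids[0] + 1 == len(ids)}
    return suspects
```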

Our sponsor for this real training for free event is A10 Networks, and Carlo Alpuerto will speak to using the attacker-centric approach to addressing security against this type of attack.

Please join us for this real training for free session.
