Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

BOLA and the legitimate request problem: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Broken Object Level Authorization remains the #1 API risk because valid tokens, clean syntax, and standard endpoints can still hide unauthorised access to accounts, records, and payment data, according to Upstream Security. The control failure is behavioural, not syntactic: perimeter tools that inspect requests in isolation cannot prove object-level authorisation.

NHIMG editorial — based on content published by Upstream Security: Rethinking the Perimeter, BOLA, and the illusion of the legitimate request

By the numbers:

Questions worth separating out

Q: How should security teams prevent BOLA in modern API environments?

A: Security teams should enforce object-level authorisation inside the application, not at the edge.

Q: Why do valid API requests still create breach risk?

A: Valid API requests still create breach risk because authentication proves the caller is known, not that the caller is entitled to the specific object.

Q: What do security teams get wrong about API perimeter controls?

A: They assume syntax inspection and request reputation are enough.

Practitioner guidance

  • Bind object access to authenticated subject context Require the application to verify that the caller is entitled to the specific record, booking, or resource requested, rather than trusting an identifier alone.
  • Instrument object-level access telemetry Log which identity accessed which object, at what rate, and through which transaction path, then alert on cross-object scraping and high-velocity enumeration.
  • Test for BOLA with business-context abuse cases Add negative tests that swap object IDs, replay booking codes, and vary session context across endpoints so security reviews prove the authorisation decision, not just the endpoint format.

What's in the full article

Upstream Security's full article covers the operational detail this post intentionally leaves for the source:

  • Endpoint-by-endpoint breakdown of how the airline reservation flaw exposed data.
  • Examples of why stateless WAF and gateway controls missed the abuse pattern.
  • Discussion of runtime behavioural analysis for detecting object enumeration.
  • The article's own framing of AI agents and MCP servers in the perimeter debate.

👉 Read Upstream Security's analysis of BOLA and the legitimate request problem →

BOLA and the legitimate request problem: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

BOLA is an object-authorisation failure, not a perimeter failure. The article is right to frame the problem as legitimate traffic that breaks business context. Traditional controls can verify syntax, source, and token validity while still missing the one decision that matters: whether the caller may access that specific object. Practitioners should treat BOLA as evidence that access control has moved inside the application decision path, where network controls cannot see it.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
  • 48% of companies cannot track and audit the data their AI agents access, leaving them with a compliance and investigation blind spot, according to AI Agents: The New Attack Surface report.

A question worth separating out:

Q: Who is accountable when policy-based access controls fail?

A: Accountability sits with the identity, security, and business owners who define policy, approve exceptions, and accept residual risk. If access decisions are not tied to clear ownership and evidence, failures become hard to explain during audit, incident response, or regulatory review. Governance only works when someone owns the policy outcome.

👉 Read our full editorial: BOLA exposes why the legitimate request is no longer trustworthy



   
ReplyQuote
Share: