Understanding the #1 OWASP API vulnerability, Broken Object Level Authorization
Author: APIsec University
Uploaded: 2025-10-21
Views: 334
In this OWASP October session, Corey Ball, author of Hacking APIs, joins Dan Barahona to explore why BOLA remains the most common and dangerous flaw in API ecosystems. Together, they unpack real-world breaches, explain why traditional testing often misses these issues, and walk through a live demo showing how attackers exploit weak object-level controls - and how to prevent them.
In this session, you’ll learn:
What causes BOLA and why it tops the OWASP API Top 10
Real-world BOLA exploits from USPS, McHire, Bumble, and robotics APIs
How authorization logic breaks - and how to test it correctly
Live demo: testing a vulnerable API using Postman & Burp Suite
Practical mitigation strategies for secure API design
This session is where theory meets hands-on security: the perfect start to OWASP October.
https://www.apisecuniversity.com/discord - Connect with us on Discord to discuss OWASP, bug bounty, API security, and more. Explore opportunities through the APIsec Ambassador Program, monthly scholarships, and exclusive tools like App Bolt for live traffic inspection and API analysis.
#APIsecUniversity #APISecurity #OWASPTop10 #BOLA #CoreyBall #HackingAPIs #BrokenObjectLevelAuthorization #PenTesting #AppSec #BugBounty #CTF #APIvulnerabilities #OWASP #CybersecurityEducation #SecurityTesting #APIhacking #APIsecurityTraining