7. Broken Object-Level Authorization (BOLA)
Tools fail to bind resource access to user identity, allowing horizontal privilege escalation.
Example:
GET /get_report?id=9231 # Returns another user's report
Mitigation:
- Token-bound resource checks
- Alert on cross-tenant access
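As an added illustration, not code from the original page, the following Python shows a report handler with the flaw described above next to a token-bound version that also records cross-tenant attempts; the report store, the token-to-identity map and the alert sink are all constructed for the example.

```python
# Added example, not the page's code: a BOLA-prone handler beside a token-bound one.
# Constructed sample data: reports keyed by id, each with an owner and tenant.
REPORTS = {
    9231: {"owner": "user-42", "tenant": "acme",   "body": "Q3 financials"},
    9232: {"owner": "user-7",  "tenant": "acme",   "body": "HR review"},
    9300: {"owner": "user-99", "tenant": "globex", "body": "Roadmap"},
}
# Constructed bearer-token -> identity map, standing in for real token validation.
TOKENS = {
    "tok-user7":  {"sub": "user-7",  "tenant": "acme"},
    "tok-user99": {"sub": "user-99", "tenant": "globex"},
}
ALERTS = []  # detection sink; a real service would forward these to a SIEM

class Forbidden(Exception):
    pass

def get_report_vulnerable(token: str, report_id: int) -> str:
    """BOLA: the caller is authenticated, but the object is never tied to them."""
    if token not in TOKENS:
        raise Forbidden("unauthenticated")
    return REPORTS[report_id]["body"]  # any valid token can read any id

def get_report_fixed(token: str, report_id: int) -> str:
    """Token-bound resource check: the report must belong to the token's subject."""
    identity = TOKENS.get(token)
    if identity is None:
        raise Forbidden("unauthenticated")
    report = REPORTS.get(report_id)
    if report is None or report["owner"] != identity["sub"]:
        # Alert on cross-tenant access; same-tenant misses are denied without an alert.
        if report is not None and report["tenant"] != identity["tenant"]:
            ALERTS.append(
                f"cross-tenant access: {identity['sub']}@{identity['tenant']} "
                f"requested report {report_id} owned by tenant {report['tenant']}"
            )
        # One error for "missing" and "not yours", so ids cannot be probed by response.
        raise Forbidden("not found")
    return report["body"]

def is_denied(handler, token: str, report_id: int) -> bool:
    """True when the handler refuses the request (used by the checks below)."""
    try:
        handler(token, report_id)
    except Forbidden:
        return True
    return False
```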