Fix BOLA (Broken Object Level Authorization) in Axum
BOLA (Broken Object Level Authorization), formerly known as IDOR (Insecure Direct Object Reference), is the apex predator of API vulnerabilities. In Axum, it occurs when your route handlers trust the `Path` or `Query` parameters without verifying that the authenticated user actually owns the resource. If you're fetching `/api/orders/{id}` and only checking whether the ID exists, any user can scrape your entire database by incrementing integers. To kill BOLA, you must enforce ownership at the database query level using the caller's identity context.
The Vulnerable Pattern
use axum::{extract::{Extension, Path}, http::StatusCode, Json};
use sqlx::PgPool;

// Row type for `sqlx::query_as!`. Its fields must match every column the query selects;
// the two columns shown here are an assumption, the page does not give the schema.
#[derive(serde::Serialize)]
struct Order {
    id: i64,
    user_id: i64,
}

async fn get_order(
    Path(order_id): Path<i64>,
    Extension(pool): Extension<PgPool>,
) -> Result<Json<Order>, StatusCode> {
    // VULNERABLE: No ownership check. Any authenticated user can access any order_id.
    let order = sqlx::query_as!(Order, "SELECT * FROM orders WHERE id = $1", order_id)
        .fetch_one(&pool)
        .await
        .map_err(|_| StatusCode::NOT_FOUND)?;
    Ok(Json(order))
}
The Secure Implementation
The fix involves two layers:
1. Identity Extraction: Use an Axum extractor (like `Claims` or `CurrentUser`) to pull the validated user ID from the session or JWT.
2. Scoped Queries: Never query by object ID alone. Always include the `user_id` in the `WHERE` clause. This ensures the database engine enforces authorization, preventing unauthorized data access even if the application logic is complex. For multi-tenant systems, add a `tenant_id` check as well.
Returning a `404 Not Found` instead of a `403 Forbidden` is often preferred, because it prevents attackers from confirming the existence of resources they don't own.
use axum::{extract::{Extension, Path}, http::StatusCode, Json};
use sqlx::PgPool;

// `Order` is the same row type as in the vulnerable example.
// `Claims` is the custom extractor (it implements axum's `FromRequestParts`) that
// verifies the JWT/session and exposes the validated `user_id`.
async fn get_order(
    Path(order_id): Path<i64>,
    auth: Claims, // Custom extractor verifying JWT/Session
    Extension(pool): Extension<PgPool>,
) -> Result<Json<Order>, StatusCode> {
    // SECURE: Query is scoped to the authenticated user_id.
    // Even if the user guesses an order_id, the database returns nothing if they don't own it.
    let order = sqlx::query_as!(
        Order,
        "SELECT * FROM orders WHERE id = $1 AND user_id = $2",
        order_id,
        auth.user_id
    )
    .fetch_optional(&pool)
    .await
    .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;

    match order {
        Some(o) => Ok(Json(o)),
        None => Err(StatusCode::NOT_FOUND), // Return 404 to prevent resource enumeration
    }
}
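The property the secure handler relies on (a foreign order and a non-existent order both come back as 404, and a tenant mismatch is treated the same way) is easy to regression-test without a database. The following dependency-free Rust model is an added example, not code from the original page or from Axum/sqlx; `Identity`, `OrderStore` and `Outcome` are assumed names standing in for the `Claims` extractor, the `orders` table and the handler's HTTP result.

```rust
// Added example, not from the original page: a dependency-free model of the
// ownership-scoped lookup so the anti-enumeration property can be unit-tested.
// `Identity`, `OrderStore` and `Outcome` are assumed names, not Axum or sqlx types.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct Order { pub id: i64, pub user_id: i64, pub tenant_id: i64 }

/// What a `Claims`-style extractor hands the handler after validating the JWT/session.
pub struct Identity { pub user_id: i64, pub tenant_id: i64 }

/// Stand-in for the handler's result: 200 with the body, or 404.
#[derive(Debug, PartialEq)]
pub enum Outcome { Found(Order), NotFound }

pub struct OrderStore { rows: HashMap<i64, Order> }

impl OrderStore {
    pub fn new(rows: Vec<Order>) -> Self {
        Self { rows: rows.into_iter().map(|o| (o.id, o)).collect() }
    }

    /// Equivalent of the vulnerable query: `WHERE id = $1`.
    /// Existence alone decides the answer, so any caller can walk the id space.
    pub fn get_unscoped(&self, order_id: i64) -> Outcome {
        self.rows.get(&order_id).cloned().map_or(Outcome::NotFound, Outcome::Found)
    }

    /// Equivalent of the secure query:
    /// `WHERE id = $1 AND user_id = $2 AND tenant_id = $3`.
    /// A row owned by someone else and a row that does not exist both yield
    /// NotFound, so the response never confirms that a foreign id is real.
    pub fn get_scoped(&self, order_id: i64, who: &Identity) -> Outcome {
        match self.rows.get(&order_id) {
            Some(o) if o.user_id == who.user_id && o.tenant_id == who.tenant_id => {
                Outcome::Found(o.clone())
            }
            _ => Outcome::NotFound,
        }
    }
}

/// Returns true when the scoped lookup gives a caller the same answer for a
/// foreign order as for an id that does not exist at all.
pub fn foreign_and_missing_indistinguishable(store: &OrderStore, who: &Identity, foreign: i64, missing: i64) -> bool {
    store.get_scoped(foreign, who) == store.get_scoped(missing, who)
        && store.get_scoped(missing, who) == Outcome::NotFound
}
```

Wire the same assertions against the real handler in an integration test (one user's token, another user's order id) to catch a regression that drops the `user_id` or `tenant_id` predicate from the query.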
Verified by Ghost Labs Security Team