How to fix BOLA (Broken Object Level Authorization) in Plug
Executive Summary
BOLA (Broken Object Level Authorization) remains the apex predator of API vulnerabilities. In Elixir/Plug applications, this manifests when developers blindly trust client-supplied resource IDs. If your controller fetches a record by ID without scoping it to the authenticated user's context, you're leaking data. Stop relying on obscurity; enforce ownership at the query level.
The Vulnerable Pattern
def show(conn, %{"id" => id}) do
  # VULNERABLE: Direct access via ID.
  # An attacker can iterate 'id' to scrape the entire table.
  resource = Repo.get(UserResource, id)
  render(conn, "show.json", resource: resource)
end
The Secure Implementation
The fix is scoped queries, applied without exception. Never use a global lookup like Repo.get/2 for resources that have an owner. Instead, use Repo.get_by/2 and include the owner_id taken from the authenticated session (conn.assigns), never from request parameters. The ownership check then becomes a WHERE clause, so the database enforces authorization on every lookup. If a user requests an ID they don't own, the application answers 404, exactly as it would for a non-existent ID; this prevents both data leakage and resource enumeration, since a foreign ID and a missing ID are indistinguishable to the client.
def show(conn, %{"id" => id}) do
  user = conn.assigns.current_user

  # SECURE: Query is scoped to the current user's ID.
  # If the ID belongs to another user, Repo.get_by returns nil.
  case Repo.get_by(UserResource, id: id, user_id: user.id) do
    nil ->
      conn
      |> put_status(:not_found)
      |> json(%{error: "Resource not found or access denied"})

    resource ->
      render(conn, "show.json", resource: resource)
  end
end
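The snippet above fixes one action. In practice the same flaw reappears in index, update and delete unless the scoping lives in one place. The following is an added example, not code from the original page or from Ghost Labs: it centralises the ownership WHERE clause in a single query builder that every owner-bound operation goes through, and closes with an ExUnit test for the cross-user case. Module names (MyApp.Repo, MyApp.Resources.UserResource with fields id and user_id, MyAppWeb), the route /api/resources/:id, conn.assigns.current_user being set by an upstream authentication plug, and the test helpers user_fixture/0, resource_fixture/1 and log_in_user/2 are all assumptions.

```elixir
# Added example (not from the original page). Assumed: MyApp.Repo,
# MyApp.Resources.UserResource (fields: id, user_id), and an authentication
# plug that sets conn.assigns.current_user before these actions run.

defmodule MyApp.Resources do
  import Ecto.Query, only: [from: 2]
  alias MyApp.Repo
  alias MyApp.Resources.UserResource

  # Base query every lookup, listing, update and delete goes through.
  # Authorization is expressed once as a WHERE clause, not per action.
  def scoped_to(%{id: user_id}) do
    from(r in UserResource, where: r.user_id == ^user_id)
  end

  # Another user's id is indistinguishable from a non-existent id,
  # so ids cannot be enumerated through this endpoint.
  def fetch_resource(user, id) do
    case Repo.get(scoped_to(user), id) do
      nil -> {:error, :not_found}
      resource -> {:ok, resource}
    end
  end

  def list_resources(user), do: Repo.all(scoped_to(user))

  # Update and delete reuse the scoped fetch, so a client cannot modify a
  # record it merely knows the id of.
  def update_resource(user, id, attrs) do
    with {:ok, resource} <- fetch_resource(user, id) do
      resource
      |> UserResource.changeset(attrs)
      |> Repo.update()
    end
  end

  def delete_resource(user, id) do
    with {:ok, resource} <- fetch_resource(user, id) do
      Repo.delete(resource)
    end
  end
end

defmodule MyAppWeb.UserResourceController do
  use MyAppWeb, :controller
  alias MyApp.Resources

  # Every action derives its scope from the authenticated user, never from params.
  def index(conn, _params) do
    resources = Resources.list_resources(conn.assigns.current_user)
    render(conn, "index.json", resources: resources)
  end

  def show(conn, %{"id" => id}) do
    case Resources.fetch_resource(conn.assigns.current_user, id) do
      {:ok, resource} -> render(conn, "show.json", resource: resource)
      {:error, :not_found} -> not_found(conn)
    end
  end

  def delete(conn, %{"id" => id}) do
    case Resources.delete_resource(conn.assigns.current_user, id) do
      {:ok, _deleted} -> send_resp(conn, :no_content, "")
      {:error, :not_found} -> not_found(conn)
    end
  end

  defp not_found(conn) do
    conn
    |> put_status(:not_found)
    |> json(%{error: "Resource not found or access denied"})
  end
end

defmodule MyAppWeb.UserResourceControllerTest do
  use MyAppWeb.ConnCase
  # Assumed helpers: user_fixture/0 and resource_fixture/1 insert rows into the
  # test database; log_in_user/2 authenticates the conn as the given user.

  test "a resource owned by another user is reported as not found", %{conn: conn} do
    owner = user_fixture()
    other = user_fixture()
    resource = resource_fixture(owner)

    conn = conn |> log_in_user(other) |> get("/api/resources/#{resource.id}")
    assert json_response(conn, 404)["error"] == "Resource not found or access denied"
  end
end
```

Repo.get/2 accepts an Ecto.Query as its first argument, so the scoped query works anywhere a schema module would. Keeping the scope in MyApp.Resources rather than in each controller action means a new endpoint cannot forget the ownership check, and the test pins the contract that a foreign ID and a missing ID return the same 404 body.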
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.