GuardAPI
Automated Security Protocol

How to fix BOLA (Broken Object Level Authorization) in ServiceStack

Executive Summary

Broken Object Level Authorization (BOLA) is the #1 vulnerability in the OWASP API Security Top 10. In ServiceStack, it occurs when a service relies solely on an ID provided in the Request DTO to fetch data without verifying if the authenticated user has the right to access that specific resource. If you aren't scoping your OrmLite queries with the Session's UserAuthId, you're leaking data.

The Vulnerable Pattern

VULNERABLE CODE
using ServiceStack;
using ServiceStack.OrmLite;

// Minimal model and Request DTO so the service compiles (the Request DTO carries only the Id)
public class Order { public int Id { get; set; } public string OwnerId { get; set; } }
public class GetOrder : IReturn<Order> { public int Id { get; set; } }

[Authenticate]
public class OrderService : Service
{
    public object Get(GetOrder request)
    {
        // VULNERABLE: Any authenticated user can access any order ID.
        // The only filter is the client-supplied Id; nothing ties the row to the caller.
        var order = Db.SingleById<Order>(request.Id);
        return order;
    }
}

The Secure Implementation

The vulnerability lies in trusting the client-provided ID without any context about who is asking. To fix BOLA, you must enforce authorization at the object level: instead of SingleById, use a predicate that includes the UserAuthId taken from GetSession(). By building the owner check into the database query itself, you prevent ID enumeration and ensure that null comes back (which the service turns into a 404 or 403) whenever a user requests a resource they do not own.

SECURE CODE
using ServiceStack;
using ServiceStack.OrmLite;

// Minimal model and Request DTO so the service compiles; OwnerId stores the owner's UserAuthId
public class Order { public int Id { get; set; } public string OwnerId { get; set; } }
public class GetOrder : IReturn<Order> { public int Id { get; set; } }

[Authenticate]
public class OrderService : Service
{
    public object Get(GetOrder request)
    {
        var session = GetSession();

        // SECURE: Query is scoped to the specific UserAuthId from the session,
        // so a row owned by another user is never returned
        var order = Db.Single<Order>(x =>
            x.Id == request.Id &&
            x.OwnerId == session.UserAuthId);

        // Same response whether the order is missing or belongs to someone else:
        // the caller cannot tell which IDs exist
        if (order == null)
            throw HttpError.NotFound($"Order {request.Id} not found.");

        return order;
    }
}
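The same owner-scoped predicate works for writes as well as reads. The following is an added example, not code from the original page, that applies the page's pattern to both a read and a delete and checks it against OrmLite's in-memory SQLite provider; it assumes an Order table whose OwnerId column holds the owner's UserAuthId and that the ServiceStack.OrmLite.Sqlite package is referenced.

```csharp
using System.Data;
using ServiceStack.DataAnnotations;
using ServiceStack.OrmLite;

// Assumed model: every owned row carries the UserAuthId of its owner.
public class Order
{
    [AutoIncrement] public int Id { get; set; }
    public string OwnerId { get; set; }
    public decimal Total { get; set; }
}

public static class OwnedOrders
{
    // Read scoped to the owner: null for any row the caller does not own,
    // so a guessed Id cannot leak another user's data.
    public static Order GetOwned(IDbConnection db, int id, string userAuthId) =>
        db.Single<Order>(x => x.Id == id && x.OwnerId == userAuthId);

    // The same rule applied to a write: the predicate, not the client, decides
    // which rows may be deleted. Returns rows affected (0 = missing or not owned).
    public static int DeleteOwned(IDbConnection db, int id, string userAuthId) =>
        db.Delete<Order>(x => x.Id == id && x.OwnerId == userAuthId);

    // Self-check against an in-memory SQLite database with constructed rows.
    public static bool Demo()
    {
        var dbFactory = new OrmLiteConnectionFactory(":memory:", SqliteDialect.Provider);
        using var db = dbFactory.Open();
        db.CreateTable<Order>();
        var aliceOrder = (int)db.Insert(new Order { OwnerId = "alice", Total = 10m }, selectIdentity: true);
        var bobOrder   = (int)db.Insert(new Order { OwnerId = "bob",   Total = 20m }, selectIdentity: true);

        // Owner sees their own row; a guessed Id belonging to someone else yields null.
        bool ownReadOk   = GetOwned(db, aliceOrder, "alice") != null;
        bool crossReadNo = GetOwned(db, bobOrder,   "alice") == null;
        // A cross-owner delete affects zero rows and leaves bob's order intact.
        bool crossDelNo  = DeleteOwned(db, bobOrder, "alice") == 0
                           && GetOwned(db, bobOrder, "bob") != null;
        return ownReadOk && crossReadNo && crossDelNo;
    }
}
```

Demo() returns true when all three checks hold; in a service, DeleteOwned returning 0 should map to the same NotFound response the Get handler uses.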


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.