GuardAPI

Fix BOLA (Broken Object Level Authorization) in Sinatra

BOLA is the name the OWASP API Security Top 10 gives to the flaw long known as IDOR, and it still sits at the top of that list as API1, the most critical API vulnerability class. In Sinatra applications it arises when a handler assumes that an authenticated user may read or modify whichever object they name in a route or query parameter. The fix is an object-level authorization check that verifies ownership (or another explicit grant) before any data is returned or changed.

The Vulnerable Pattern

get '/api/profile/:id' do
  # No session check and no ownership check: any caller who can supply an id
  # receives that user's record, so the route is a direct BOLA.
  user_data = User.find(params[:id])
  halt 404 unless user_data
  user_data.to_json
end

The Secure Implementation

The vulnerable snippet trusts the caller's input completely: an attacker can iterate through ':id' values and scrape every record in the table. The secure implementation uses a scoped query. By traversing the relationship from the 'current_user' object, the query is restricted to rows that belong to the requester before the id is applied, so a record that exists but is owned by someone else simply comes back as nil ('find_by' returns nil rather than raising, which keeps the control flow explicit). That nil is then turned into a 403 Forbidden or 404 Not Found. Two practitioner notes: returning 403 for a foreign id and 404 for a nonexistent one tells the attacker which ids exist, so many teams answer 404 in both cases; and association scoping only covers records that are directly owned, so records shared via an ACL or role need an explicit policy check that defaults to deny. Stop querying top-level models; always query through the owner's association.

get '/api/profile/:id' do
  # 1. Authenticate the session
  halt 401 unless current_user

  # 2. Scope the lookup to the authenticated user's context.
  #    This prevents accessing IDs belonging to other users.
  resource = current_user.profiles.find_by(id: params[:id])

  # 3. Fail closed if the relationship doesn't exist
  halt 403, { error: 'Unauthorized access to resource' }.to_json unless resource

  resource.to_json
end
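The following is an added example, not code from the original page or from GuardAPI. It exercises the ownership-scoped lookup above, adds a fail-closed policy check for records that are shared rather than owned, and shows an id sweep from a second account to confirm that foreign ids are not exposed. To run without the sinatra or activerecord gems, it uses an in-memory table and reproduces Sinatra's 'halt' mechanism ('throw :halt'); the names User, Profile, PROFILES, scoped_profile_for, can_read?, handle_profile_request and handle_shared_profile_request are all assumptions for this example, and the sample rows are constructed.

```ruby
require 'json'

# Illustrative models standing in for ActiveRecord classes (assumed names).
User    = Struct.new(:id, :name)
Profile = Struct.new(:id, :owner_id, :bio, :shared_with) # shared_with: array of user ids

# Constructed sample data: two users, three profiles, one of bob's shared with alice.
USERS = {
  1 => User.new(1, 'alice'),
  2 => User.new(2, 'bob'),
}
PROFILES = [
  Profile.new(10, 1, 'alice profile', []),
  Profile.new(11, 2, 'bob profile',   []),
  Profile.new(12, 2, 'bob shared',    [1]),
]

# Parse an untrusted route parameter strictly: '10abc' or '' becomes nil,
# which the handlers treat as "not found" rather than guessing.
def parse_id(raw)
  Integer(raw.to_s, 10, exception: false)
end

# Equivalent of `current_user.profiles.find_by(id: ...)`: the candidate set is
# narrowed to the requester's rows before the id is applied, so a foreign id
# yields nil instead of another user's record.
def scoped_profile_for(user, id)
  return nil if id.nil?
  PROFILES.find { |p| p.owner_id == user.id && p.id == id }
end

# Policy check for records not reachable through an ownership association
# (explicitly shared records). Anything not provably allowed is denied.
def can_read?(user, profile)
  return false if user.nil? || profile.nil?
  profile.owner_id == user.id || profile.shared_with.include?(user.id)
end

# Sinatra implements halt as `throw :halt`; reproduced so the handlers run
# stand-alone. Each handler returns [status, body] like a Sinatra route.
def halt(status, body = '')
  throw :halt, [status, body]
end

def json_error(msg)
  { error: msg }.to_json
end

# Ownership-scoped route body. Unknown and foreign ids both map to 404 so the
# endpoint is not an oracle for which ids exist.
def handle_profile_request(current_user, raw_id)
  catch(:halt) do
    halt 401, json_error('authentication required') unless current_user
    resource = scoped_profile_for(current_user, parse_id(raw_id))
    halt 404, json_error('not found') unless resource
    [200, { id: resource.id, bio: resource.bio }.to_json]
  end
end

# Policy-based route body for shared records: top-level lookup followed by an
# explicit authorization check, still answering 404 on deny.
def handle_shared_profile_request(current_user, raw_id)
  catch(:halt) do
    halt 401, json_error('authentication required') unless current_user
    id = parse_id(raw_id)
    resource = id && PROFILES.find { |p| p.id == id }
    halt 404, json_error('not found') unless can_read?(current_user, resource)
    [200, { id: resource.id, bio: resource.bio }.to_json]
  end
end

# What an attacker's id sweep sees: the ids for which the route returns 200.
def enumeration_sweep(user, ids)
  ids.select { |i| handle_profile_request(user, i.to_s)[0] == 200 }
end

if __FILE__ == $PROGRAM_NAME
  bob = USERS[2]
  puts "bob sweeping ids 1..20 sees only: #{enumeration_sweep(bob, 1..20).inspect}"
  puts "bob requesting alice's profile 10: #{handle_profile_request(bob, '10').inspect}"
  puts "alice reading shared profile 12:  #{handle_shared_profile_request(USERS[1], '12').inspect}"
end
```

The sweep is the check to keep in the test suite: a second account iterating the id space must only ever see its own rows. If a future refactor replaces the scoped lookup with a top-level 'find', that assertion fails immediately.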


Verified by Ghost Labs Security Team