Broken Object Property Level Authorization (BOPLA)
detect, understand, remediate

What is broken object property level authorization (BOPLA)?

Broken object property level authorization (BOPLA) is an API authorisation failure that lives inside an object the caller is otherwise allowed to access. The route resolves, the object loads, and the wrong fields come back on a read or get accepted on a write. Authentication passes. Object-level authorisation passes. Function-level authorisation passes. The check that sits one level deeper, the per-field decision about which properties the principal may see and set on this object in this state, is missing or only partially enforced. The token is valid, the object is theirs, and the field is not.

OWASP ranks BOPLA third on the API Security Top 10 (API3:2023). The 2023 release folded two earlier categories into BOPLA: Excessive Data Exposure (the read side, where the API serialises more fields than the principal is entitled to see) and Mass Assignment (the write side, where the API auto-binds request fields the principal should not be allowed to set). BOPLA is the unified property-level failure that sits beneath both halves.

BOPLA is closely related to mass assignment and to sensitive data exposure, but the OWASP API Top 10 view is more precise. Mass assignment is the writer-side mechanism. Excessive data exposure is the reader-side symptom. BOPLA is the property-level authorisation gap that produces both. A clean modern report writes the finding as BOPLA, names the property, and identifies whether the failure is on the read path, the write path, or both.

BOPLA vs BOLA vs BFLA: where the line sits

The OWASP API Security Top 10 separates three authorisation classes that share a root cause but fail at different layers. BOLA fails at the object-by-ID layer. BFLA fails at the function-by-role layer. BOPLA fails at the property-by-field layer once the caller is already through the first two checks. A clean finding pins the failure to one of the three; a sloppy finding conflates two and the remediation guidance applies to neither.

How it works

Common causes

How to detect it

How to fix it

How to report a BOPLA finding

BOPLA findings are easy to demonstrate (one over-fetched response or one silently accepted write field) and structurally hard to remediate (because the fix sits in serialisation and binder policy, not in input validation). A clean report keeps the proof concrete, names the field, and points the remediation to the right architectural layer.

• Pin the finding to one concrete property on one concrete object. Name the field, the object type, and the role under which the gap was reproduced. Generic descriptions like "the API returns too much data" do not survive remediation discussion.
• Capture the full response for the read-side finding (so the over-fetched field is visible in evidence) or the request and post-write response for the write-side finding (so the silent acceptance is visible).
• Score the finding with a CVSS 3.1 vector that reflects the real impact. A self-promotion to admin via a role property change is integrity high, scope changed, often privileges high. A leaked email column is confidentiality low, integrity none. The vector matters.
• Distinguish single-property BOPLA from systemic BOPLA. A serialiser that emits the full model on every read, or a binder that accepts the full body on every write, is one architectural finding, not many independent issues, and the report should say so.
• Recommend a per-field allowlist policy at the serialisation and binder layer rather than a per-endpoint patch where the pattern is systemic. A list of patched endpoints does not protect the next object the team ships.

How SecPortal helps with BOPLA findings

SecPortal is the engagement record where authenticated scanner output, manual API findings, and remediation tracking live on the same engagement. For BOPLA specifically, the platform supports the workflow at four points.

• The authenticated scanner captures the response field set under a high-privilege session, replays the same routes under a low-privilege token, and flags response fields that should not have been served, surfacing read-side BOPLA gaps. Property-injection probes on PATCH and PUT bodies surface write-side BOPLA before manual triage starts.
• Findings management lets you log a BOPLA finding once with the CVSS 3.1 vector, the OWASP API3:2023 mapping, the captured request and response evidence, the property name, and the remediation guidance from the finding template library, then attach every recurring instance back to the same systemic finding rather than creating duplicate records.
• Code scanning via Semgrep surfaces serialisers that emit the full model and binders that accept the full request body, anchoring the BOPLA finding to a specific file and line in the connected repository so the systemic pattern sits alongside the proven instances.
• The branded client portal gives the engineering team the finding, the proof, the property name, and the remediation owner in one place. Retests pair to the original finding so the verification record is anchored to the original scope and the response field set under the new build is compared against the original gap.

For the wider API testing context, see the API security testing checklist and the API security testing use case. For the matching risk taxonomy, see the OWASP API Security Top 10 framework reference. For severity calibration on findings like BOPLA, see the research on severity calibration for pentest findings. AppSec and product security teams running this as part of an ongoing programme can read the AppSec teams view or the product security teams view to see how BOPLA findings sit alongside scanner-result triage, vulnerability prioritisation, and the SDLC handoff.

Where BOPLA fits in the AppSec lifecycle

Compliance impact