BOLA — Broken Object Level Authorization

TL;DR: Endpoint takes an object ID and returns data without checking the caller owns it. The classic IDOR-of-APIs.

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/
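
The pattern from the TL;DR, as an added example that is not part of the original page: a handler that returns an object by ID alone, beside one that also checks ownership and records denials. The invoice store, user names and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount_cents: int


# Constructed sample data: invoice id -> record carrying its owner.
INVOICES = {
    1001: Invoice(1001, "alice", 4200),
    1002: Invoice(1002, "bob", 9900),
}


class NotFound(Exception):
    """Raised for both missing and foreign objects, so responses do not reveal which ids exist."""


def get_invoice_unchecked(caller: str, invoice_id: int) -> Invoice:
    # BOLA: the caller is authenticated, but the lookup trusts the
    # client-supplied id and never compares the record's owner to the caller.
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_checked(caller: str, invoice_id: int, audit: list) -> Invoice:
    # Object-level check: the record must exist AND belong to the caller.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != caller:
        # Keep the real reason server-side for detection; the client sees
        # the same NotFound in both cases.
        reason = "missing" if invoice is None else "foreign"
        audit.append((caller, invoice_id, reason))
        raise NotFound(invoice_id)
    return invoice


def fetch(handler, *args):
    """Return the handler's result, or None when it raises NotFound."""
    try:
        return handler(*args)
    except NotFound:
        return None
```

The audit list stands in for whatever logging the service already has; repeated "foreign" denials from one caller across many ids are the server-side trace of this bug class being probed.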