BOLA — Broken Object Level Authorization (API IDOR)
The server checks who you are but never checks whether the object you asked for is actually yours. ID flips, the UUID myth, nested routes where only the prefix gets checked, multi-tenant SQL bleeds, write-side BOLA, GraphQL field exposure, and how to hunt it all at scale.
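The core defect the abstract describes, as an added illustration that is not part of the members-only article: a nested route `GET /accounts/{account_id}/invoices/{invoice_id}` where the handler authorizes the route prefix (the account) and then loads the invoice by id alone, beside a version whose object lookup is scoped to the authorized parent. All data, identifiers and function names are constructed for this example.

```python
"""Object-level authorization on a nested REST route (constructed example).

Route shape: GET /accounts/{account_id}/invoices/{invoice_id}
The caller is already authenticated; the question is whether the object is theirs.
"""
from typing import Any, Dict, Tuple

# Constructed in-memory "database"; hypothetical ids, not from any real system.
ACCOUNTS: Dict[int, Dict[str, Any]] = {
    101: {"owner_id": 1},   # user 1
    202: {"owner_id": 2},   # user 2
}
INVOICES: Dict[int, Dict[str, Any]] = {
    9001: {"account_id": 101, "amount": 50},
    9002: {"account_id": 202, "amount": 75},
}

Response = Tuple[int, Any]  # (HTTP status, body)


def get_invoice_prefix_only(user_id: int, account_id: int, invoice_id: int) -> Response:
    """Vulnerable pattern: the account in the path is checked against the caller,
    but the invoice is then fetched by id alone, so any invoice id resolves
    regardless of which account it belongs to. Replacing ints with UUIDs would
    not fix this; unguessable ids are not an authorization check."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    if account["owner_id"] != user_id:
        return 403, None
    invoice = INVOICES.get(invoice_id)          # never tied back to account_id
    if invoice is None:
        return 404, None
    return 200, invoice


def get_invoice_scoped(user_id: int, account_id: int, invoice_id: int) -> Response:
    """Fixed pattern: the object lookup itself is scoped to the authorized parent.
    An invoice outside the caller's account gets the same 404 as a missing one,
    so the endpoint does not act as an existence oracle for other tenants' ids."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner_id"] != user_id:
        return 404, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["account_id"] != account_id:
        return 404, None
    return 200, invoice


def update_invoice_scoped(user_id: int, account_id: int, invoice_id: int,
                          new_amount: int) -> Response:
    """Write-side check: mutations reuse the same scoped lookup, so the
    read path and the write path cannot drift apart in what they authorize."""
    status, invoice = get_invoice_scoped(user_id, account_id, invoice_id)
    if status != 200:
        return status, None
    invoice["amount"] = new_amount
    return 200, invoice


if __name__ == "__main__":
    # User 1 owns account 101 but asks for invoice 9002, which belongs to account 202.
    print("prefix-only:", get_invoice_prefix_only(1, 101, 9002))   # leaks (200, ...)
    print("scoped:     ", get_invoice_scoped(1, 101, 9002))        # (404, None)
```

The scoped variant deliberately answers 404 both for "account is not yours" and for "invoice does not exist"; whether to return 403 instead is a product decision, but whichever code is chosen should be identical for the two cases so that id enumeration cannot distinguish them.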
This article is exclusively available to premium members of LazyHackers. Login or subscribe to read.