BOLA happens when:
The API does NOT properly check whether a user is allowed to access a specific object (like an order or profile).
IDOR is a type of BOLA where:
The application exposes object IDs directly and does not validate ownership.
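As an added example (not code from the original page or from the DVRA project), the BOLA/IDOR defect described above and its fix, in a minimal Python order-lookup handler. The order store, user names and order IDs are constructed sample data; the vulnerable handler trusts the object ID from the request, while the fixed handler verifies ownership before returning anything.

```python
# Added example: BOLA/IDOR in an object-lookup handler and the ownership check that fixes it.
# All data below (orders, owners, ids) is constructed for the example.
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Order:
    order_id: int
    owner_id: str
    total: float


# Constructed sample data: two users, each owning one order.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 42.50),
    1002: Order(1002, "bob", 199.00),
}


class NotFound(Exception):
    """Raised when the object does not exist, or must appear not to exist to the caller."""


def get_order_vulnerable(current_user: str, order_id: int) -> Order:
    """BOLA/IDOR: the ID comes straight from the request and ownership is never checked,
    so any authenticated user can read any order just by changing the number."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def get_order_fixed(current_user: str, order_id: int) -> Order:
    """Object-level authorization: load the object, then verify the caller owns it.
    A missing order and a foreign order both map to NotFound, so the response does
    not confirm whether an ID exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != current_user:
        raise NotFound(order_id)
    return order


def handle_request(handler: Callable[[str, int], Order],
                   current_user: str, order_id: int) -> Tuple[int, dict]:
    """Simulates the HTTP layer: maps the handler result to a status code and JSON body."""
    try:
        order = handler(current_user, order_id)
        return 200, {"order_id": order.order_id, "total": order.total}
    except NotFound:
        return 404, {"error": "not found"}


if __name__ == "__main__":
    # alice asks for bob's order: the vulnerable handler leaks it, the fixed one does not.
    print(handle_request(get_order_vulnerable, "alice", 1002))
    print(handle_request(get_order_fixed, "alice", 1002))
```

The important design choice is that the authorization decision is made against the loaded object, not against the request parameters: the check `order.owner_id != current_user` is what the vulnerable version is missing, and a detection rule for this class of bug is simply a user fetching object IDs that are not theirs and receiving 200 instead of 404.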
Broken Authentication
This occurs when:
Login/session handling is weak
Tokens can be forged or reused
Identity is not properly verified
Example: Using a fake or modified token to access another account
🔑 JWT (JSON Web Token)
JWTs are commonly used as the bearer token that carries a user's authentication claims to the API.
Structure:
HEADER.PAYLOAD.SIGNATURE (three Base64url-encoded parts separated by dots; the signature covers the first two)
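As an added example (not code from the original page), here is the HEADER.PAYLOAD.SIGNATURE structure built and verified with only the Python standard library, covering both the JWT section and the "fake or modified token" case under Broken Authentication. It signs with HS256 only; the secret, user names and expiry values are constructed for the example, and the verifier pins the algorithm, compares the signature in constant time, and enforces `exp`.

```python
# Added example: minimal HS256 JWT issue/verify with the standard library.
# Secret and claims below are constructed for the example.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Base64url in JWTs is unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def assemble(header: dict, payload: dict, signature_b64: str) -> str:
    """Joins the three parts. Used by create_jwt and, in tests, to build tokens
    whose payload or header no longer matches their signature."""
    return f"{_encode_json(header)}.{_encode_json(payload)}.{signature_b64}"


def create_jwt(payload: dict, secret: bytes) -> str:
    """Issues a token: signature = HMAC-SHA256(secret, HEADER.PAYLOAD)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Returns the payload only if the token is well-formed, signed with our key
    under the algorithm we expect, and not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected HEADER.PAYLOAD.SIGNATURE")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        raise InvalidToken("expired")
    return payload


def is_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    try:
        verify_jwt(token, secret, now)
        return True
    except (InvalidToken, ValueError):
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = create_jwt({"sub": "alice", "exp": 2_000_000_000}, secret)
    print(token)
    print(verify_jwt(token, secret, now=1_000))
```

The payload is readable by anyone who holds the token, so nothing in it is secret; what the signature check guarantees is that the claims were not altered since the server issued them. A token whose payload segment is edited keeps a signature computed over the old payload and fails verification, and a token that declares a different `alg` is rejected before the signature is even examined.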
Exploiting BOLA and Broken Authentication in DVRA API | NatokHD