Automatic Protection Against BOLA Attacks
Newer version available
This article describes the REST-only version of API Discovery. Since May 2025, a newer version is available that supports both REST and GraphQL and has improved performance.
Behavioral attacks such as Broken Object Level Authorization (BOLA) exploit the vulnerability of the same name. This vulnerability allows an attacker to access an object by its identifier via an API request and either read or modify its data, bypassing the authorization mechanism.
Potential targets of BOLA attacks are endpoints with variability. Wallarm can automatically discover and protect such endpoints among the ones explored by the API Discovery module.
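The following is an added illustration, not Wallarm's detection logic: it scans access-log records for endpoints whose path carries an identifier-like segment that takes several values, then reports clients that touched an unusually large number of distinct objects on such an endpoint. It assumes that "variability" means a varying identifier segment in the path; the log records, the helper names and both thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records: (client, method, path, status).
SAMPLE_LOG = (
    [("192.0.2.10", "GET", "/api/orders/101", 200),
     ("192.0.2.10", "GET", "/api/orders/101", 200),
     ("192.0.2.10", "GET", "/api/orders/102", 200),
     ("192.0.2.10", "GET", "/api/health", 200)]
    + [("198.51.100.7", "GET", f"/api/orders/{n}", 200) for n in range(100, 107)]
)

# Assumption: an object identifier is a numeric or UUID path segment.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

def template(path):
    """Replace identifier-like segments with {id}; return (template, ids)."""
    parts, ids = [], []
    for seg in path.strip("/").split("/"):
        if ID_SEGMENT.match(seg):
            parts.append("{id}")
            ids.append(seg)
        else:
            parts.append(seg)
    return "/" + "/".join(parts), tuple(ids)

def variable_endpoints(log, min_values=3):
    """Endpoints whose identifier segment took at least min_values distinct values."""
    seen = defaultdict(set)
    for _client, method, path, _status in log:
        tpl, ids = template(path)
        if ids:
            seen[(method, tpl)].add(ids)
    return {ep for ep, values in seen.items() if len(values) >= min_values}

def enumeration_suspects(log, max_objects=4):
    """Clients that requested more than max_objects distinct objects on a variable endpoint."""
    targets = variable_endpoints(log)
    per_client = defaultdict(set)
    for client, method, path, _status in log:
        tpl, ids = template(path)
        if (method, tpl) in targets:
            per_client[(client, method, tpl)].add(ids)
    return {key: len(objs) for key, objs in per_client.items() if len(objs) > max_objects}

if __name__ == "__main__":
    for (client, method, tpl), count in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{client} requested {count} distinct objects via {method} {tpl}")
```

A count of distinct identifiers per client is only a behavioral signal; the application still has to verify on every request that the caller is authorized for the referenced object.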
To enable automatic BOLA protection, proceed to Wallarm Console → BOLA protection and turn the switch to the enabled state.
Each protected API endpoint will be highlighted with the corresponding icon in the API inventory.
You can filter API endpoints by the BOLA auto protection state. The corresponding parameter is available under the Others filter.