Definition
Broken Object Property Level Authorization (BOPLA) occurs when an API fails to properly control:
- What data fields a user can view (excessive data exposure)
- What data fields a user can modify (mass assignment)
It combines two earlier OWASP issues:
- Mass Assignment (unsafe data updates)
- Excessive Data Exposure (leaking too much data in responses)
Core idea
APIs should only expose and allow changes to the minimum necessary data for a user’s role and the specific use case.
When this is broken:
- Users can see more data than intended
- Users can modify fields they should not control
Mass Assignment (data manipulation risk)
Occurs when an API automatically binds user input to internal object properties without proper filtering.
Example:
- User submits:
- API incorrectly accepts it
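The following is an added example, not code from the original page, covering both halves of BOPLA described above: a binder that blindly copies client-supplied keys onto an internal object (mass assignment) next to an allowlist-based binder that refuses unexpected fields, plus a role-based serializer that limits what each viewer sees in a response (excessive data exposure). The User model, the USER_WRITABLE and READABLE policies, and the sample payload are all constructed for illustration.

```python
"""Mass assignment vs. allowlisted binding, and per-role response filtering.
Added example; the model, policies and payload are hypothetical."""
import logging
from dataclasses import dataclass, asdict, fields

log = logging.getLogger("bopla-example")


@dataclass
class User:
    id: int
    username: str
    email: str
    is_admin: bool = False      # privileged field: must never be client-writable
    balance: float = 0.0        # sensitive field: must not leak to other users


# Hypothetical policy: fields a regular user may change on their own profile.
USER_WRITABLE = frozenset({"username", "email"})

# Hypothetical policy: fields each viewer role may see in a response.
READABLE = {
    "public": frozenset({"id", "username"}),
    "self": frozenset({"id", "username", "email", "balance"}),
    "admin": frozenset(f.name for f in fields(User)),
}


def update_vulnerable(user: User, payload: dict) -> User:
    """Vulnerable binder: every key the client sends that matches an attribute
    is written to the object, so 'is_admin' or 'balance' in the payload land
    on the model. This is the mass-assignment pattern described on the page."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_hardened(user: User, payload: dict, writable=USER_WRITABLE) -> list:
    """Hardened binder: only allowlisted fields are bound. Returns the sorted
    list of rejected keys; when it is non-empty the request is refused as a
    whole and the object is left untouched."""
    rejected = sorted(set(payload) - writable)
    if rejected:
        # Reject rather than silently drop: an unexpected privileged key in a
        # client payload is a useful detection signal, so log it.
        log.warning("rejected non-writable fields for user %s: %s", user.id, rejected)
        return rejected
    for key, value in payload.items():
        setattr(user, key, value)
    return rejected  # empty list means the update was applied


def serialize(user: User, viewer_role: str) -> dict:
    """Filter the response to the fields the viewer's role may see, instead of
    returning the whole internal object (the excessive-data-exposure half)."""
    allowed = READABLE[viewer_role]
    return {k: v for k, v in asdict(user).items() if k in allowed}


if __name__ == "__main__":
    # Constructed payload: a profile update that smuggles in privileged fields.
    payload = {"username": "alice2", "is_admin": True, "balance": 1_000_000.0}

    victim = update_vulnerable(User(1, "alice", "a@example.com"), payload)
    print("vulnerable:", asdict(victim))          # is_admin flipped, balance set

    safe = User(1, "alice", "a@example.com")
    print("hardened rejected:", update_hardened(safe, payload))
    print("hardened object:", asdict(safe))       # unchanged

    print("public view:", serialize(safe, "public"))
    print("self view:", serialize(safe, "self"))
```

The allowlist is per role and per use case rather than a single global list: an admin endpoint would pass a different `writable` set, and the same principle applies to nested objects, where each level needs its own allowlist.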