Broken Object Level Authorization (BOLA) is consistently ranked as the most critical API security vulnerability, yet the existing literature remains almost entirely conceptual. This paper presents one of the first large-scale empirical analyses of BOLA in publicly disclosed bug bounty reports. We constructed a reproducible sampling frame of 200 HackerOne disclosures tagged IDOR or Improper Access Control (2021-2026) and applied a three-criterion inclusion filter, yielding 107 fully classified reports. Classification used an LLM-assisted schema-completion procedure under constrained, human-adjudicated criteria against a six-family BOLA taxonomy. Of the 107 classified reports, 84 (78.5%) were confirmed as in-scope BOLA. Action-Level Object BOLA, defined by unauthorized state-changing actions on another user's objects, accounts for 41.7% of confirmed cases and emerges alongside Direct Object Reference BOLA as one of the two dominant families in the dataset; this family has historically been underrepresented in practitioner guidance. Approximately 21.5% of classified reports are out of scope under strict criteria, indicating that tag-counting on platforms like HackerOne significantly overstates the BOLA-specific signal. We report distributions across family, action type, authorization direction, industry sector, identifier format, and exploit mechanism. Key secondary findings include an 11.9% rate of vertical (user-to-admin) privilege failures and systematic exploitation of GraphQL Global IDs across major platforms. The findings have direct implications for API security testing protocols, developer education, and OWASP guidance.
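As an added illustration (not code from the paper), the two dominant families the abstract names, a Direct Object Reference read and an Action-Level state change, shown in a constructed note service with the vulnerable handlers beside a hardened version that enforces ownership on both paths; the service, user names and sample data are assumptions.

```python
# Added illustration, not the paper's code; names and sample data are constructed.
from dataclasses import dataclass

@dataclass
class Note:
    owner: str
    body: str
    archived: bool = False

@dataclass
class NoteService:
    notes: dict[int, Note]

    # Vulnerable: the requester is authenticated, but object ownership is never checked.
    def get_note_vulnerable(self, requester: str, note_id: int) -> str:
        # Direct Object Reference BOLA: any user can read any note by id.
        return self.notes[note_id].body

    def archive_note_vulnerable(self, requester: str, note_id: int) -> bool:
        # Action-Level Object BOLA: a state change on another user's object succeeds.
        self.notes[note_id].archived = True
        return True

    # Hardened: resolve the object, then enforce ownership before any operation.
    def _owned_note(self, requester: str, note_id: int) -> Note:
        note = self.notes.get(note_id)
        # Same error for "missing" and "not yours" so responses reveal neither.
        if note is None or note.owner != requester:
            raise PermissionError("note not found or not accessible")
        return note

    def get_note(self, requester: str, note_id: int) -> str:
        return self._owned_note(requester, note_id).body
    def archive_note(self, requester: str, note_id: int) -> bool:
        self._owned_note(requester, note_id).archived = True
        return True

def cross_user_outcomes() -> dict:
    """Constructed scenario: bob targets alice's note through each handler."""
    svc = NoteService({1: Note("alice", "alice's private note")})
    out = {"vuln_read": svc.get_note_vulnerable("bob", 1),
           "vuln_archive": svc.archive_note_vulnerable("bob", 1)}
    svc.notes[1].archived = False  # reset before exercising the hardened path
    for label, handler in (("read", svc.get_note), ("archive", svc.archive_note)):
        try:
            handler("bob", 1)
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    out["note_untouched"] = not svc.notes[1].archived
    return out
```

The same `_owned_note` gate serves both the read and the state-changing path, which is the point: an ownership check applied only to reads leaves the Action-Level family open.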