What is Broken Object Property Level Authorization (BOPLA), and how does it relate to mass assignment and excessive data exposure?
BOPLA (API3:2023, Broken Object Property Level Authorization) merges two earlier OWASP API risks: it covers cases where a user can read or write specific object properties they shouldn't, even if they're allowed to access the object itself. The write side is mass assignment / over-posting — sending isAdmin or balance in an update and having the API blindly bind it. The read side is excessive data exposure — the API returns the whole object (including passwordHash, ssn, internal flags) and relies on the client to hide fields. Defense for both: enforce a per-property allowlist for both input binding and output serialization (explicit DTOs/schemas), and never trust the client to filter sensitive properties.
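The following is an added illustration of the per-property allowlist defense described above, not code from the OWASP project or any real API: a naive update handler that binds whatever the client posts and returns the whole record, beside a hardened version with an explicit input schema and an output DTO. The User record, its field names and the request body are constructed for this example.

```python
"""Added example: per-property allowlists for input binding and output
serialization (the BOPLA defense). Hypothetical record layout and field
names, constructed for illustration; not code from any real project."""
from dataclasses import dataclass, asdict
from typing import Any


# Constructed sample record, standing in for a row fetched from a database.
@dataclass
class User:
    id: int
    email: str
    displayName: str
    isAdmin: bool = False
    balance: int = 0          # cents, owned by the billing subsystem
    passwordHash: str = ""
    ssn: str = ""


# ---- Vulnerable pattern: bind every property the client sent (mass
# ---- assignment) and return the whole object (excessive data exposure).
def update_user_vulnerable(user: User, body: dict[str, Any]) -> dict[str, Any]:
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)    # isAdmin, balance, passwordHash all bindable
    return asdict(user)                  # passwordHash and ssn go over the wire


# ---- Hardened pattern: explicit allowlists on both sides.
USER_UPDATE_ALLOWED = {"email": str, "displayName": str}   # input schema + types
USER_PUBLIC_FIELDS = ("id", "email", "displayName")         # output DTO


class RejectedProperties(ValueError):
    """Raised when the client sends a property outside the input allowlist."""


def bind_update(body: dict[str, Any]) -> dict[str, Any]:
    """Validate the request body against the input allowlist, types included.
    Unknown or privileged properties are rejected rather than silently dropped,
    so a client posting isAdmin=true gets a 4xx instead of a quiet success."""
    unknown = set(body) - set(USER_UPDATE_ALLOWED)
    if unknown:
        raise RejectedProperties(f"properties not allowed: {sorted(unknown)}")
    for key, expected in USER_UPDATE_ALLOWED.items():
        if key in body and not isinstance(body[key], expected):
            raise RejectedProperties(f"{key} must be {expected.__name__}")
    return {k: body[k] for k in USER_UPDATE_ALLOWED if k in body}


def serialize_public(user: User) -> dict[str, Any]:
    """Output DTO: only listed fields leave the server, so a sensitive column
    added to User later is excluded unless someone opts it in."""
    return {name: getattr(user, name) for name in USER_PUBLIC_FIELDS}


def update_user_hardened(user: User, body: dict[str, Any]) -> dict[str, Any]:
    for key, value in bind_update(body).items():
        setattr(user, key, value)
    return serialize_public(user)


def demo() -> tuple[dict[str, Any], dict[str, Any], str]:
    """Run the same over-posted request body through both handlers."""
    request_body = {"displayName": "mallory", "isAdmin": True, "balance": 10**9}
    victim = User(1, "m@example.test", "m", passwordHash="$argon2id$...", ssn="000-00-0000")
    leaked = update_user_vulnerable(victim, dict(request_body))
    fresh = User(1, "m@example.test", "m", passwordHash="$argon2id$...", ssn="000-00-0000")
    try:
        safe = update_user_hardened(fresh, dict(request_body))
        outcome = "accepted"
    except RejectedProperties as exc:
        safe = serialize_public(fresh)   # nothing was bound; record unchanged
        outcome = str(exc)
    return leaked, safe, outcome


if __name__ == "__main__":
    leaked, safe, outcome = demo()
    print("vulnerable response:", leaked)
    print("hardened response:  ", safe)
    print("hardened outcome:   ", outcome)
```

The hardened handler fails closed: a body carrying any property outside the allowlist is rejected as a whole rather than having the extra keys stripped, which keeps the rejection visible in logs and to the client. Either policy is acceptable as long as the allowlist, not the model's attribute list, decides what binds; the same separation applies to serialization, where the DTO enumerates what leaves the server instead of the client being trusted to hide fields.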