api-authorization-and-bola
Official
Detect and exploit API object authorization flaws
System Documentation
What problem does it solve?
APIs often expose object identifiers, nested resources, or hidden writable fields that allow unauthorized users to read, modify, or perform privileged functions on other users' data; this skill provides a focused playbook to systematically find those authorization weaknesses (BOLA/IDOR, function-level flaws, and mass assignment).
Core Features & Use Cases
- Core test loop: Create Account A and Account B, capture create/read/update/delete flows as Account A, then replay those flows with Account B's token to confirm access control failures.
- Surface coverage: Tests object read paths, nested resources, alternate HTTP verbs, admin/internal endpoints, and hidden JSON fields such as role, org, verified, and tier.
- Payloads & heuristics: Provides quick JSON payloads for mass-assignment checks and lists common tester oversights like IDs in headers, cookies, GraphQL args, and sibling endpoints.
- Use Case: Use during bug bounty or pentest engagements to validate object-level authorization and function-level access controls across REST and GraphQL APIs.
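The core test loop and the mass-assignment check from the feature list above, as an added example that is not the skill's own code. It runs a two-account replay against a small in-memory mock API constructed here for the illustration (the `MockApi` class, its `/notes/{id}` and `/me` routes, and the bearer-token scheme are all assumptions); the same `bola_replay_test` logic would drive real HTTP requests in an engagement. The two constructor flags toggle the object-level ownership check and the writable-field allowlist, so the harness can be run against the vulnerable and the hardened configuration side by side.

```python
"""Two-account BOLA / mass-assignment replay harness (added example).

MockApi is a constructed stand-in for the target: bearer tokens, a /notes
object resource and a /me profile endpoint. It is not real project code.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resp:
    status: int
    body: Optional[dict] = None


class MockApi:
    """Constructed mock target. enforce_owner=False reproduces a BOLA bug;
    filter_fields=False reproduces a mass-assignable `role` field."""

    def __init__(self, enforce_owner: bool, filter_fields: bool):
        self.enforce_owner = enforce_owner
        self.filter_fields = filter_fields
        self.users = {}   # token -> profile dict
        self.notes = {}   # note id -> {"id", "owner", "text"}
        self._next_note = 1

    def register(self, name: str) -> str:
        token = secrets.token_hex(8)
        self.users[token] = {"id": len(self.users) + 1, "name": name, "role": "user"}
        return token

    def request(self, method: str, path: str, token: str, body: Optional[dict] = None) -> Resp:
        body = body or {}
        user = self.users.get(token)
        if user is None:
            return Resp(401)
        parts = path.strip("/").split("/")
        if parts == ["notes"] and method == "POST":
            nid, self._next_note = self._next_note, self._next_note + 1
            self.notes[nid] = {"id": nid, "owner": user["id"], "text": body.get("text", "")}
            return Resp(201, dict(self.notes[nid]))
        if len(parts) == 2 and parts[0] == "notes" and parts[1].isdigit():
            nid = int(parts[1])
            note = self.notes.get(nid)
            if note is None:
                return Resp(404)
            # The object-level check a correct API performs; disabled for the vulnerable run.
            if self.enforce_owner and note["owner"] != user["id"]:
                return Resp(403)
            if method == "GET":
                return Resp(200, dict(note))
            if method in ("PUT", "PATCH"):
                note["text"] = body.get("text", note["text"])
                return Resp(200, dict(note))
            if method == "DELETE":
                del self.notes[nid]
                return Resp(204)
        if parts == ["me"] and method == "PATCH":
            # Hardened: only allowlisted fields are writable. Vulnerable: every key in the JSON is.
            allowed = {"name"} if self.filter_fields else set(body)
            for key, value in body.items():
                if key in allowed:
                    user[key] = value
            return Resp(200, dict(user))
        return Resp(404)


def bola_replay_test(api: MockApi) -> list:
    """Create Account A and B, capture A's object flows, replay them with B's token.
    Any 2xx on the replay is an object-level authorization failure."""
    tok_a, tok_b = api.register("alice"), api.register("bob")
    # A owns two objects: one for read/update replay, a separate one so the DELETE
    # replay does not destroy the object the earlier checks depend on.
    n1 = api.request("POST", "/notes", tok_a, {"text": "alice secret"}).body["id"]
    n2 = api.request("POST", "/notes", tok_a, {"text": "alice other"}).body["id"]
    captured = [
        ("GET", f"/notes/{n1}", None),
        ("PATCH", f"/notes/{n1}", {"text": "edited"}),
        ("DELETE", f"/notes/{n2}", None),
    ]
    findings = []
    for method, path, body in captured:
        if method != "DELETE":
            # Baseline first: A's own request must work, or a 403 on replay proves nothing.
            assert api.request(method, path, tok_a, body).status == 200
        replay = api.request(method, path, tok_b, body)
        if 200 <= replay.status < 300:
            findings.append(f"BOLA: {method} {path} succeeded with B's token ({replay.status})")
    # Mass assignment: smuggle a hidden privileged field next to a legitimate one
    # and read the role back from the response rather than trusting the status code.
    me = api.request("PATCH", "/me", tok_b, {"name": "bob2", "role": "admin"})
    if me.status == 200 and me.body.get("role") == "admin":
        findings.append("MASS-ASSIGNMENT: PATCH /me accepted role=admin")
    return findings


if __name__ == "__main__":
    for label, api in (("vulnerable", MockApi(False, False)), ("hardened", MockApi(True, True))):
        print(label, bola_replay_test(api) or "no findings")
```

Against a real target the same loop applies: record every identifier-bearing request A makes (including IDs carried in headers, cookies and GraphQL arguments, not just the URL path), swap in B's token, and treat any 2xx, or any response body containing A's data, as a finding; for mass assignment, inspect the returned object or a follow-up GET, since many APIs return 200 while silently dropping fields.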
Quick Start
Use the api-authorization-and-bola skill to test an API by creating two users, exercising full CRUD flows with one user, and replaying those requests with the second user's token to identify unauthorized object or function access.
Dependency Matrix
Required Modules
None required
Components
Standard package
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: api-authorization-and-bola Download link: https://github.com/yaklang/hack-skills/archive/main.zip#api-authorization-and-bola Please download this .zip file, extract it, and install it in the .claude/skills/ directory.