testing-api-for-broken-object-level-authorization

Featured

Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities, where an authenticated user can read or modify resources belonging to other users by manipulating object identifiers in API requests. The tester intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and, while still authenticated as the first user, systematically replaces them with IDs belonging to other users to determine whether the server enforces per-object authorization rather than merely authentication. A 200 response on its own is not proof: the response must actually contain the other user's data, since some servers ignore the supplied ID and return the caller's own object. This maps to OWASP API Security Top 10 2023 risk API1:2023 Broken Object Level Authorization. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API access control bypass.
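The cross-account substitution check described above, written out as an added example (this is not the skill's own code). It assumes a sender callable with the signature `send(method, path, token) -> (status, body)`; `fake_api`, `DB`, `TOKENS` and the `/orders` and `/invoices` routes are a constructed in-memory stand-in so the script runs offline, and `requests_sender` is the drop-in for a live target under written authorization. The point it makes beyond the description: take an owner baseline first, then compare the attacker's response body against it rather than trusting the status code.

```python
"""Cross-account object substitution check for BOLA (OWASP API1:2023).

Added example, not the skill's own code. `fake_api` is a constructed in-memory
stand-in for the target so the script runs offline; swap in `requests_sender`
for a real target (authorized testing only).
"""
from typing import Callable, Dict, List, Tuple

# (method, path, token) -> (status, body)
Sender = Callable[[str, str, str], Tuple[int, object]]

# --- constructed target: two users, one enforced resource, one leaky resource ---
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
DB = {
    "orders":   {"1001": {"owner": "alice", "total": 42.0}, "1002": {"owner": "bob", "total": 7.5}},
    "invoices": {"inv-a": {"owner": "alice", "amount": 120}, "inv-b": {"owner": "bob", "amount": 300}},
}


def fake_api(method: str, path: str, token: str) -> Tuple[int, object]:
    """/orders/{id} checks ownership (404 rather than 403, to avoid leaking existence);
    /invoices/{id} only checks that the caller is authenticated: that is the BOLA."""
    user = TOKENS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    resource, _, obj_id = path.strip("/").partition("/")
    record = DB.get(resource, {}).get(obj_id)
    if record is None:
        return 404, {"error": "not found"}
    if resource == "orders" and record["owner"] != user:
        return 404, {"error": "not found"}
    return 200, dict(record, id=obj_id)


def requests_sender(base_url: str) -> Sender:
    """Sender backed by `requests` for a live target (import deferred so the
    offline demo does not need the library installed)."""
    import requests
    session = requests.Session()

    def send(method: str, path: str, token: str) -> Tuple[int, object]:
        r = session.request(method, base_url + path,
                            headers={"Authorization": f"Bearer {token}"}, timeout=10)
        try:
            return r.status_code, r.json()
        except ValueError:
            return r.status_code, r.text
    return send


def check_object(send: Sender, path_template: str, obj_id: str,
                 attacker_token: str, victim_token: str) -> str:
    """Classify one (endpoint, victim-owned object) pair.

    Baseline first: the owner must be able to fetch the object, otherwise the id is
    stale and the attacker's result would be meaningless. Then fetch as the attacker
    and compare bodies, because a 200 alone is not proof: some servers ignore the id
    and return the caller's own object, or return a redacted view.
    """
    path = path_template.replace("{id}", obj_id)
    base_status, base_body = send("GET", path, victim_token)
    if base_status != 200:
        return "INCONCLUSIVE"          # owner cannot fetch it either
    atk_status, atk_body = send("GET", path, attacker_token)
    if atk_status in (401, 403, 404):
        return "ENFORCED"
    if atk_status == 200 and atk_body == base_body:
        return "VULNERABLE"            # attacker sees exactly the victim's object
    return "REVIEW"                    # 200 with a different body, or an unexpected status


def run_checks(send: Sender, targets: Dict[str, List[str]],
               attacker_token: str, victim_token: str) -> Dict[str, Dict[str, str]]:
    """`targets` maps a path template to the ids the *victim* account owns there."""
    return {tmpl: {oid: check_object(send, tmpl, oid, attacker_token, victim_token)
                   for oid in ids}
            for tmpl, ids in targets.items()}


# Bob's objects as seeded above; Alice plays the attacker.
VICTIM_TARGETS = {"/orders/{id}": ["1002"], "/invoices/{id}": ["inv-b"]}

if __name__ == "__main__":
    for tmpl, verdicts in run_checks(fake_api, VICTIM_TARGETS, "tok-alice", "tok-bob").items():
        print(tmpl, verdicts)
```

Run it as-is and `/invoices/{id}` comes back VULNERABLE while `/orders/{id}` is ENFORCED. Against a live API, build the sender with `requests_sender("https://target.example")` (a placeholder host) and populate `targets` from objects you created with the victim account, so every id in the list is known to resolve. The check stays read-only on purpose; write and delete methods should first be exercised against objects the attacker account owns, so the comparison does not destroy the victim's data.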

API & Backend 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

Component      Weight  Score
Stars          20%     100
Recency        20%     100
Frontmatter    20%     70
Documentation  15%     100
Issue Health   10%     50
License        10%     100
Description    5%      100

Skill Content

# Testing API for Broken Object Level Authorization

## When to Use

- Assessing REST or GraphQL APIs that use object identifiers in URL paths, query parameters, or request bodies
- Performing OWASP API Security Top 10 assessments where API1:2023 (BOLA) must be tested
- Testing multi-tenant SaaS applications where users from different tenants should not access each other's data
- Validating that API endpoints enforce per-object authorization checks beyond just authentication
- Evaluating APIs after new endpoints are added to ensure authorization middleware is applied consistently

**Do not use** without written authorization from the API owner. BOLA testing involves accessing or attempting to access other users' data, which requires explicit permission.

## Prerequisites

- Written authorization specifying the target API endpoints and scope of testing
- At least two test accounts with distinct data sets at the same privilege level (and in different tenants for multi-tenant targets), which is what horizontal BOLA needs; accounts at different privilege levels additionally cover vertical cases
- Burp Suite Professional or OWASP ZAP configured as an intercepting proxy
- Authentication tokens (JWT, session cookies, API keys) for each test account
- API documentation (OpenAPI/Swagger spec) or access to enumerate endpoints
- Python 3.10+ with the `requests` library for scripted testing
- Autorize Burp extension installed for automated BOLA detection

## Workflow

### Step 1: API Endpoint Discovery and Object ID Mapping

Enumerate all API endpoints and identify parameters that reference objects (path parameters, query parameters such as `account_id`, and request-body fields that carry an identifier):

**From OpenAPI/Swagger Specification:**

```bash
...
```
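The spec-driven part of Step 1, as an added example rather than the skill's own script: walk an OpenAPI 3 document, collect every parameter that references an object, and tag each with the identifier style the later substitution step will have to mutate (numeric, UUID, or opaque/slug). `SAMPLE_SPEC` is a constructed document, and the `ID_NAME` pattern and `classify` rules are assumptions to tune per target; `$ref` schemas are not resolved here.

```python
"""Step 1 helper: map object-identifier parameters in an OpenAPI 3 document.

Added example, not the skill's own code. SAMPLE_SPEC is constructed for the demo;
the name pattern and type rules are heuristics, and `$ref` is not resolved.
"""
import re
from typing import Dict, List

# Names that usually carry an object reference. Deliberately case-sensitive on the
# trailing "Id" so words like "valid" or "paid" are not matched.
ID_NAME = re.compile(r"^(id|uuid|ID)$|_(id|uuid)$|Id$|[Ss]lug$")
HTTP_METHODS = ("get", "put", "post", "delete", "patch")

SAMPLE_SPEC = {  # constructed, not from any real API
    "openapi": "3.0.3",
    "paths": {
        "/users/{userId}/orders/{orderId}": {
            "parameters": [{"name": "userId", "in": "path", "schema": {"type": "integer"}}],
            "get": {"parameters": [
                {"name": "orderId", "in": "path", "schema": {"type": "string", "format": "uuid"}}]},
            "delete": {"parameters": [
                {"name": "orderId", "in": "path", "schema": {"type": "string", "format": "uuid"}}]},
        },
        "/invoices": {"get": {"parameters": [
            {"name": "account_id", "in": "query", "schema": {"type": "integer"}},
            {"name": "page", "in": "query", "schema": {"type": "integer"}}]}},
        "/transfers": {"post": {"requestBody": {"content": {"application/json": {"schema": {
            "type": "object",
            "properties": {"from_account_id": {"type": "string"},
                           "memo": {"type": "string"},
                           "amount": {"type": "number"}}}}}}}},
        "/health": {"get": {"responses": {"200": {"description": "ok"}}}},
    },
}


def classify(schema: dict) -> str:
    """Map a parameter or property schema to the id style the tester will mutate."""
    if schema.get("format") == "uuid":
        return "uuid"
    if schema.get("type") == "integer":
        return "numeric"
    return "opaque/slug"


def map_object_ids(spec: dict) -> List[Dict[str, str]]:
    """Return one record per (method, path, parameter) that references an object."""
    hits: List[Dict[str, str]] = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            for p in shared + op.get("parameters", []):
                # every path parameter selects an object; query params only if the name says so
                if p["in"] == "path" or ID_NAME.search(p["name"]):
                    hits.append({"method": method.upper(), "path": path, "param": p["name"],
                                 "in": p["in"], "id_type": classify(p.get("schema", {}))})
            body = op.get("requestBody", {}).get("content", {}).get("application/json", {})
            for name, prop in body.get("schema", {}).get("properties", {}).items():
                if ID_NAME.search(name):
                    hits.append({"method": method.upper(), "path": path, "param": name,
                                 "in": "body", "id_type": classify(prop)})
    return hits


if __name__ == "__main__":
    for h in map_object_ids(SAMPLE_SPEC):
        print(f'{h["method"]:6} {h["path"]:36} {h["in"]:5} {h["param"]:16} {h["id_type"]}')
```

The output is the target list for the substitution step: six entries here (`userId` and `orderId` for both GET and DELETE, `account_id` in the invoices query, `from_account_id` in the transfer body) and nothing for `/health`. Body fields are worth keeping in the list because ownership checks are most often forgotten on identifiers that arrive in JSON rather than in the URL.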

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

exploiting-idor-vulnerabilities

Identifying and exploiting Insecure Direct Object Reference vulnerabilities to access unauthorized resources by manipulating object identifiers in API requests and URLs.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-broken-object-property-level-authorization

Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive data exposure and mass assignment attacks.

12,642 Updated today
mukul975
AI & Automation Featured

exploiting-broken-function-level-authorization

Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities where regular users can invoke administrative functions or access privileged API endpoints by directly calling them. The tester identifies admin and privileged endpoints, then attempts to access them with regular user credentials by manipulating HTTP methods, URL paths, and request parameters. Maps to OWASP API5:2023 Broken Function Level Authorization. Activates for requests involving BFLA testing, admin endpoint bypass, function-level access control testing, or API privilege escalation.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-api-enumeration-attacks

Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier access patterns and authorization failures.

12,642 Updated today
mukul975
API & Backend Listed

api-breaker

Automated API security testing starting from domains. Discovers REST, GraphQL, and SOAP APIs, reconstructs schemas, and tests for BOLA/IDOR, BFLA, mass assignment, JWT attacks, rate limiting bypass, and business logic flaws. Use when user asks to "test API security", "break API", "find API vulnerabilities", "test GraphQL", "test JWT", "API pentest", or provides domains with API endpoints. For authorized testing only.

31 Updated today
KaQus