BOLA Agent

The BOLA (Broken Object-Level Authorization) Agent autonomously tests authorization boundaries and access control mechanisms using multi-user authentication.

Capabilities

  • Tenant Isolation Testing: Tests data segregation between accounts with equivalent permission levels
  • Privilege Escalation Detection: Tests authorization controls between users with different privilege levels
  • Horizontal Authorization Testing: Validates tenant isolation boundaries
  • Vertical Authorization Testing: Validates privilege escalation boundaries

Configuration

Basic Configuration

Enable the BOLA agent:

ai_pentesting:
  enabled: true
  agents:
    bola:
      enabled: true

Multi-User Configuration

Configure users for authorization testing:

authentication:
  presets:
    - type: bearer_token
      users:
        - username: admin@tenant-a.com
          token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
          role: admin
          main_user: true
        - username: user@tenant-a.com
          token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
          role: user
        - username: admin@tenant-b.com
          token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
          role: admin

Configuration Fields:

  • main_user: Marks the user whose session is used to explore the application and whose data is the target (victim) in authorization testing; exactly one user per scan
  • role: Optional string describing the user's role (e.g., "admin", "user") to help agents understand permission levels
  • test_mode: Optional enum (privilege_escalation or tenant_isolation) that guides the testing scenario
  • natural_language: Optional free-text description to help agents understand what the user is permitted to do

Testing Direction

The agent follows a unidirectional testing model:

  • Other users attempt to access the Main User's data and resources
  • Only endpoints accessible to the Main User are tested
  • For bidirectional testing, run separate scans with different main users

Tenant Isolation (symmetric permissions):

  • Configure users from different tenants with equivalent roles
  • A single scan direction suffices, because the relationship between the users is symmetric

Privilege Escalation (asymmetric permissions):

  • Configure users with different privilege levels
  • May require bidirectional testing for comprehensive coverage

Requirements

  • Multiple Users: Requires at least two configured users
  • Authentication: Valid authentication required for all users
  • Main User: One user must be designated as main_user: true

Limitations

  • Requires at least two configured users
  • Depends on valid authentication for every configured user
  • Tests only within the configured scope boundaries
  • Coverage is limited by the scan timeout settings