Multi-User BOLA Testing
Multi-user testing validates authorization boundaries by replaying authenticated requests across different user contexts to detect Broken Object-Level Authorization (BOLA), tenant isolation violations, and privilege escalation vulnerabilities.
Primary Use Cases
Tenant Isolation (Symmetric Permissions): Validates data segregation between users with equivalent roles across different tenants or organizations (horizontal authorization boundaries).
Privilege Escalation (Asymmetric Permissions): Validates authorization controls between users with different privilege levels within the same tenant (vertical authorization boundaries).
Detection Capabilities
The scanner supports three approaches for defining authorization rules:
- Agentic AI Natural Language Rules: Authorization policies defined in plain language and automatically translated into detection logic
- Permission Matrix Import: Structured role-based access control definitions for systematic validation
- Automatic BOLA Scanning: Fingerprint-based detection of unauthorized data access without manual configuration
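The mechanics behind the replay approach described above (record a main user's authenticated requests, replay them under other users' contexts, compare response fingerprints against a permission matrix) can be shown end to end with a small in-memory stand-in for the target API. The following is an added example written for this page, not the scanner's own code or its rule syntax: ORDERS, USERS, the two handlers and expected_allowed() are all constructed here, and expected_allowed() only plays the role of an imported permission matrix. It runs the same scan against a handler with a BOLA flaw and against a handler that performs the object-level check, covering both the symmetric (cross-tenant) and asymmetric (same-tenant, different role) directions.

```python
"""Replay-based multi-user BOLA check over a constructed in-memory API.

Everything below is constructed for illustration: ORDERS, USERS and the two
handlers stand in for the application under test, and expected_allowed()
stands in for an imported permission matrix.
"""
import hashlib
import itertools
import json
from dataclasses import dataclass

# Constructed sample data: each order belongs to a tenant and an owner.
ORDERS = {
    101: {"id": 101, "tenant": "acme", "owner": "alice", "total": 42.0},
    202: {"id": 202, "tenant": "globex", "owner": "bob", "total": 99.5},
}
USERS = {
    "alice": {"tenant": "acme", "role": "user"},    # owns order 101
    "dave":  {"tenant": "acme", "role": "user"},    # same tenant, owns nothing
    "carol": {"tenant": "acme", "role": "admin"},   # tenant admin
    "bob":   {"tenant": "globex", "role": "user"},  # other tenant, owns 202
}

_REQ = itertools.count(1)

def _respond(order):
    """200 response carrying the object plus a per-response volatile field."""
    body = dict(order)
    body["request_id"] = f"req-{next(_REQ)}"   # differs on every call
    return 200, body

def vulnerable_get_order(user, order_id):
    """BOLA: resolves the object by id only, never asks who is requesting."""
    order = ORDERS.get(order_id)
    return (404, None) if order is None else _respond(order)

def secure_get_order(user, order_id):
    """Object-level check: same tenant, and owner or tenant admin."""
    order, me = ORDERS.get(order_id), USERS[user]
    if order is None or order["tenant"] != me["tenant"]:
        return 404, None      # cross-tenant objects look exactly like missing ones
    if me["role"] != "admin" and order["owner"] != user:
        return 403, None
    return _respond(order)

def expected_allowed(user, order_id):
    """Stand-in for an imported permission matrix: who may read which order."""
    order, me = ORDERS[order_id], USERS[user]
    return order["tenant"] == me["tenant"] and (
        me["role"] == "admin" or order["owner"] == user)

def fingerprint(body, volatile=("request_id",)):
    """Stable hash of a JSON body with per-response fields removed, so two
    responses that carry the same object compare equal."""
    stripped = {k: v for k, v in body.items() if k not in volatile}
    return hashlib.sha256(json.dumps(stripped, sort_keys=True).encode()).hexdigest()

@dataclass(frozen=True)
class Finding:
    kind: str        # "tenant_isolation" (horizontal) or "privilege_escalation" (vertical)
    order_id: int
    main_user: str
    replay_user: str

def replay_scan(handler, main_user, replay_users, order_ids, allowed=expected_allowed):
    """Record the main user's responses, replay each request under every other
    user's context, and flag replays that return the main user's object while
    the permission matrix says that user must be denied."""
    findings = []
    for oid in order_ids:
        status, body = handler(main_user, oid)
        if status != 200:
            continue              # nothing observed to compare against
        baseline = fingerprint(body)
        for other in replay_users:
            r_status, r_body = handler(other, oid)
            if r_status != 200 or fingerprint(r_body) != baseline or allowed(other, oid):
                continue          # denied, a different object, or legitimately allowed
            same_tenant = USERS[other]["tenant"] == USERS[main_user]["tenant"]
            kind = "privilege_escalation" if same_tenant else "tenant_isolation"
            findings.append(Finding(kind, oid, main_user, other))
    return findings

if __name__ == "__main__":
    # Asymmetric direction: admin carol is the main user; dave (same tenant,
    # lower role) and bob (other tenant) replay her request for order 101.
    for name, handler in (("vulnerable", vulnerable_get_order), ("secure", secure_get_order)):
        print(name, replay_scan(handler, "carol", ["dave", "bob"], [101]))
```

The fingerprint step is what makes the comparison robust: a bare body equality check would never match because request_id changes per call, so the scan strips volatile fields before hashing. The permission matrix is consulted only for replays that came back with the main user's object; a 403, a 404, or a different object are all treated as correct denial, and a replay user the matrix marks as allowed (carol reading alice's order as tenant admin) is not a finding. Against the vulnerable handler the asymmetric run reports one privilege_escalation (dave) and one tenant_isolation (bob); against the secure handler it reports nothing.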
Documentation
- Use Cases: Tenant isolation and privilege escalation scenarios with implementation guidance
- Configuration Guide: Detection methods, main user concept, and testing direction
- WebApp Examples: Browser-based multi-user testing patterns
- API Examples: API-focused testing patterns with bearer tokens and headers
Related Documentation
- Authentication Configuration: Credential acquisition and authentication flow setup
- Custom Rules - Detectors: Detection rule syntax and extensibility