Access Control: Broken Object Level Authorization
Identifier: bola
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Broken Object Level Authorization happens when an application lets a user reach an object simply by changing an identifier such as a number or key, without checking whether that user is actually allowed to see the object. This can let an attacker read or modify someone else's data. Developers often assume that passing an object reference is safe and that no control needs to confirm the requester owns the data it points to. The danger is that when this basic ownership check is missing, critical information can be exposed or altered, leading to potential breaches or a loss of trust in the application.
Execution conditions (BLST):
- Enumeration BOLA runs when this test is enabled and its preconditions pass: the exchange is OK, the response is non-empty, the operation is a READ, and arguments are present.
- Agentic IDOR runs only when this test is enabled, `experimental.agentic_idor` is enabled, there are at least two users, at least one graph, and at least one exchange.
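To make the condition above concrete, here is an added example (not part of the scanner's own code) showing a minimal read handler with and without an object-level ownership check, and a `bola_check` helper that mimics the enumeration test: it only proceeds when the owner's READ succeeds with a non-empty response, then replays the same identifier as a second user. The users, documents and function names are constructed for this illustration.

```python
from typing import Callable, Optional

# Constructed sample data: two users, each owning one document.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's private notes"},
    102: {"owner": "bob", "body": "bob's private notes"},
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to read the object."""


def get_document_vulnerable(requester: str, doc_id: int) -> Optional[dict]:
    # The requester is assumed authenticated upstream, but ownership of
    # doc_id is never checked: any valid id is readable by any user (BOLA).
    return DOCUMENTS.get(doc_id)


def get_document_hardened(requester: str, doc_id: int) -> Optional[dict]:
    # Object-level authorization: the object must belong to the requester.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return None
    if doc["owner"] != requester:
        # A real API would map this to 403 (or 404 to avoid leaking existence).
        raise Forbidden(f"{requester} may not read document {doc_id}")
    return doc


Handler = Callable[[str, int], Optional[dict]]


def bola_check(handler: Handler, owner: str, other_user: str, doc_id: int) -> bool:
    """Return True if the handler hands the owner's object to another user."""
    baseline = handler(owner, doc_id)
    if not baseline:
        return False  # precondition failed: no successful, non-empty READ
    try:
        replayed = handler(other_user, doc_id)
    except Forbidden:
        return False  # access correctly denied
    # Vulnerable when the second user receives the same object.
    return replayed == baseline


if __name__ == "__main__":
    print("vulnerable handler flagged:", bola_check(get_document_vulnerable, "alice", "bob", 101))
    print("hardened handler flagged:  ", bola_check(get_document_hardened, "alice", "bob", 101))
```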
Configuration
Example
Example configuration:
Reference
do_not_fuzz
Type: List[string]
List of arguments to not fuzz for this security test.
skip
Type: boolean
Skip the test if true.