Access Control: Broken Object Level Authorization

Identifier: bola

Scanner(s) Support

  • GraphQL Scanner
  • REST Scanner
  • WebApp Scanner
  • ASM Scanner

Description

Broken Object Level Authorization occurs when applications allow users to access objects by changing identifiers without verifying ownership, potentially allowing attackers to access or modify other users' data.

How we test: We test access controls by modifying object identifiers in requests and analyzing the responses to detect whether unauthorized access is possible. We check whether the application properly validates that users can only access objects they own or are authorized to view.

Execution conditions (BLST):

  • Enumeration BOLA runs when this test is enabled and its preconditions pass: the exchange succeeded, the response is non-empty, the operation is a READ, and arguments are present.
  • Agentic IDOR runs only when this test is enabled, experimental.agentic_idor is enabled, and there are at least two users, at least one graph, and at least one exchange.
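The following is an added illustration, not code from the scanner or from this page: a minimal in-memory Python model of the check described above, with a handler that skips the ownership check beside one that enforces it, and a function that mirrors the scanner's logic (baseline READ on an owned object, then the same request with a swapped identifier). The users, documents and handler names are constructed for the example.

```python
"""Constructed model of a BOLA check: swap an object identifier in a READ
that succeeded for the caller's own object and see whether data comes back."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two users, one document each.
DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's notes"),
}


def get_document_vulnerable(user: str, doc_id: int) -> dict:
    """Looks the document up by id only; ownership is never checked."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return {"status": 404}
    return {"status": 200, "body": doc.body}


def get_document_hardened(user: str, doc_id: int) -> dict:
    """Object-level authorization: the caller must own the document.
    Missing and not-owned return the same response, so the caller cannot
    tell the two apart and enumerate which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != user:
        return {"status": 404}
    return {"status": 200, "body": doc.body}


def bola_exposed(handler, user: str, own_id: int, other_id: int) -> bool:
    """Precondition as on the page: a READ that succeeded with a non-empty
    response for an object the user owns. Then repeat with an id the user
    does not own; a 200 carrying data means object-level auth is broken."""
    baseline = handler(user, own_id)
    if baseline["status"] != 200 or not baseline.get("body"):
        return False  # preconditions not met, nothing to compare against
    swapped = handler(user, other_id)
    return swapped["status"] == 200 and bool(swapped.get("body"))


if __name__ == "__main__":
    print("vulnerable:", bola_exposed(get_document_vulnerable, "alice", 1, 2))
    print("hardened:", bola_exposed(get_document_hardened, "alice", 1, 2))
```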

Configuration

Example

Example configuration:

---
security_tests:
  bola:
    do_not_fuzz: []
    skip: false

Reference

do_not_fuzz

Type : List[string]*

List of arguments not to fuzz for this security test.

skip

Type : boolean

Skip the test if true.