Access Control: Multi User Access Control¶

Identifier: multi_user_access_control

Scanner(s) Support¶

Description¶

Multi-user access control vulnerabilities occur when systems fail to properly separate access between users, roles, or tenants, allowing unauthorized access or modification due to flawed authorization logic.

How we test: We replay the same requests with different authenticated users and compare responses to detect broken access control across user scopes (cross-tenant and RBAC/privilege boundaries).

Execution conditions (BLST):

• Runs when this test is enabled and preconditions pass: coverage is OK or EMPTY_RESPONSE, at least one other user exists, operation is READ/CREATE/ UPDATE, and arguments are present.
• Additional filters: denylisted paths are skipped, and READ checks are skipped when the response is empty.

By default, when no configuration is provided, the check will cover all paths and keys matching. Response similarity will be used to detect isolation violations.

References:

• https://blog.logrocket.com/authorization-access-control-graphql/

Configuration¶

Example¶

Example configuration:

---
security_tests:
  multi_user_access_control:
    keys_matching:
    - card_number
    main_user: ''
    natural_language_rule: Ensure that a user's notes cannot be accessed by other
      users.
    other_users:
      detect:
      - if_: request.is_authenticated
        is_: true
        is_not: null
      - if_: helpers.fingerprints.same
        is_: true
        is_not: null
    paths:
    - /users/{id}
    skip: false
    specific_users: {}

Reference¶

keys_matching¶

Type : List[string]*

List of keys in a response body that will be compared between different users, to detect an isolation violation.

If the key values are the exact same between these users, an alert will be raised.

For example if you want to control the key card_number, you can use the following:

---
security_tests:
  multi_user_access_control:
    keys_matching:
    - card_number

main_user¶

Type : string

The main user to use for the check. It will be used as source of truth to detect isolation violations with all other users.

---
security_tests:
  multi_user_access_control:
    main_user: user1

natural_language_rule¶

Type : string

A natural language prompt to describe what should be checked for multi-user access control. This will be used to generate the rules to detect multi-user access control issues when analyzing the responses. You can review the generated rules in the alert details, or the scan logs with the prefix [Agentic - Multi User Access Control]

other_users¶

Type : MultiUserAccessControlRule*

The conditions to trigger the alert when comparing the original and switched responses. The list of conditions are combined with AND logic by default. By default, the conditions check if the request is authenticated and if the responses of both users have the same fingerprint.

paths¶

Type : List[string]*

List of paths that this check will cover. Add * to cover all paths.

For example if you want to control the path /users/{id}, you can use the following:

---
security_tests:
  multi_user_access_control:
    paths:
    - /users/{id}

To cover all paths, you can use the following:

---
security_tests:
  multi_user_access_control:
    paths:
    - '*'

skip¶

Type : boolean

Skip the test if true.

specific_users¶

Type : Dict[string, MultiUserAccessControlRule]

The conditions to trigger the alert when analyzing the responses between a given user and specific users. The list of conditions are combined with AND logic by default.

APILogicalAndDetector¶

and¶

Type : List[APILogicalAndDetector|APILogicalNotDetector|APILogicalOrDetector|FingerprintCountDetector|FingerprintsSameDetector|HelpersRequestCrudDetector|HelpersResponseIsSuccessfulDetector|JSONMatchesAllDetector|JSONMatchesCountDetector|RegexMatchesAllDetector|RegexMatchesCountDetector|RequestBodyJSONDetector|RequestBodyTextDetector|RequestHeadersDetector|RequestIsAuthenticatedDetector|RequestMethodDetector|RequestObjectDetector|RequestUserDetector|ResponseBodyJSONDetector|ResponseBodyTextDetector|ResponseDurationDetector|ResponseHeadersDetector|ResponseObjectDetector|ResponseStatusCodeDetector|ScanTypeDetector|SchemaNeedAuthenticationDetector|SchemaPathRefDetector|SchemaUrlDetector|VariableDefinedDetector]*

Logical and on a list of detectors

if¶

Type : Const[and]*

Use this to apply a logical and on a list of detectors.

Example¶

detect:
  - if: and
    and:
      - if: helpers.request.crud
        in:
          - CREATE
          - UPDATE
      - if: response.status_code
        is: 200

APILogicalNotDetector¶

if¶

Type : Const[not]*

Use this to apply a logical not on a detector.

Example¶

detect:
  - if: not
    not:
      if: response.status_code
      is: 200

not¶

Type : APILogicalAndDetector|APILogicalNotDetector|APILogicalOrDetector|FingerprintCountDetector|FingerprintsSameDetector|HelpersRequestCrudDetector|HelpersResponseIsSuccessfulDetector|JSONMatchesAllDetector|JSONMatchesCountDetector|RegexMatchesAllDetector|RegexMatchesCountDetector|RequestBodyJSONDetector|RequestBodyTextDetector|RequestHeadersDetector|RequestIsAuthenticatedDetector|RequestMethodDetector|RequestObjectDetector|RequestUserDetector|ResponseBodyJSONDetector|ResponseBodyTextDetector|ResponseDurationDetector|ResponseHeadersDetector|ResponseObjectDetector|ResponseStatusCodeDetector|ScanTypeDetector|SchemaNeedAuthenticationDetector|SchemaPathRefDetector|SchemaUrlDetector|VariableDefinedDetector

Logical not of a detector

APILogicalOrDetector¶

if¶

Type : Const[or]*

Use this to apply a logical or on a list of detectors.

Example¶

detect:
  - if: or
    or:
      - if: helpers.request.crud
        in:
          - CREATE
          - UPDATE
      - if: response.status_code
        is: 200

or¶

Type : List[APILogicalAndDetector|APILogicalNotDetector|APILogicalOrDetector|FingerprintCountDetector|FingerprintsSameDetector|HelpersRequestCrudDetector|HelpersResponseIsSuccessfulDetector|JSONMatchesAllDetector|JSONMatchesCountDetector|RegexMatchesAllDetector|RegexMatchesCountDetector|RequestBodyJSONDetector|RequestBodyTextDetector|RequestHeadersDetector|RequestIsAuthenticatedDetector|RequestMethodDetector|RequestObjectDetector|RequestUserDetector|ResponseBodyJSONDetector|ResponseBodyTextDetector|ResponseDurationDetector|ResponseHeadersDetector|ResponseObjectDetector|ResponseStatusCodeDetector|ScanTypeDetector|SchemaNeedAuthenticationDetector|SchemaPathRefDetector|SchemaUrlDetector|VariableDefinedDetector]*

Logical or on a list of detectors

FingerprintCountDetector¶

gt¶

Type : integer

Condition is greater than this integer

if¶

Type : Const[helpers.fingerprints.count]*

Use this to select and compare the count of unique fingerprints of the current and original response.

in¶

Type : List[integer]

Condition is in this list of integers (exact match)

is¶

Type : integer

Condition is this exact integer

is_not¶

Type : integer

Condition is not this exact integer

lt¶

Type : integer

Condition is less than this integer

FingerprintsSameDetector¶

if¶

Type : Const[helpers.fingerprints.same]*

Use this to determine whether the current and original responses have the same fingerprint.

is¶

Type : boolean

Condition is true

is_not¶

Type : boolean

Condition is false

HelpersRequestCrudDetector¶

if¶

Type : Const[helpers.request.crud]*

Use this to select against the detected CRUD operation of the request.

Example¶

detect:
  - if: helpers.request.crud
    in:
      - CREATE
      - UPDATE

in¶

Type : List[CRUD]

Condition is the request is in this list of CRUD operations (exact match)

is¶

Type : CRUD

Condition is the request is this CRUD operation

is_not¶

Type : CRUD

Condition is the request is not this CRUD operation

HelpersResponseIsSuccessfulDetector¶

if¶

Type : Const[helpers.response.is_successful]*

True when the response status code is in the 2xx range.

Matcher type: BooleanMatcher · Operators: is

detect:
  - if: helpers.response.is_successful
    is: true

In context — combine with helpers.request.crud and request.is_authenticated to flag anonymous mutations:

{{ example: api/access_control/unauthenticated-mutation.yaml }}

is¶

Type : boolean

Condition is true

is_not¶

Type : boolean

Condition is false

JSONMatchesAllDetector¶

if¶

Type : Const[helpers.json_matches.all]*

Use this to determine whether every the current and original responses contain the same JSON fragment.

is¶

Type : boolean

Condition is true

is_not¶

Type : boolean

Condition is false

jq¶

Type : string

Use this to select the exact JSON you want to compare between the current and original response.

JSONMatchesCountDetector¶

gt¶

Type : integer

Condition is greater than this integer

if¶

Type : Const[helpers.json_matches.count]*

Use this to count the number of times a JSON match is in the current and original response.

in¶

Type : List[integer]

Condition is in this list of integers (exact match)

is¶

Type : integer

Condition is this exact integer

is_not¶

Type : integer

Condition is not this exact integer

jq¶

Type : string

Use this to select the exact JSON you want to compare between the current and original response.

lt¶

Type : integer

Condition is less than this integer

JsonValue¶

MultiUserAccessControlRule¶

detect¶

Type : List[APILogicalAndDetector|APILogicalNotDetector|APILogicalOrDetector|FingerprintCountDetector|FingerprintsSameDetector|HelpersRequestCrudDetector|HelpersResponseIsSuccessfulDetector|JSONMatchesAllDetector|JSONMatchesCountDetector|RegexMatchesAllDetector|RegexMatchesCountDetector|RequestBodyJSONDetector|RequestBodyTextDetector|RequestHeadersDetector|RequestIsAuthenticatedDetector|RequestMethodDetector|RequestObjectDetector|RequestUserDetector|ResponseBodyJSONDetector|ResponseBodyTextDetector|ResponseDurationDetector|ResponseHeadersDetector|ResponseObjectDetector|ResponseStatusCodeDetector|ScanTypeDetector|SchemaNeedAuthenticationDetector|SchemaPathRefDetector|SchemaUrlDetector|VariableDefinedDetector]*

The detectors to trigger the alert when analyzing the responses between the main user and other users.

ObjectTypeMatcher¶

in¶

Type : List[OBJECT_TYPE]

Object type is in the following list

is¶

Type : OBJECT_TYPE

Object type is exactly this type

is_not¶

Type : OBJECT_TYPE

Object type is any this type except this one

RegexMatchesAllDetector¶

if¶

Type : Const[helpers.regex_matches.all]*

Use this to determine whether every the current and original responses match the same regular expression.

is¶

Type : boolean

Condition is true

is_not¶

Type : boolean

Condition is false

regex¶

Type : string

Condition is matched on this regex with fullmatch

RegexMatchesCountDetector¶

gt¶

Type : integer

Condition is greater than this integer

if¶

Type : Const[helpers.regex_matches.count]*

Use this to count the number of times a regex match is in the current and original response.

in¶

Type : List[integer]

Condition is in this list of integers (exact match)

is¶

Type : integer

Condition is this exact integer

is_not¶

Type : integer

Condition is not this exact integer

lt¶

Type : integer

Condition is less than this integer

regex¶

Type : string

Condition is matched on this regex with fullmatch

RequestBodyJSONDetector¶

if¶

Type : Const[request.body.json]*

Use this to select and compare the request body when detected as JSON, using jq-like syntax.

Example 1¶

detect:
  - if: request.body.json
    is:
      id: 42

Example 2¶

detect:
  - if: request.body.json
    jq: '.role == admin'

in¶

Type : List[JsonValue]

Condition is in this list of JSON

is¶

Type : JsonValue

Condition is this exact JSON

is_not¶

Type : JsonValue

Condition is not this exact JSON

jq¶

Type : string

JQ query to match and use as boolean. If use_extraction is True, only this attribute will be parsed (if set).

use_extraction¶

Type : boolean

If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing.

RequestBodyTextDetector¶

contains¶

Type : string

Contains this substring (case-insensitive)

if¶

Type : Const[request.body.text]*

Use this to select and compare the request body as text, using string compare.

Example¶

detect:
  - if: request.body.text
    contains: 'password='

in¶

Type : List[string]

Condition is in this list (case-insensitive)

is¶

Type : string

Condition is this string (case-insensitive)

is_not¶

Type : string

Condition is not this string (case-insensitive)

regex¶

Type : string

Condition is matched on this regex with fullmatch (case-insensitive)

use_extraction¶

Type : boolean

If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing.

RequestHeadersDetector¶

if¶

Type : Const[request.headers]*

Use that to select and compare the request headers in a key value dictionary.

Example¶

detect:
  - if: request.headers
    key:
      is: 'X-OPERATION'
    value:
      is: 'PAY'

key¶

Type : StringMatcher

Key to match

value¶

Type : StringMatcher

Value to match

RequestIsAuthenticatedDetector¶

if¶

Type : Const[request.is_authenticated]*

Use this to select whether the request is authenticated.

Example¶

detect:
  - if: request.is_authenticated
    is: true

is¶

Type : boolean

Condition is true

is_not¶

Type : boolean

Condition is false

RequestMethodDetector¶

if¶

Type : Const[request.method]*

Use this to select against the request HTTP Method.

Example¶

detect:
  - if: request.method
    is: OPTIONS

in¶

Type : List[HTTPMethod]

Condition is the request is in this list of CRUD operations (exact match)

is¶

Type : HTTPMethod

Condition is the request is this CRUD operation

is_not¶

Type : HTTPMethod

Condition is the request is not this CRUD operation

RequestObjectDetector¶

if¶

Type : Const[request.object]*

Use this to select and compare the detected object scalars (including custom scalars) in the request, with their kind, name and value.

Example¶

detect:
  - if: request.object
    type:
      in:
        - email
        - phone
        - street_address

name¶

Type : StringMatcher

Object scalar name to match

type¶

Type : ObjectTypeMatcher

Object scalar type to match

value¶

Type : StringMatcher

Object scalar value to match

RequestUserDetector¶

contains¶

Type : string

Contains this substring (case-insensitive)

if¶

Type : Const[request.user]*

Match the user name attached to the request. The value must match a user defined in your scan authentication settings (the special user public represents an unauthenticated caller).

Matcher type: StringMatcher · Operators: is, is_not, contains, regex, in

detect:
  - if: request.user
    is: tester@example.com

In context — BOLA detection by replaying as a different user:

{{ example: api/access_control/bola-user-swap-fingerprint.yaml }}

in¶

Type : List[string]

Condition is in this list (case-insensitive)

is¶

Type : string

Condition is this string (case-insensitive)

is_not¶

Type : string

Condition is not this string (case-insensitive)

regex¶

Type : string

Condition is matched on this regex with fullmatch (case-insensitive)

use_extraction¶

Type : boolean

If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing.

ResponseBodyJSONDetector¶

if¶

Type : Const[response.body.json]*

Use this to select and compare the response body when detected as JSON, using jq-like syntax.

Example 1¶

detect:
  - if: response.body.json
    is:
      id: 42

Example 2¶

detect:
  - if: response.body.json
    jq: '.role == admin'

in¶

Type : List[JsonValue]

Condition is in this list of JSON

is¶

Type : JsonValue

Condition is this exact JSON

is_not¶

Type : JsonValue

Condition is not this exact JSON

jq¶

Type : string

JQ query to match and use as boolean. If use_extraction is True, only this attribute will be parsed (if set).

use_extraction¶

Type : boolean

If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing.

ResponseBodyTextDetector¶

contains¶

Type : string

Contains this substring (case-insensitive)

if¶

Type : Const[response.body.text]*

Use this to select and compare the response body as text, using string compare.

Example¶

detect:
  - if: request.body.text
    is_not: 'unauthorized'

in¶

Type : List[string]

Condition is in this list (case-insensitive)

is¶

Type : string

Condition is this string (case-insensitive)

is_not¶

Type : string

Condition is not this string (case-insensitive)

regex¶

Type : string

Condition is matched on this regex with fullmatch (case-insensitive)

use_extraction¶

Type : boolean

If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing.

ResponseDurationDetector¶

gt¶

Type : integer

Condition is greater than this integer

if¶

Type : Const[response.duration_ms]*

Use this to compare the duration of the request in milliseconds.

Example¶

detect:
  - if: response.duration_ms
    gt: 200

in¶

Type : List[integer]

Condition is in this list of integers (exact match)

is¶

Type : integer

Condition is this exact integer

is_not¶

Type : integer

Condition is not this exact integer

lt¶

Type : integer

Condition is less than this integer

ResponseHeadersDetector¶

if¶

Type : Const[response.headers]*

Use that to select and compare the response headers in a key value dictionary.

Example¶

detect:
  - if: response.headers
    key:
      is: 'X-RESULT'
    value:
      is: 'PAID'

key¶

Type : StringMatcher

Key to match

value¶

Type : StringMatcher

Value to match

ResponseObjectDetector¶

if¶

Type : Const[response.object]*

Use this to select and compare the detected object scalars (including custom scalars) in the response, with their kind, name and value.

Example¶

detect:
  - if: response.object
    type:
      in:
        - email
        - phone
        - street_address

name¶

Type : StringMatcher

Object scalar name to match

type¶

Type : ObjectTypeMatcher

Object scalar type to match

value¶

Type : StringMatcher

Object scalar value to match

ResponseStatusCodeDetector¶

gt¶

Type : integer

Condition is greater than this integer

if¶

Type : Const[response.status_code]*

Match against the HTTP response status code.

Matcher type: IntegerMatcher · Operators: is, is_not, gt, lt, in

detect:
  - if: response.status_code
    in: [200, 206]

For simple success/failure checks prefer helpers.response.is_successful (it covers the full 2xx range and is more readable).

In context — partial-content trick for SQL dump probing:

{{ example: api/information_disclosure/exposed-sql-dumps.yaml }}

in¶

Type : List[integer]

Condition is in this list of integers (exact match)

is¶

Type : integer

Condition is this exact integer

is_not¶

Type : integer

Condition is not this exact integer

lt¶

Type : integer

Condition is less than this integer

ScanTypeDetector¶

if¶

Type : Const[scan.type]*

Match against the type of scan being performed.

Matcher Type: ScanTypeMatcher · Operators: is, is_not, in · Valid values: REST, GRAPHQL

detect:
  - if: scan.type
    is: REST

# OR
detect:
  - if: scan.type
    in: [REST, GRAPHQL]

in¶

Type : List[CustomRuleScanType]

The scan type is in this list

is¶

Type : CustomRuleScanType

The scan type is exactly this

is_not¶

Type : CustomRuleScanType

The scan type is not this type

SchemaNeedAuthenticationDetector¶

if¶

Type : Const[schema.need_authentication]*

Use this to select whether or not the schema requires authentication.

Example¶

detect:
  - if: schema.need_authentication
    is: false

is¶

Type : boolean

Condition is true

is_not¶

Type : boolean

Condition is false

SchemaPathRefDetector¶

contains¶

Type : string

Contains this substring (case-insensitive)

if¶

Type : Const[schema.path_ref]*

Match the operation name (GraphQL) or the path (REST) of the request.

Matcher type: StringMatcher · Operators: is, is_not, contains, regex, in

detect:
  - if: schema.path_ref
    contains: /admin/

# Or regex over a versioned path:
detect:
  - if: schema.path_ref
    regex: /api/v[0-9]+/admin/.*

In context — anonymous admin route detection:

{{ example: api/access_control/public-admin-route.yaml }}

in¶

Type : List[string]

Condition is in this list (case-insensitive)

is¶

Type : string

Condition is this string (case-insensitive)

is_not¶

Type : string

Condition is not this string (case-insensitive)

regex¶

Type : string

Condition is matched on this regex with fullmatch (case-insensitive)

use_extraction¶

Type : boolean

If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing.

SchemaUrlDetector¶

contains¶

Type : string

Contains this substring (case-insensitive)

if¶

Type : Const[schema.url]*

Use this to string compare the URL of the request.

Example¶

detect:
  - if: schema.url
    regex: .*(internal|private).*

in¶

Type : List[string]

Condition is in this list (case-insensitive)

is¶

Type : string

Condition is this string (case-insensitive)

is_not¶

Type : string

Condition is not this string (case-insensitive)

regex¶

Type : string

Condition is matched on this regex with fullmatch (case-insensitive)

use_extraction¶

Type : boolean

If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing.

StringMatcher¶

contains¶

Type : string

Contains this substring (case-insensitive)

in¶

Type : List[string]

Condition is in this list (case-insensitive)

is¶

Type : string

Condition is this string (case-insensitive)

is_not¶

Type : string

Condition is not this string (case-insensitive)

regex¶

Type : string

Condition is matched on this regex with fullmatch (case-insensitive)

use_extraction¶

Type : boolean

If True, variable references between {{ }} will be replace with the extracted value (If exists). The string representation of the variable will be used without any extra-processing.

VariableDefinedDetector¶

if¶

Type : Const[variable.defined]*

Use this to detect if a given variable has been extracted or not yet.

Basic Example¶

detect:
  - if: variable.defined
    variable_name: user_id

Common Use Cases¶

• Making sure a variable has been already extracted before executing a mutation, a detector or another extraction.

variable_name¶

Type : string*

Use this to specify the variable name that has to be defined before proceeding further

Enums¶

CRUD¶

CustomRuleScanType¶

HTTPMethod¶

OBJECT_TYPE¶