Access Control: Broken Object Level Authorization
Identifier:
bola
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Broken Object Level Authorization (BOLA, also known as IDOR) occurs when an application lets a user reach an object simply by supplying its identifier, without verifying that the caller is authorized for that specific object. An attacker who changes the identifier in a request can then read or modify other users' data.
How we test: We take object identifiers observed in authenticated requests, replace them with identifiers of other objects (including objects that belong to a different configured user) and compare the responses with the legitimate owner's. A request that returns another user's object with the same status and content the owner received indicates that the application does not enforce authorization at the object level.
Prerequisites:
- The scan must include authenticated traffic with readable object identifiers.
- Deeper IDOR analysis requires at least two configured users and enough application activity to compare access across accounts.
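The cross-account comparison described above, as an added example that is not the scanner's own code: a constructed two-user in-memory API with a vulnerable and a hardened handler, and a check that replays each observed object request under every other configured user's session and flags the cases where the other user receives the owner's object. The handler names, the `Response` and `Finding` types, the invoice data, the session tokens and the traffic list are all assumptions made for the example; the `do_not_fuzz` parameter mirrors the configuration option of the same name documented on this page.

```python
"""Differential BOLA check across two configured users.

Added example, not the scanner's own code. Everything here (the in-memory
API, the invoice data, the session tokens and the traffic list) is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample data: two users, each owning exactly one invoice.
INVOICES: Dict[str, dict] = {
    "inv_1001": {"owner": "alice", "amount": 120.0},
    "inv_1002": {"owner": "bob", "amount": 75.5},
}
# Constructed session tokens -> usernames (the "two configured users").
SESSIONS: Dict[str, str] = {"tok_alice": "alice", "tok_bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


Handler = Callable[[str, str], Response]


def vulnerable_get_invoice(token: str, invoice_id: str) -> Response:
    """Authenticates the caller but never checks who owns the object: BOLA."""
    if token not in SESSIONS:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, dict(inv))


def hardened_get_invoice(token: str, invoice_id: str) -> Response:
    """Same endpoint with the object-level ownership check in place."""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    # Answer 404 for both "missing" and "not yours" so the identifier space
    # cannot be enumerated through the status code alone.
    if inv is None or inv["owner"] != user:
        return Response(404)
    return Response(200, dict(inv))


@dataclass
class Finding:
    param: str
    object_id: str
    victim: str
    attacker: str


# Constructed authenticated traffic: (session token, parameter name, object id).
SAMPLE_TRAFFIC: List[Tuple[str, str, str]] = [
    ("tok_alice", "invoice_id", "inv_1001"),
    ("tok_bob", "invoice_id", "inv_1002"),
]


def check_bola(
    handler: Handler,
    traffic: Iterable[Tuple[str, str, str]],
    sessions: Dict[str, str],
    do_not_fuzz: Iterable[str] = (),
) -> List[Finding]:
    """Replay every observed object request under each *other* user's session.

    A request is flagged only when the other user gets a 200 with the same body
    the owner received; checking the status alone would misreport endpoints
    that answer 200 with a generic or empty payload.
    """
    skip = set(do_not_fuzz)
    findings: List[Finding] = []
    for token, param, object_id in traffic:
        if param in skip:
            continue  # parameter excluded via do_not_fuzz
        baseline = handler(token, object_id)
        if baseline.status != 200:
            continue  # the owner cannot fetch it either; nothing to compare
        for other_token, other_user in sessions.items():
            if other_token == token:
                continue
            replay = handler(other_token, object_id)
            if replay.status == 200 and replay.body == baseline.body:
                findings.append(Finding(param, object_id, sessions[token], other_user))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_invoice),
                          ("hardened", hardened_get_invoice)):
        print(name, check_bola(handler, SAMPLE_TRAFFIC, SESSIONS))
```

Against the vulnerable handler the check reports both invoices as reachable from the other account; against the hardened handler it reports nothing, because the ownership check collapses "not yours" into the same 404 as "does not exist". Listing `invoice_id` in `do_not_fuzz` suppresses the test for that parameter entirely, which is the behaviour to expect from the configuration option below.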
Configuration
Example
Example configuration:
Reference
do_not_fuzz
Type : List[string]*
List of argument (parameter) names that this security test must not fuzz.
skip
Type : boolean
Skip the test if true.