mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


API Reference: Testing API for Broken Object Level Authorization

BOLA Test Types

| Test | Method | Severity |
|---|---|---|
| Horizontal read | GET victim's resource with attacker token | High |
| Horizontal write | PATCH/PUT victim's resource | Critical |
| Horizontal delete | DELETE victim's resource | Critical |
| ID enumeration | Sequential/predictable ID access | High |
| Method bypass | Different HTTP methods on same resource | High |
| Batch request | Include victim IDs in batch endpoint | High |
| Nested resource | Access child via parent swap | High |

Object ID Types

| Type | Example | Predictability |
|---|---|---|
| Sequential integer | `/orders/1042` | High |
| UUID v4 | `/orders/550e8400-...` | Low |
| Encoded/base64 | `/orders/MTAwMg==` | Medium |
| Composite | `/users/42/orders/1042` | High |
| Slug | `/profiles/john-doe` | Medium |

OWASP API1:2023 Checks

| Check | Description |
|---|---|
| Per-object authorization | Every object access checks ownership |
| Data-layer enforcement | `WHERE user_id = authenticated_user.id` |
| Rate limiting | Slow enumeration attempts |
| UUID over sequential | Reduce predictability |
| Batch endpoint auth | Validate all IDs in arrays |
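The per-object, data-layer and batch checks above, shown together as an added example (not code from this skill): an in-memory order store where the owner filter is part of the lookup itself, so a handler cannot forget it, and a batch endpoint that authorizes every ID in the array. The `Order` model and the sample data are constructed for illustration.

```python
# Added example, not part of the skill's own code: OWASP API1:2023 controls
# "per-object authorization", "data-layer enforcement" and "batch endpoint auth"
# applied to a constructed in-memory order store.
from dataclasses import dataclass
from typing import Iterable, List, Optional


class AuthorizationError(Exception):
    """Raised when the caller does not own the requested object."""


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed sample data: user 7 owns one order, user 42 owns two.
ORDERS = {
    1041: Order(1041, owner_id=7, total_cents=1999),
    1042: Order(1042, owner_id=42, total_cents=5000),
    1043: Order(1043, owner_id=42, total_cents=250),
}


def fetch_order_unchecked(order_id: int) -> Optional[Order]:
    """The BOLA-prone pattern: lookup by ID only, the caller is never consulted."""
    return ORDERS.get(order_id)


def fetch_order(order_id: int, authenticated_user_id: int) -> Order:
    """Data-layer enforcement: the owner filter belongs to the lookup itself,
    the equivalent of `WHERE id = ? AND user_id = ?`. A foreign ID and a
    nonexistent ID raise the same error, so the response is not an oracle
    for which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != authenticated_user_id:
        raise AuthorizationError("order %d not accessible" % order_id)
    return order


def fetch_orders_batch(order_ids: Iterable[int], authenticated_user_id: int) -> List[Order]:
    """Batch endpoint auth: every ID in the array is authorized individually,
    and one foreign ID fails the whole request rather than being skipped."""
    return [fetch_order(oid, authenticated_user_id) for oid in order_ids]


def is_accessible(order_id: int, authenticated_user_id: int) -> bool:
    """True when the authenticated user may read the order; used by callers
    that want a boolean instead of an exception."""
    try:
        fetch_order(order_id, authenticated_user_id)
    except AuthorizationError:
        return False
    return True
```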

Automated Tools

| Tool | Purpose |
|---|---|
| Autorize (Burp) | Automated BOLA detection |
| OWASP ZAP Access Control | Authorization boundary testing |
| ffuf | ID enumeration at scale |
| Postman | Manual BOLA testing |

Python Libraries

| Library | Version | Purpose |
|---|---|---|
| requests | >=2.28 | HTTP API calls |
| json | stdlib | Response parsing |

References