api-authorization-and-bola

Original：🇺🇸 English

Translated

API authorization and BOLA testing playbook. Use when APIs expose object identifiers, nested resources, hidden writable fields, or weak function-level authorization.

2installs

Sourceyaklang/hack-skills

Added on2026-04-09

NPX Install

npx skill4agent add yaklang/hack-skills api-authorization-and-bola

SKILL.md Content

View Translation Comparison →

SKILL: API Authorization and BOLA — Object Access, Function Access, and Mass Assignment

AI LOAD INSTRUCTION: Use this skill when an API exposes object IDs, nested resources, or role-sensitive functions and you need a focused authorization test path: BOLA, BFLA, method abuse, and hidden field control.

1. CORE TEST LOOP

Create Account A and Account B.
As Account A, capture create, read, update, and delete flows.
Replay with Account B's token.
Test sibling endpoints, nested endpoints, and alternate HTTP verbs.

2. TEST SURFACES

Surface	Example
object read	`/api/v1/orders/123`
nested object	`/api/v1/users/1/invoices/9`
admin or internal function	`/api/v1/admin/users`
update path	`PUT` , `PATCH` , `DELETE` variants
hidden JSON fields	`role` , `org` , `verified` , `tier`

3. QUICK PAYLOADS

json

{"role":"admin"}
{"isAdmin":true}
{"org":"target-company"}
{"verified":true}

4. WHAT TESTERS MISS

object IDs in headers, cookies, GraphQL args, and nested objects
alternate methods sharing the same route but weaker authz
parent check present, child resource check missing
admin docs revealing extra writable fields

5. NEXT ROUTING

For JWT or token-layer abuse: api auth and jwt abuse
For GraphQL and hidden parameter discovery: graphql and hidden parameters
For broader IDOR patterns outside APIs: idor broken object authorization