SKILL: API Authorization and BOLA — Object Access, Function Access, and Mass Assignment
AI LOAD INSTRUCTION: Use this skill when an API exposes object IDs, nested resources, or role-sensitive functions and you need a focused authorization test path: BOLA, BFLA, method abuse, and hidden field control.
1. CORE TEST LOOP
- Create Account A and Account B.
- As Account A, capture the create, read, update, and delete flows, noting every object ID they return.
- Replay each captured request with Account B's token; a 2xx (or an identical response body) on Account A's objects is a finding.
- Test sibling endpoints, nested endpoints, and alternate HTTP verbs on the same routes.
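The core loop as a differential replay harness, added here as an example and not code from the original page. The target is a constructed in-memory order API with two deliberate gaps taken from this page's own checklist (a nested child route with no owner check, and an alternate verb that skips the check), so the harness has something to flag; every route, token and record is a placeholder.

```python
# Added example (not code from the original page): the two-account core loop
# as a differential replay harness. The target is a constructed in-memory
# order API with deliberate gaps so the harness has something to flag; every
# route, token and record below is a placeholder.
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# An API is modelled as: (method, path, bearer token, JSON body) -> (status, body)
Api = Callable[[str, str, str, Optional[dict]], Tuple[int, dict]]


def make_toy_api() -> Api:
    """Constructed target. Two gaps on purpose, both from the page's checklist:
    the nested /items child route has no owner check (the parent route does),
    and PUT shares the route but skips the owner check GET/PATCH/DELETE enforce."""
    tokens = {"tok-A": "alice", "tok-B": "bob"}  # bearer token -> user id
    orders = {
        "101": {"owner": "alice", "total": 42, "items": [{"sku": "X1", "qty": 2}]},
        "202": {"owner": "bob", "total": 7, "items": [{"sku": "Y9", "qty": 1}]},
    }

    def api(method: str, path: str, token: str, body: Optional[dict]) -> Tuple[int, dict]:
        user = tokens.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        m = re.fullmatch(r"/orders/(\d+)(/items)?", path)
        if not m:
            return 404, {"error": "no such route"}
        oid, order = m.group(1), orders.get(m.group(1))
        if order is None:
            return 404, {"error": "no such order"}
        if m.group(2):  # child resource: parent check present, child check missing
            return (200, {"items": order["items"]}) if method == "GET" else (405, {})
        if method == "PUT":  # alternate verb on the same route, weaker authz
            order.update(body or {})
            return 200, order
        if order["owner"] != user:  # the check the other verbs do have
            return 403, {"error": "forbidden"}
        if method == "PATCH":
            order["total"] = (body or {}).get("total", order["total"])
        elif method == "DELETE":
            orders.pop(oid)
            return 204, {}
        return 200, order

    return api


@dataclass
class Step:
    """One request captured from Account A's flow."""
    method: str
    path: str
    body: Optional[dict] = None


def bola_findings(api: Api, flow: List[Step], token_b: str,
                  verbs=("GET", "PUT", "PATCH", "DELETE")) -> List[Tuple[str, str, int]]:
    """Replay Account A's captured flow with Account B's token, then every
    alternate verb on each captured path. A 2xx for B on A's objects is a
    finding (method, path, status); each (method, path) pair is sent once."""
    variants = list(flow) + [Step(v, s.path, s.body) for s in flow for v in verbs if v != s.method]
    seen, findings = set(), []
    for s in variants:
        if (s.method, s.path) in seen:
            continue
        seen.add((s.method, s.path))
        status, _ = api(s.method, s.path, token_b, s.body)
        if 200 <= status < 300:
            findings.append((s.method, s.path, status))
    return findings


# Account A's captured read/update flow against its own order 101 (constructed).
FLOW_A = [
    Step("GET", "/orders/101"),
    Step("GET", "/orders/101/items"),
    Step("PATCH", "/orders/101", {"total": 43}),
]

if __name__ == "__main__":
    for finding in bola_findings(make_toy_api(), FLOW_A, "tok-B"):
        print("BOLA candidate:", *finding)
```

Against the toy target the harness reports `GET /orders/101/items` and `PUT /orders/101` as Account B successes on Account A's order, while the parent `GET`, `PATCH` and `DELETE` are correctly refused. The sibling-endpoint check from the loop is the same call with the roles reversed (Account B's captured flow replayed with Account A's token). Against a live API, replace `make_toy_api()` with a function that sends the request and returns the status and decoded body; the alternate-verb variants are mutating, so run them against disposable test objects.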
2. TEST SURFACES
| Surface | Example (illustrative) |
|---|---|
| object read | `GET /orders/{id}` replayed with Account B's token, or with Account B's `id` as Account A |
| nested object | `GET /orders/{id}/items`: the parent route checks ownership, the child route may not |
| admin or internal function | `POST /admin/users/{id}/disable` sent with a non-admin token (BFLA) |
| update path | `PUT` or `PATCH /orders/{id}` when only `GET` on that route enforces the owner check |
| hidden JSON fields | `{"role":"admin"}` added to a profile update, then read back to see whether it was stored (mass assignment) |
3. QUICK PAYLOADS
```json
{"role":"admin"}
{"isAdmin":true}
{"org":"target-company"}
{"verified":true}
```
4. WHAT TESTERS MISS
- object IDs in headers, cookies, GraphQL args, and nested objects
- alternate methods sharing the same route but weaker authz
- parent check present, child resource check missing
- admin docs revealing extra writable fields
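The first bullet above (IDs carried outside the path) as an added example, not code from the original page: a scanner that lists every place a captured request carries a candidate object ID, so the replay step swaps each one rather than only the path segment. The captured request is constructed; header, cookie and field names are placeholders.

```python
# Added example (not code from the original page): list every place a captured
# request carries a candidate object ID, so the replay step can swap each one
# and not only the path segment. The captured request is constructed; header,
# cookie and field names are placeholders.
import re
from typing import Any, Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl, urlsplit

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# key names that usually carry a reference: id, user_id, order-id, userId, fileID, uuid, guid, ref
ID_KEY_RE = re.compile(r"(^|_|-)(id|uuid|guid|ref)$|Id$|ID$")


def looks_like_id(key: str, value: Any) -> bool:
    """Key-name or value-shape heuristic: *_id style keys, integers, UUIDs."""
    if isinstance(value, (dict, list, bool)) or value is None:
        return False
    if ID_KEY_RE.search(key):
        return True
    s = str(value)
    return s.isdigit() or bool(UUID_RE.match(s))


def walk(obj: Any, path: str = "$", key: str = "") -> Iterator[Tuple[str, str, Any]]:
    """Yield (json_path, key, value) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}", k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, obj


def id_candidates(req: Dict[str, Any]) -> List[Tuple[str, str, Any]]:
    """Return (carrier, location, value) for each candidate object ID in the
    URL path, query string, headers, cookies and nested JSON body. GraphQL
    variables need no special case: they are a nested body under 'variables'."""
    out: List[Tuple[str, str, Any]] = []
    url = urlsplit(req["url"])
    for seg in url.path.split("/"):
        if seg and looks_like_id("", seg):
            out.append(("path", seg, seg))
    for k, v in parse_qsl(url.query):
        if looks_like_id(k, v):
            out.append(("query", k, v))
    for k, v in req.get("headers", {}).items():
        if looks_like_id(k, v):
            out.append(("header", k, v))
    for k, v in req.get("cookies", {}).items():
        if looks_like_id(k, v):
            out.append(("cookie", k, v))
    for path, key, v in walk(req.get("json", {})):
        if looks_like_id(key, v):
            out.append(("body", path, v))
    return out


# Constructed capture of a GraphQL mutation that also carries IDs in the
# path, the query string, a tenant header and a cart cookie.
CAPTURED = {
    "method": "POST",
    "url": "https://api.example.test/v1/orders/101/notes?account=55",
    "headers": {"Authorization": "Bearer tok-A", "X-Tenant-Id": "tenant-a"},
    "cookies": {"session": "opaque", "cart_id": "0b5a5c1e-2f3d-4a6b-8c9d-0e1f2a3b4c5d"},
    "json": {
        "query": "mutation($noteId: ID!, $attach: [Attach!]) { addNote(id: $noteId, attach: $attach) { ok } }",
        "variables": {"noteId": 77, "attach": [{"fileId": "3fa85f64-5717-4562-b3fc-2c963f66afa6"}]},
    },
}

if __name__ == "__main__":
    for carrier, where, value in id_candidates(CAPTURED):
        print(f"{carrier:7} {where:32} {value}")
```

The heuristic is deliberately loose (every integer and UUID-shaped value is a candidate, and so is every key ending in `id`), because the cost of a false positive is one extra replay while a missed carrier is a missed BOLA. Each listed location becomes a swap target for the two-account replay, including the tenant header and the cart cookie, which a path-only approach never touches.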
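The QUICK PAYLOADS probes and the last bullet above (extra writable fields) as an added example, not code from the original page: a constructed profile-update handler is shown first with the flaw these probes target (request JSON copied straight onto the stored record) and then with an allow-list, and a probe routine reports which hidden fields were actually stored. Field names, roles and the record are placeholders.

```python
# Added example (not code from the original page): the QUICK PAYLOADS probes
# run against a constructed profile-update handler, first with the flaw the
# page targets (request JSON copied straight onto the stored record) and then
# with an allow-list. Field names, roles and the record are placeholders.
from typing import Callable, Dict, List


def fresh_profile() -> Dict:
    """Constructed stored record for the caller. role, isAdmin, org and
    verified are server-controlled and must never be client-writable."""
    return {"id": 7, "email": "a@example.test", "display_name": "A",
            "role": "user", "isAdmin": False, "org": "tenant-a", "verified": False}


CLIENT_WRITABLE = {"email", "display_name"}  # the only keys a user may set


def update_profile_vulnerable(profile: Dict, body: Dict) -> Dict:
    """Mass assignment: every key in the request body lands on the record."""
    profile.update(body)
    return profile


def update_profile_hardened(profile: Dict, body: Dict) -> Dict:
    """Allow-list the writable keys and reject unknown ones with an error
    rather than dropping them silently, so a probe gets a visible 4xx."""
    unknown = set(body) - CLIENT_WRITABLE
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    for key in CLIENT_WRITABLE & set(body):
        profile[key] = body[key]
    return profile


# The page's quick payloads; extra writable fields harvested from admin docs
# or the OpenAPI schema go on this list too.
PROBES: List[Dict] = [{"role": "admin"}, {"isAdmin": True},
                      {"org": "target-company"}, {"verified": True}]


def probe_hidden_fields(update: Callable[[Dict, Dict], Dict],
                        probes: List[Dict] = PROBES) -> List[str]:
    """Send each probe as its own update against a fresh record, then read the
    record back and report the hidden fields whose stored value now equals
    what we sent. Against a live API the read-back is a GET on the object."""
    stuck: List[str] = []
    for payload in probes:
        record = fresh_profile()
        try:
            update(record, dict(payload))
        except ValueError:
            continue  # rejected: nothing to read back
        stuck.extend(k for k, v in payload.items() if record.get(k) == v)
    return stuck


if __name__ == "__main__":
    print("vulnerable:", probe_hidden_fields(update_profile_vulnerable))
    print("hardened:  ", probe_hidden_fields(update_profile_hardened))
```

Two practical points the probe encodes: each payload is sent on its own, so one rejected key cannot mask another that would have been accepted, and the verdict comes from reading the object back rather than from the update response, since a 200 with the field silently dropped is not a finding. Probe values must differ from the record's current values, otherwise the read-back cannot tell a stored write from a no-op. Whether the hardened handler rejects unknown keys (as here) or drops them silently is a design choice; rejecting makes the allow-list visible to the tester and to anyone who mistypes a field.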
5. NEXT ROUTING
- For JWT or token-layer abuse: api auth and jwt abuse
- For GraphQL and hidden parameter discovery: graphql and hidden parameters
- For broader IDOR patterns outside APIs: idor broken object authorization