SKILL: API Authorization and BOLA — Object Access, Function Access, and Mass Assignment
AI LOAD INSTRUCTION
Use this skill when an API exposes object IDs, nested resources, or role-sensitive functions and you need a focused authorization test path: BOLA, BFLA, method abuse, and hidden field control.
1. CORE TEST LOOP
Create Account A and Account B.
As Account A, capture create, read, update, and delete flows.
Replay with Account B's token.
Test sibling endpoints, nested endpoints, and alternate HTTP verbs.
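The loop above, automated as a differential authorization regression test. This is an added example, not code from the original skill page: the target is an in-memory stand-in API constructed here (fake_api, TOKENS and ORDERS are assumptions), with one deliberate weakness so the loop has something to find. Swap fake_api for a real HTTP client to run it against a live API.

```python
# Added example (not from the original skill page): the core loop above as a
# differential authorization regression test. The target is an in-memory
# stand-in API constructed here, with one deliberate weakness to find:
# PATCH on /api/v1/orders/{id} skips the ownership check that GET performs.
# Replace fake_api with a real HTTP client to run it against a live system.
from dataclasses import dataclass, field

# Constructed sample data: bearer tokens for the two test accounts and the
# objects each one owns.
TOKENS = {"tok-A": "userA", "tok-B": "userB"}
ORDERS = {
    "123": {"owner": "userA", "status": "open"},
    "456": {"owner": "userB", "status": "open"},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def fake_api(method, path, token, body=None):
    """Stand-in for the target API: GET checks ownership, PATCH does not."""
    user = TOKENS.get(token)
    if user is None:
        return Response(401)
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[:3] != ["api", "v1", "orders"]:
        return Response(404)
    order = ORDERS.get(parts[3])
    if order is None:
        return Response(404)
    if method == "GET":
        if order["owner"] != user:
            return Response(403)
        return Response(200, dict(order))
    if method == "PATCH":
        # Deliberate flaw for the example: same route, weaker authz on the
        # update verb (the pattern listed under "what testers miss").
        order.update(body or {})
        return Response(200, dict(order))
    return Response(405)


def expand_verbs(captured, verbs=("PUT", "PATCH", "DELETE")):
    """Step 4 of the loop: try the update verbs on every captured path."""
    expanded = list(captured)
    seen = {(m, p) for m, p, _ in captured}
    for _, path, _ in captured:
        for verb in verbs:
            if (verb, path) not in seen:
                expanded.append((verb, path, {}))
                seen.add((verb, path))
    return expanded


def differential_check(send, captured, token_b):
    """Step 3: replay requests captured as Account A with Account B's token.
    Any 2xx is a BOLA candidate, since B should not reach A's objects."""
    findings = []
    for method, path, body in captured:
        resp = send(method, path, token_b, body)
        if 200 <= resp.status < 300:
            findings.append((method, path, resp.status))
    return findings


# Requests recorded while acting as Account A (step 2), constructed here.
CAPTURED_AS_A = [("GET", "/api/v1/orders/123", None)]


def run_example():
    return differential_check(fake_api, expand_verbs(CAPTURED_AS_A), "tok-B")


if __name__ == "__main__":
    for method, path, status in run_example():
        print(f"BOLA candidate: {method} {path} -> {status} with Account B token")
```

The check flags any 2xx returned to Account B for a request recorded as Account A; 403, 404 and 405 are the expected outcomes. Keeping the recorded requests as data means the same file doubles as a regression test once the ownership check is added to the update verb.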
2. TEST SURFACES
Surface                       Example
object read                   /api/v1/orders/123
nested object                 /api/v1/users/1/invoices/9
admin or internal function    /api/v1/admin/users
update path                   PUT, PATCH, DELETE variants
hidden JSON fields            role, org, verified, tier
3. QUICK PAYLOADS
{"role": "admin"}
{"isAdmin": true}
{"org": "target-company"}
{"verified": true}
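The payloads above run through two handler variants, as an added example rather than code from the original page: one that copies the request body straight into the stored record and one that accepts only an explicit allowlist of writable fields. WRITABLE_BY_USER and the profile record are assumptions made for the example.

```python
# Added example (not from the original skill page): the quick payloads above
# run through a handler that mass-assigns the request body versus one that
# accepts only an explicit allowlist. Field names and the profile record are
# constructed for the example.
import copy

# Assumed set of fields an ordinary user may change on their own profile.
WRITABLE_BY_USER = frozenset({"display_name", "email"})

# The four quick payloads from the section above, plus one legitimate edit.
PAYLOADS = [
    {"role": "admin"},
    {"isAdmin": True},
    {"org": "target-company"},
    {"verified": True},
    {"display_name": "Alice"},
]


class RejectedFields(ValueError):
    """Raised by the hardened handler when the body names a non-writable field."""


def update_profile_vulnerable(user, payload):
    """Copies every key from the body into the record: role, isAdmin, org and
    verified all land in storage because nothing filters them."""
    updated = copy.deepcopy(user)
    updated.update(payload)
    return updated


def update_profile_hardened(user, payload):
    """Rejects the whole request if any key is outside the allowlist. Failing
    loudly (rather than silently dropping keys) gives the server a clear
    event to log and alert on."""
    unexpected = set(payload) - WRITABLE_BY_USER
    if unexpected:
        raise RejectedFields(sorted(unexpected))
    updated = copy.deepcopy(user)
    updated.update(payload)
    return updated


def compare(payloads=PAYLOADS):
    """Run each payload through both handlers and report what changed."""
    base = {"id": 7, "display_name": "alice", "email": "a@example.com",
            "role": "user", "verified": False}
    results = []
    for p in payloads:
        vuln = update_profile_vulnerable(base, p)
        try:
            update_profile_hardened(base, p)
            outcome = "accepted"
        except RejectedFields as e:
            outcome = f"rejected {e.args[0]}"
        results.append({
            "payload": p,
            "vulnerable_changed": {k: v for k, v in vuln.items() if base.get(k) != v},
            "hardened": outcome,
        })
    return results


if __name__ == "__main__":
    for r in compare():
        print(r)
```

An allowlist is the control to look for when reviewing the fix: a denylist of known-dangerous names (role, isAdmin) misses the next hidden field the admin docs reveal, while an allowlist only grows when a product decision adds a user-editable field.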
4. WHAT TESTERS MISS
object IDs in headers, cookies, GraphQL args, and nested objects
alternate methods sharing the same route but weaker authz
parent check present, child resource check missing
admin docs revealing extra writable fields
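The "parent check present, child resource check missing" item, shown as an added example rather than code from the original page: a nested /api/v1/users/{user_id}/invoices/{invoice_id} lookup that verifies the caller owns the parent but fetches the child by id alone, beside the fixed version that binds the child to the parent. Data, handler names and exception types are constructed for the example.

```python
# Added example (not from the original skill page): nested resource check
# where parent ownership is verified but the child lookup is not scoped to
# that parent, so any invoice id is reachable under a user the caller owns.
# Constructed data and handler names.

INVOICES = {  # invoice id -> record; constructed sample data
    "9": {"user_id": "1", "total": 120},
    "42": {"user_id": "2", "total": 999},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_invoice_vulnerable(caller_id, user_id, invoice_id):
    """GET /api/v1/users/{user_id}/invoices/{invoice_id}: only the parent
    segment is checked; the child is fetched by its id alone."""
    if caller_id != user_id:
        raise Forbidden("caller does not own this user")
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound()
    return inv


def get_invoice_hardened(caller_id, user_id, invoice_id):
    """Same route with the child bound to the parent: an invoice that belongs
    to another user is treated as absent, so the response does not confirm
    that the id exists."""
    if caller_id != user_id:
        raise Forbidden("caller does not own this user")
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["user_id"] != user_id:
        raise NotFound()
    return inv


def probe(caller_id, user_id, invoice_id):
    """Call both handlers and report each outcome as a status string."""
    out = {}
    for name, fn in (("vulnerable", get_invoice_vulnerable),
                     ("hardened", get_invoice_hardened)):
        try:
            out[name] = f"200 total={fn(caller_id, user_id, invoice_id)['total']}"
        except Forbidden:
            out[name] = "403"
        except NotFound:
            out[name] = "404"
    return out


if __name__ == "__main__":
    # User 1 asks for invoice 42, which belongs to user 2.
    print(probe("1", "1", "42"))
```

In a database-backed service the same fix is a lookup keyed on both columns (user_id and invoice id) rather than a fetch by primary key followed by a comparison, so the binding cannot be skipped by a later refactor.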
5. NEXT ROUTING
For JWT or token-layer abuse:
api auth and jwt abuse
For GraphQL and hidden parameter discovery:
graphql and hidden parameters
For broader IDOR patterns outside APIs:
idor broken object authorization