SKILL: API Authorization and BOLA — Object Access, Function Access, and Mass Assignment

AI LOAD INSTRUCTION: Use this skill when an API exposes object IDs, nested resources, or role-sensitive functions and you need a focused authorization test path: BOLA, BFLA, method abuse, and hidden field control.

1. CORE TEST LOOP

• Create Account A and Account B.

• As Account A, capture create, read, update, and delete flows.

• Replay with Account B's token.

• Test sibling endpoints, nested endpoints, and alternate HTTP verbs.

2. TEST SURFACES

Surface

Example

object read

/api/v1/orders/123

nested object

/api/v1/users/1/invoices/9

admin or internal function

/api/v1/admin/users

update path

PUT, PATCH, DELETE variants

hidden JSON fields

role, org, verified, tier

3. QUICK PAYLOADS

{"role":"admin"}

{"isAdmin":true}

{"org":"target-company"}

{"verified":true}

4. WHAT TESTERS MISS

• object IDs in headers, cookies, GraphQL args, and nested objects

• alternate methods sharing the same route but weaker authz

• parent check present, child resource check missing

• admin docs revealing extra writable fields

5. NEXT ROUTING

• For JWT or token-layer abuse: api auth and jwt abuse

• For GraphQL and hidden parameter discovery: graphql and hidden parameters

• For broader IDOR patterns outside APIs: idor broken object authorization