Skip to content

Latest commit

 

History

History
22 lines (18 loc) · 3.36 KB

File metadata and controls

22 lines (18 loc) · 3.36 KB

8. Authorization (Deep)

12 modules.

Module Description
bopla-check Tests for Broken Object Property Level Authorization (BOPLA/OWASP API3). Sends PUT and PATCH requests with privileged fields (role, isAdmin, is_admin) and checks whether the server accepts and reflects them in the response.
bfla-check Tests for Broken Function Level Authorization (BFLA/OWASP API5). Probes admin and management endpoint paths (/admin, /api/admin, /management, /internal, /api/internal, /admin/users, /api/management) without auth headers and reports HTTP 200/201 responses. Also tests POST on accessible GET paths.
graphql-field-auth Tests GraphQL field-level authorization by sending an introspection query followed by direct queries for sensitive field names (password, secret, token, ssn, creditCard, privateKey, apiKey). Reports if sensitive fields are returned in schema or query responses without authentication.
bulk-endpoint-auth Tests bulk and batch API endpoints for missing authorization controls. Probes /api/users/bulk, /api/batch, /api/export, /api/data/export, /api/v1/bulk, /api/v2/bulk without authentication and reports 200 responses.
nested-object-auth Tests nested object authorization by appending cross-user ID combinations (/1/items/2, /2/items/1, /100/items/999) to the target URL and checking whether HTTP 200 responses with data indicate cross-user access.
file-auth-check Tests file access endpoints for missing authorization controls. Probes /api/files/1, /api/files/2, /download?file=1, /attachments/1, /download/1 without authentication and reports HTTP 200 responses with content.
search-filter-auth Tests search and filter endpoint authorization by appending privilege-escalating parameters (filter[role]=admin, role=admin, scope=all, includeDeleted=true, admin=true) to /api/search and /api/users. Reports 200 responses containing 'admin' or large datasets.
export-auth-check Tests data export endpoints for missing authorization controls. Probes /api/export, /api/reports/export, /api/data.csv, /api/dump.json, /export, /api/v1/export without authentication and reports HTTP 200 responses.
soft-delete-auth Tests whether soft-deleted records are accessible via query parameters (includeDeleted=true, showDeleted=1, archived=true, status=deleted, deleted=1). Reports HTTP 200 responses with non-trivial bodies (>50 bytes).
bac-check Probes for Broken Access Control (BAC) including IDOR via object ID manipulation, horizontal privilege escalation (accessing other users' resources), vertical privilege escalation (accessing admin/privileged endpoints), and authentication bypass on protected paths.
idor-check Detects IDOR vulnerabilities by testing 25+ REST resource endpoint patterns with sequential ID substitution (1 to 10 plus large IDs). Compares HTTP status codes and response sizes across different IDs to identify unauthorized data access. Also tests for parameter-based IDOR in existing URL query parameters. Checks object type: user, order, invoice, payment, profile, admin, account.
mass-assignment-check Probes API endpoints for mass assignment vulnerabilities by injecting privileged fields (is_admin, role, permissions, account_type) into POST/PUT/PATCH request bodies and checking for acceptance. Also tests HTTP Parameter Pollution.

Part of the NOX Module Reference guide.