Skip to content

pipicodes/api-idor-authorization-lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
screenshots
screenshots
 
 
.DS_Store
.DS_Store
 
 
README.md
README.md
 
 
attack_demo.md
attack_demo.md
 
 
secure_api.py
secure_api.py
 
 
vulnerable_api.py
vulnerable_api.py
 
 

Repository files navigation

API IDOR Authorization Lab

This project demonstrates a Broken Object Level Authorization (BOLA/IDOR) vulnerability and how proper authorization checks prevent unauthorized access to API resources.

Project Scope

This lab includes:

  • a vulnerable API
  • a secure API
  • IDOR/BOLA attack demonstration
  • screenshots of the vulnerable and remediated behavior

Files

  • vulnerable_api.py — vulnerable implementation
  • secure_api.py — remediated implementation
  • attack_demo.md — attack summary and mitigation notes
  • screenshots/ — screenshots of test results

Vulnerability Demonstrated

Broken Object Level Authorization (BOLA / IDOR)

The vulnerable API allows access to any order by changing the object ID in the URL, without validating ownership.

How to Run

Vulnerable version

python3 -m uvicorn vulnerable_api:app --reload

Secure version

python3 -m uvicorn secure_api:app --reload --port 8001

Security Test Results

Vulnerable API – Unauthorized access via IDOR

IDOR Attack

Secure API – Attack blocked

Secure Validation

About

API security lab demonstrating Broken Object Level Authorization (IDOR/BOLA) and proper authorization enforcement.

Topics

python owasp authorization pentesting appsec security-testing api-security idor fastapi bola

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages