Testing how-tos
How to Test for IDOR (Broken Object Level Authorization)
IDOR - known as Broken Object Level Authorization (BOLA) in API contexts - is among the most common and impactful access-control flaws. This guide walks through a reliable, safe methodology for testing every object-referencing endpoint using two accounts and confirming whether the server enforces per-object authorization.
Steps
- 1
Map every object reference
Enumerate endpoints that reference objects by ID, filename, key, or slug in the URL, body, headers, or query string. These are your candidate IDOR points.
- 2
Create two separate accounts
Provision two low-privilege accounts (User A and User B) in different tenants where possible. You will use one to create objects and the other to attempt access.
- 3
Capture a legitimate request
As User A, perform a normal action against one of A's own objects and capture the exact request, including the object identifier.
- 4
Replay with the other identity
Replay A's request using User B's session/token, keeping A's object identifier. If B receives A's data or can modify it, object-level authorization is missing.
- 5
Test all methods and variants
Repeat for GET, POST, PUT, PATCH, and DELETE, and for nested and indirect references. Access control often varies by method.
- 6
Confirm impact safely
Demonstrate the issue with a reproducible, non-destructive proof - reading a record you shouldn't, not deleting one. Document the request/response pair.
Key takeaways
- IDOR is a missing per-object authorization check, not a guessable-ID problem.
- Two accounts across tenants are the fastest way to prove it.
- Test every HTTP method - controls often differ by verb.
FAQ
Can IDOR be found by automated tools?
Partially. Tools can flag candidate endpoints, but confirming IDOR requires understanding object ownership across accounts. Autonomous testing that reasons about auth roles and replays cross-account requests is far more reliable than signature scanning.
Related
Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.
Join the waitlist