IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Guides
  3. How to Test for IDOR (Broken Object Level Authorization)

Testing how-tos

How to Test for IDOR (Broken Object Level Authorization)

IDOR - known as Broken Object Level Authorization (BOLA) in API contexts - is among the most common and impactful access-control flaws. This guide walks through a reliable, safe methodology for testing every object-referencing endpoint using two accounts and confirming whether the server enforces per-object authorization.

Steps

  1. 1

    Map every object reference

    Enumerate endpoints that reference objects by ID, filename, key, or slug in the URL, body, headers, or query string. These are your candidate IDOR points.

  2. 2

    Create two separate accounts

    Provision two low-privilege accounts (User A and User B) in different tenants where possible. You will use one to create objects and the other to attempt access.

  3. 3

    Capture a legitimate request

    As User A, perform a normal action against one of A's own objects and capture the exact request, including the object identifier.

  4. 4

    Replay with the other identity

    Replay A's request using User B's session/token, keeping A's object identifier. If B receives A's data or can modify it, object-level authorization is missing.

  5. 5

    Test all methods and variants

    Repeat for GET, POST, PUT, PATCH, and DELETE, and for nested and indirect references. Access control often varies by method.

  6. 6

    Confirm impact safely

    Demonstrate the issue with a reproducible, non-destructive proof - reading a record you shouldn't, not deleting one. Document the request/response pair.

Key takeaways

  • IDOR is a missing per-object authorization check, not a guessable-ID problem.
  • Two accounts across tenants are the fastest way to prove it.
  • Test every HTTP method - controls often differ by verb.

FAQ

Can IDOR be found by automated tools?

Partially. Tools can flag candidate endpoints, but confirming IDOR requires understanding object ownership across accounts. Autonomous testing that reasons about auth roles and replays cross-account requests is far more reliable than signature scanning.

Related

IDOR / BOLA explainedBroken Access ControlWhat is BOLA?

Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.

Join the waitlist
← All guides
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub