
Api Authorization And Bola
Run a focused API authorization playbook covering BOLA, BFLA, method abuse, and mass assignment before you ship object-heavy endpoints.
Overview
API Authorization and BOLA is an agent skill for the Ship phase that walks testers through object-level, function-level, and mass-assignment API authorization checks.
Install
npx skills add https://github.com/yaklang/hack-skills --skill api-authorization-and-bola
What is this skill?
- 4-step core test loop with Account A/B replay across CRUD flows
- Surfaces table: object read, nested resources, admin functions, verb variants, hidden JSON fields
- Quick mass-assignment payloads for role, isAdmin, org, and verified toggles
- Calls out missed vectors: headers, cookies, GraphQL args, and parent-only authz checks
- Routes to companion API auth skills for JWT and token-layer abuse
- 4-step core authorization test loop
- 5 authorization test surfaces in the playbook table
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your API returns 200 for the happy path but you have not proven another user cannot read or mutate someone else’s objects via ID tampering or hidden fields.
Who is it for?
Builders shipping multi-tenant or object-ID-driven APIs who can stand up two test accounts and capture traffic.
Skip if: Static marketing sites with no authenticated API surface, or teams without permission to run authorized security testing in their environment.
When should I use this skill?
APIs expose object identifiers, nested resources, hidden writable fields, or weak function-level authorization.
What do I get? / Deliverables
You finish with a repeatable A/B authorization replay plan and prioritized retests on nested routes, admin functions, and mass-assignment bodies.
- Account A/B replay checklist
- Nested and admin endpoint retest list
- Mass-assignment payload trials documented
How it compares
Focused authorization playbook, not a full OWASP scan suite or infrastructure pentest.
Common Questions / FAQ
Who is api-authorization-and-bola for?
Indie backend owners and agent-assisted QA who need BOLA/BFLA coverage on object identifiers, nested resources, and privileged routes.
When should I use api-authorization-and-bola?
In Ship security before release whenever endpoints expose numeric or UUID object IDs, nested collections, or admin-only functions.
Is api-authorization-and-bola safe to install?
The skill describes offensive testing you must run only on systems you own or are authorized to test; review the Security Audits panel on this Prism page before install.
SKILL.md
# SKILL: API Authorization and BOLA — Object Access, Function Access, and Mass Assignment

> **AI LOAD INSTRUCTION**: Use this skill when an API exposes object IDs, nested resources, or role-sensitive functions and you need a focused authorization test path: BOLA, BFLA, method abuse, and hidden field control.

## 1. CORE TEST LOOP

1. Create Account A and Account B.
2. As Account A, capture create, read, update, and delete flows.
3. Replay with Account B's token.
4. Test sibling endpoints, nested endpoints, and alternate HTTP verbs.

## 2. TEST SURFACES

| Surface | Example |
|---|---|
| object read | `/api/v1/orders/123` |
| nested object | `/api/v1/users/1/invoices/9` |
| admin or internal function | `/api/v1/admin/users` |
| update path | `PUT`, `PATCH`, `DELETE` variants |
| hidden JSON fields | `role`, `org`, `verified`, `tier` |

## 3. QUICK PAYLOADS

```json
{"role":"admin"}
{"isAdmin":true}
{"org":"target-company"}
{"verified":true}
```

## 4. WHAT TESTERS MISS

- object IDs in headers, cookies, GraphQL args, and nested objects
- alternate methods sharing the same route but weaker authz
- parent check present, child resource check missing
- admin docs revealing extra writable fields

## 5. NEXT ROUTING

- For JWT or token-layer abuse: [api auth and jwt abuse](../api-auth-and-jwt-abuse/SKILL.md)
- For GraphQL and hidden parameter discovery: [graphql and hidden parameters](../graphql-and-hidden-parameters/SKILL.md)
- For broader IDOR patterns outside APIs: [idor broken object authorization](../idor-broken-object-authorization/SKILL.md)
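An added example, not part of this skill or the hack-skills repository: a small in-memory stand-in for an orders/users API whose object-owner check and update-field allowlist can be switched off, so the Account A/B replay from section 1 and the section 3 payloads can be run offline against both the vulnerable and the hardened form. Token names, routes, field names and sample data are constructed for the demo.

```python
import copy

TOKENS = {"tok-a": "alice", "tok-b": "bob"}   # constructed test accounts (A and B)
SAFE_FIELDS = {"note"}                         # the only profile field a user may set
PROBES = ({"role": "admin"}, {"isAdmin": True}, {"org": "target-company"}, {"verified": True})
FLOW = [("GET", "/orders/123", None), ("PATCH", "/users/alice", {"note": "hi"})]

def fresh_state():
    # constructed sample data: one order owned by Account A, two plain user profiles
    return {"orders": {123: {"owner": "alice", "total": 40}},
            "users": {"alice": {"role": "user", "note": ""},
                      "bob": {"role": "user", "note": ""}}}

def make_api(state, check_owner, allowlist):
    """Return request(token, method, path, body) -> (status, body). check_owner=False
    reproduces BOLA on read and update; allowlist=False reproduces mass assignment."""
    def request(token, method, path, body=None):
        user = TOKENS.get(token)
        if user is None:
            return 401, None
        parts = path.strip("/").split("/")
        if method == "GET" and parts[0] == "orders" and len(parts) == 2:
            order = state["orders"].get(int(parts[1]))
            if order is None or (check_owner and order["owner"] != user):
                return 404, None   # hardened: a foreign object looks exactly like a missing one
            return 200, order
        if method == "PATCH" and parts[0] == "users" and len(parts) == 2:
            target, body = parts[1], body or {}
            if check_owner and target != user:
                return 403, None   # object-level check on the update path, not only on reads
            if allowlist and set(body) - SAFE_FIELDS:
                return 400, None   # reject hidden/privileged fields instead of silently applying them
            state["users"][target].update(body)
            return 200, state["users"][target]
        return 404, None
    return request

def ab_replay(request, flow):
    """Steps 2-3 of the core loop: run each captured request as A, replay as B.
    Returns the (method, path) pairs where B also got a 2xx, i.e. authz is missing."""
    return [(m, p) for m, p, b in flow
            if request("tok-a", m, p, b)[0] < 300 and request("tok-b", m, p, b)[0] < 300]

def mass_assignment_probe(request, state):
    """Section 3 payloads against B's own profile; returns the fields that actually changed."""
    before = copy.deepcopy(state["users"]["bob"])
    for payload in PROBES:
        request("tok-b", "PATCH", "/users/bob", payload)
    after = state["users"]["bob"]
    return sorted(k for k in after if k not in before or after[k] != before[k])
```

Against a real service the same two functions would wrap an HTTP client; the pass condition stays the same: B never receives a 2xx for A's objects, and no probe field survives into the stored profile.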