PluginBench
Skill
Review
Audit score 70

api-authorization-and-bola

yaklang/hack-skills

How to install api-authorization-and-bola

npx skills add https://github.com/yaklang/hack-skills --skill api-authorization-and-bola
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from yaklang/hack-skills.


name: api-authorization-and-bola description: >- API authorization and BOLA testing playbook. Use when APIs expose object identifiers, nested resources, hidden writable fields, or weak function-level authorization.

SKILL: API Authorization and BOLA — Object Access, Function Access, and Mass Assignment

AI LOAD INSTRUCTION: Use this skill when an API exposes object IDs, nested resources, or role-sensitive functions and you need a focused authorization test path: BOLA, BFLA, method abuse, and hidden field control.

1. CORE TEST LOOP

  1. Create Account A and Account B.
  2. As Account A, capture create, read, update, and delete flows.
  3. Replay with Account B's token.
  4. Test sibling endpoints, nested endpoints, and alternate HTTP verbs.

2. TEST SURFACES

SurfaceExample
object read/api/v1/orders/123
nested object/api/v1/users/1/invoices/9
admin or internal function/api/v1/admin/users
update pathPUT, PATCH, DELETE variants
hidden JSON fieldsrole, org, verified, tier

3. QUICK PAYLOADS

{"role":"admin"}
{"isAdmin":true}
{"org":"target-company"}
{"verified":true}

4. WHAT TESTERS MISS

  • object IDs in headers, cookies, GraphQL args, and nested objects
  • alternate methods sharing the same route but weaker authz
  • parent check present, child resource check missing
  • admin docs revealing extra writable fields

5. NEXT ROUTING