Skip to main content

Configure API authorization for access control testing

To effectively test for access control vulnerabilities like BOLA, IDOR, and BFLA, you need to configure multiple sets of API authorization credentials in Invicti Platform. This enables multi-session scanning that can detect both horizontal and vertical access control issues.

This document provides step-by-step instructions for setting up authorization credentials and best practices for comprehensive access control testing.

Prerequisites

Before configuring API authorization, ensure you have:

  • APIs added to your API catalog
  • Test user accounts created in your application with appropriate privilege levels
  • Access to the authentication credentials for these test accounts

Supported authorization methods

Invicti Platform supports multiple authorization methods for API access control testing. When configuring credentials for your API scans, you can choose from the following authentication types:

API key authentication

Provide the key-value pair required by your API. This method is commonly used for APIs that require an API key in headers or query parameters.

Example configuration:

  • Key: X-API-Key
  • Value: abc123def456ghi789

Basic authentication

Provide a username and password combination that gets encoded in Base64 and sent in the Authorization header.

Example configuration:

  • Username: testuser@company.com
  • Password: SecurePassword123

Bearer token authentication

Provide a bearer token (such as JWT tokens) that gets sent in the Authorization header with the "Bearer" prefix.

Example configuration:

  • Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

OAuth 2.0 support

For APIs using OAuth 2.0 flows, you can provide the resulting access tokens as bearer tokens after completing the OAuth flow outside of Invicti.

Choosing the right method

Select the authorization method that matches your API's authentication requirements. If your API supports multiple methods, choose the one that provides the most comprehensive access to test endpoints.

Credential configuration for comprehensive testing

To test for both horizontal and vertical access control issues, configure your API scan with three sets of credentials:

  • User A (low privilege) - Regular user account
  • User B (low privilege) - Another regular user account at the same privilege level
  • Admin A (high privilege) - Administrative or privileged user account

With this configuration, Invicti:

  • Uses User A and User B credentials to test for horizontal access control issues
  • Uses User A and Admin A credentials to test for vertical access control issues

Step-by-step configuration process

Follow these steps to configure multiple authorization credentials for access control testing:

  1. Navigate to the API catalog

    • Select Inventory > API catalog from the left-side menu
    • Locate your target API in the list

  2. Add authorization credentials

    • Click the three-dot menu (⋮) next to your API
    • Select Add authorization from the dropdown menu

  3. Configure user credentials In the authorization dialog that opens:

    • Name: Enter a descriptive label - for example "Regular user A," "Regular user B," "Admin user."
    • Authorization type: Choose the appropriate method for your API
    • Credentials: Enter the authentication details for each user

  4. Set up multiple users

    • Add at least two users with the same privilege level (for horizontal testing)
    • Add one user with elevated privileges (for vertical testing)
    • Only one user can be set as the default

  5. Save and verify

    • Click Save credentials to complete the setup
    • Verify that a key icon appears next to your API in the catalog

User account requirements

When creating test accounts for access control testing, ensure:

For regular users (User A and User B):

  • Both accounts have identical permission levels
  • Each user has access to their own data/resources
  • Users can't access each other's data in a properly secured system
  • Both users can perform the same operations (read, write, delete) on their own resources

For admin user (Admin A):

  • Has elevated privileges compared to regular users
  • Can access administrative functions or privileged data
  • May have permissions to view/modify other users' data
  • Can perform operations that regular users can't

Example user setup for an e-commerce API:

Alternative configuration

If providing three sets of credentials isn't feasible, you can use two sets of credentials (one low-privilege user and one admin). However, this approach requires running two separate scans:

  • One scan to test for horizontal access control issues (using two low-privilege accounts)
  • Another scan to test for vertical access control issues (using one low-privilege and one high-privilege account)

Best practices for credential setup

To ensure effective access control testing with Invicti Platform, follow these best practices:

Account setup best practices

  • Use realistic test data: Configure test accounts with realistic user data to better simulate real-world scenarios
  • Maintain credential separation: Ensure test accounts are completely separate and don't share any identifiers or tokens
  • Test account isolation: Verify that your test accounts truly have the intended privilege levels before running scans
  • Regular credential rotation: Update test credentials regularly to ensure they remain valid throughout testing

Testing coverage recommendations

  • Test all user roles: Include credentials for every user role type in your application (customer, employee, manager, admin, etc.)
  • Cover different data types: Ensure test users have access to different types of sensitive data (personal info, financial data, system configs)
  • Include edge cases: Test boundary conditions such as newly created accounts or accounts with mixed permissions

Scan configuration tips

  • Run separate scans when needed: If providing three credential sets isn't feasible, run dedicated horizontal and vertical access control scans
  • Monitor scan coverage: Review scan results to ensure all critical endpoints were tested with multiple user sessions
  • Schedule regular testing: Run access control scans regularly, especially after application updates or user role changes

Validating your setup

Before running production scans, validate that your access control testing configuration is working correctly:

Pre-scan validation checklist

  • Test credentials manually: Verify each set of credentials works by making manual API calls
  • Confirm privilege separation: Ensure regular users cannot access admin resources manually
  • Verify cross-user restrictions: Confirm that User A cannot access User B's data through normal application usage
  • Test endpoint coverage: Ensure your API has endpoints that would be vulnerable to access control issues (endpoints with object IDs, user-specific data, admin functions)

Minimum testing requirements

For effective access control vulnerability detection, ensure your setup meets these minimum requirements:

Essential components:

  • At least 2 user accounts (preferably 3 for comprehensive testing)
  • User accounts with different privilege levels (regular users + admin)
  • APIs with user-specific data and identifiable object references
  • Test data associated with each user account

Recommended components:

  • Multiple data types per user (profile, orders, documents, etc.)
  • Admin-only endpoints and functions
  • APIs that modify or delete data
  • Mix of resource types (individual records, collections, system settings)

Testing effectiveness indicators

A successful access control testing setup should result in:

  • Scan logs showing multiple authenticated sessions
  • Detection of endpoints with object identifiers (IDs, GUIDs, usernames)
  • Coverage of both read and write operations
  • Testing of both horizontal and vertical access scenarios
Validation tip

After running your first access control scan, review the scan logs to confirm that Invicti successfully authenticated as multiple users and tested cross-session access to various endpoints. If you see limited cross-session testing, review your credential configuration and endpoint coverage.

Next steps

Once you've configured your API authorization credentials, you're ready to:

  1. Run access control scans: Learn how to scan and troubleshoot API access control issues
  2. Understand the vulnerabilities: Review understanding API access control vulnerabilities
  3. See the complete guide: Visit the API access control testing overview

Need help?

Invicti Support team is ready to provide you with technical help. Go to Help Center

Last updated on
Was this page useful?