Scan API access control vulnerabilities
Access control vulnerabilities pose significant security risks in APIs, allowing unauthorized users to access, modify, or delete data that should be restricted. Invicti Platform automatically detects vulnerabilities such as Insecure Direct Object Reference (IDOR), Broken Object Level Authorization (BOLA), and Broken Function Level Authorization (BFLA) during API scans.
This document explains what access control vulnerabilities are, how they differ (horizontal vs. vertical), and how Invicti Platform tests for them using multi-session scanning.
Before testing for access control vulnerabilities, ensure you have:
- APIs added to your API catalog
- Multiple sets of API authorization credentials configured (see Credential configuration section below)
- A target configured to scan your API
Understanding access control vulnerabilities
Access control vulnerabilities occur when an application fails to properly verify that a user has permission to access a resource or perform an action. These vulnerabilities fall into three main categories:
BOLA (Broken Object Level Authorization)
Broken Object Level Authorization is a security vulnerability where users can access objects they are not authorized to view, modify, or delete. This occurs when an API fails to verify that the authenticated user has permission to access the specific object being requested.
For example, if a user can view another user's profile or account details by simply changing an ID in the URL, this is a BOLA vulnerability.
IDOR (Insecure Direct Object References)
Insecure Direct Object References are a specific type of BOLA vulnerability. IDOR occurs when an application exposes a reference to an internal implementation object (such as a file, directory, database record, or key) in a way that allows attackers to manipulate these references.
The terms IDOR and BOLA are often used interchangeably; strictly speaking, IDOR issues are a subset of BOLA vulnerabilities.
BFLA (Broken Function Level Authorization)
Broken Function Level Authorization is a vulnerability where users can access application functions or API endpoints that should be restricted to higher privilege levels. This occurs when the application fails to properly enforce authorization checks on sensitive operations.
For example, if a regular user can access administrative functions or execute privileged operations without proper authorization, this is a BFLA vulnerability.
Horizontal vs. vertical access control
Access control vulnerabilities are categorized into two types based on how privilege boundaries are crossed:
Horizontal access control issues
Horizontal access control issues occur when a user can access resources or perform actions that should only be available to other users at the same privilege level.
Example: User A can view or modify data belonging to User B, even though both users have the same level of access (for example, both are regular customers).
Vertical access control issues
Vertical access control issues occur when a user can access resources or perform actions that should only be available to users at a higher privilege level.
Example: A regular user can access administrative functions or view sensitive data that should be restricted to administrators.
How Invicti tests for access control vulnerabilities
Invicti Platform uses multi-session scanning to detect both horizontal and vertical access control vulnerabilities. This approach simulates how different users with varying privilege levels interact with your API.
Credential configuration for comprehensive testing
To test for both horizontal and vertical access control issues, configure your API scan with three sets of credentials:
- User A (low privilege)
- User B (low privilege)
- Admin A (high privilege)
With this configuration, Invicti:
- Uses User A and User B credentials to test for horizontal access control issues
- Uses User A and Admin A credentials to test for vertical access control issues
If providing three sets of credentials is not feasible, you can use two sets of credentials (one low-privilege user and one admin). However, this approach requires running two separate scans:
- One scan to test for horizontal access control issues (using two low-privilege accounts)
- Another scan to test for vertical access control issues (using one low-privilege and one high-privilege account)
What Invicti scans for
During the scan, Invicti Platform maintains multiple authenticated sessions and performs the following tests:
Horizontal BOLA detection
Invicti identifies API endpoints whose paths carry an object identifier, such as /api/user/{id} or /api/user/{guid}. When such an endpoint returns sensitive information (such as email, name, or address) for one user, Invicti attempts to access the same resource using a different user's session at the same privilege level.
If the second user can access the first user's data, Invicti reports a potential horizontal BOLA vulnerability.
Vertical BOLA detection
Similar to horizontal BOLA testing, Invicti identifies privileged resources accessed by an admin user and then attempts to access the same resources using a low-privilege user session.
If the low-privilege user can access admin-level data, Invicti reports a potential vertical BOLA vulnerability.
Horizontal BFLA detection
Invicti monitors API operations that modify data (POST, PUT, DELETE requests). When such operations succeed for one user, Invicti attempts to perform the same operation using a different user's session at the same privilege level, targeting the first user's resources.
If the second user can modify the first user's data, Invicti reports a potential horizontal BFLA vulnerability.
Vertical BFLA detection
Invicti identifies privileged operations performed by admin users and attempts to execute the same operations using a low-privilege user session.
If the low-privilege user can execute admin-level operations, Invicti reports a potential vertical BFLA vulnerability.
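The following Python is an added example, not Invicti's code: it models a GET /api/user/{id} handler with and without object-level authorization and replays the two-session differential check described above, for both the horizontal (User A vs. User B) and vertical (Admin A vs. low-privilege user) cases. Sessions, roles and profile data are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Authenticated API session (constructed stand-in for a bearer token)."""
    user_id: int
    role: str  # "user" (low privilege) or "admin" (high privilege)

# Constructed sample data: what GET /api/user/{id} returns.
PROFILES = {
    1: {"id": 1, "email": "a@example.test", "name": "User A"},
    2: {"id": 2, "email": "b@example.test", "name": "User B"},
}

def get_profile_vulnerable(session, profile_id):
    """Checks only *that* the caller is authenticated, so any logged-in
    user can read any profile by changing the id: a BOLA."""
    if session is None:
        return 401, None
    if profile_id not in PROFILES:
        return 404, None
    return 200, PROFILES[profile_id]

def get_profile_fixed(session, profile_id):
    """Same endpoint with object-level authorization. Ownership is checked
    before existence so a non-owner learns nothing about unknown ids."""
    if session is None:
        return 401, None
    if session.role != "admin" and session.user_id != profile_id:
        return 403, None
    if profile_id not in PROFILES:
        return 404, None
    return 200, PROFILES[profile_id]

def cross_session_check(handler, session_a, session_b, profile_id):
    """Two-session differential test like the one described above: fetch the
    resource as session_a and, if data came back, replay as session_b.
    Identical data for both is a finding: horizontal BOLA when the sessions
    share a privilege level, vertical BOLA when A is admin and B is not."""
    status_a, body_a = handler(session_a, profile_id)
    if status_a != 200 or body_a is None:
        return False  # nothing sensitive was returned to the legitimate caller
    status_b, body_b = handler(session_b, profile_id)
    return status_b == 200 and body_b == body_a
```

Running the check against the vulnerable handler with two "user" sessions flags a horizontal BOLA, while the fixed handler returns 403 to the second session and produces no finding.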
Unauthenticated access detection
Invicti also tests whether sensitive operations can be performed without any authentication:
- Publicly accessible write operations: Tests if API endpoints that modify data (POST, PUT, DELETE) can be executed without authentication
- GraphQL unauthenticated mutations: Tests if GraphQL mutation operations can be performed without authentication
- API sensitive information exposure: Tests if API endpoints leak sensitive information (PII) when accessed without authentication
Detected vulnerabilities
When Invicti identifies access control issues during a scan, it reports them as vulnerabilities in your scan results. Each finding includes:
- The vulnerable endpoint
- The type of access control issue (horizontal/vertical BOLA or BFLA)
- Proof-of-concept request and response data
- Recommended remediation steps
Review these findings in the Vulnerabilities section to understand the security risks and take appropriate action to fix the identified issues.
Related topics
- Add, edit or delete API authorization - Configure multiple sets of credentials for access control testing
- API catalog overview - Manage your API inventory
- Scan REST APIs - General information about scanning REST APIs
- Vulnerabilities overview - View and manage detected vulnerabilities
Need help?
The Invicti Support team is ready to provide you with technical help. Go to Help Center