Scan and troubleshoot API access control issues
Once you've configured multiple API authorization credentials, Invicti Platform uses multi-session scanning to detect access control vulnerabilities. This document explains how the scanning process works, how to interpret results, and how to troubleshoot common issues.
Before running access control vulnerability scans, ensure you have:
- Configured multiple API authorization credentials
- An understanding of access control vulnerabilities - see Understanding API access control vulnerabilities
- A target configured to scan your API - see Add a target
How Invicti tests for access control vulnerabilities
Invicti Platform uses multi-session scanning to detect both horizontal and vertical access control vulnerabilities. This approach simulates how different users with varying privilege levels interact with your API.
During the scan, Invicti Platform maintains multiple authenticated sessions and performs the following tests:
Horizontal BOLA detection
Invicti identifies API endpoints whose path carries an object identifier, such as /api/user/{id} or /api/user/{guid}. When such an endpoint returns sensitive information (such as email, name, or address) for one user, Invicti requests the same resource using a different user's session at the same privilege level.
If the second user can access the first user's data, Invicti reports a potential horizontal BOLA vulnerability.
Vertical BOLA detection
Similar to horizontal BOLA testing, Invicti identifies privileged resources accessed by an admin user and then attempts to access the same resources using a low-privilege user session.
If the low-privilege user can access admin-level data, Invicti reports a potential vertical BOLA vulnerability.
Horizontal BFLA detection
Invicti monitors API operations that modify data (POST, PUT, DELETE requests). When such operations succeed for one user, Invicti attempts to perform the same operation using a different user's session at the same privilege level, targeting the first user's resources.
If the second user can modify the first user's data, Invicti reports a potential horizontal BFLA vulnerability.
Vertical BFLA detection
Invicti identifies privileged operations performed by admin users and attempts to execute the same operations using a low-privilege user session.
If the low-privilege user can execute admin-level operations, Invicti reports a potential vertical BFLA vulnerability.
Unauthenticated access detection
Invicti also tests whether sensitive operations can be performed without any authentication:
- Publicly accessible write operations: Tests if API endpoints that modify data (POST, PUT, DELETE) can be executed without authentication
- GraphQL unauthenticated mutations: Tests if GraphQL mutation operations can be performed without authentication
- API sensitive information exposure: Tests if API endpoints leak sensitive information (PII) when accessed without authentication
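The four multi-session checks and the unauthenticated checks above all reduce to one differential test: take a request that succeeded for a baseline identity, replay it with a second identity's session (another same-level user, a lower-privilege user, or no session at all), and decide whether the second identity should have been denied. The following is an added example written for this page, not Invicti Platform's implementation; it models that logic against a small in-memory API constructed here with deliberate flaws, and the sessions, tokens, endpoints and the `SENSITIVE_KEYS` heuristic are all assumptions of the example. It also shows two places where a naive comparison produces false positives: a public resource (not sensitive, so not a finding) and an endpoint that returns each caller their own object (different body, so not the baseline's data).

```python
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed in-memory target API (stand-in for a real one). Each BUG
# comment marks a deliberate flaw that the differential checks should catch.
USERS = {"tok-alice": {"id": 1, "role": "user"},
         "tok-bob": {"id": 2, "role": "user"},
         "tok-admin": {"id": 99, "role": "admin"}}
PROFILES = {1: {"email": "alice@example.test"}, 2: {"email": "bob@example.test"}}
AUDIT_LOG = [{"event": "login", "user": 1, "ip": "203.0.113.7"}]
PUBLIC_POSTS = {10: {"title": "Welcome"}}

def api(method, path, token=None, body=None):
    """Return (status, json) like a real API would; the BUGs are intentional."""
    user = USERS.get(token)
    if (m := re.fullmatch(r"/api/user/(\d+)/reset-password", path)) and method == "POST":
        # BUG: no authentication at all on a state-changing operation
        return (200, {"sent": True}) if int(m.group(1)) in PROFILES else (404, {})
    if m := re.fullmatch(r"/api/user/(\d+)", path):
        if user is None:
            return 401, {}
        uid = int(m.group(1))
        if uid not in PROFILES:
            return 404, {}
        if method not in ("GET", "PUT"):
            return 405, {}
        # BUG: authenticated, but uid == user["id"] (ownership) is never checked
        if method == "PUT":
            PROFILES[uid].update(body or {})
        return 200, dict(PROFILES[uid])
    if path == "/api/admin/audit" and method == "GET":
        if user is None:
            return 401, {}
        return 200, {"entries": AUDIT_LOG}   # BUG: user["role"] == "admin" never checked
    if (m := re.fullmatch(r"/api/posts/(\d+)", path)) and method == "GET":
        pid = int(m.group(1))
        return (200, PUBLIC_POSTS[pid]) if pid in PUBLIC_POSTS else (404, {})
    return 404, {}

# --- Scanner side: the differential checks ---
SENSITIVE_KEYS = {"email", "name", "address", "phone", "ip"}   # assumed PII heuristic
ROLE_RANK = {"user": 1, "admin": 2}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass(frozen=True)
class Session:
    name: str
    token: Optional[str]   # None models the unauthenticated checks
    role: Optional[str]

@dataclass(frozen=True)
class Finding:
    kind: str
    method: str
    path: str
    baseline: str
    attacker: str

def looks_sensitive(payload):
    """Crude PII detector: a sensitive key anywhere in the JSON body."""
    if isinstance(payload, dict):
        return any(k in SENSITIVE_KEYS for k in payload) or any(map(looks_sensitive, payload.values()))
    return isinstance(payload, list) and any(map(looks_sensitive, payload))

def classify(baseline, attacker, method):
    """Name the finding type the way the page does, or None if this pair is not a test case."""
    write = method in WRITE_METHODS
    if attacker.token is None:
        return "publicly accessible write operation" if write else "API sensitive information exposure"
    if ROLE_RANK[attacker.role] < ROLE_RANK[baseline.role]:
        return "vertical BFLA" if write else "vertical BOLA"
    if attacker.role == baseline.role:
        return "horizontal BFLA" if write else "horizontal BOLA"
    return None   # attacker outranks the baseline: nothing to test

def differential_test(baseline, attacker, method, path, body=None):
    """Replay a request that succeeded for `baseline` using `attacker`'s session."""
    kind = classify(baseline, attacker, method)
    if kind is None:
        return None
    status_b, resp_b = api(method, path, baseline.token, body)
    if status_b != 200:
        return None                      # baseline itself failed: nothing to compare against
    if method == "GET" and not looks_sensitive(resp_b):
        return None                      # public or non-sensitive read: not a finding
    status_a, resp_a = api(method, path, attacker.token, body)
    if status_a != 200:
        return None                      # correctly denied (401/403/404)
    if method == "GET" and resp_a != resp_b:
        return None                      # attacker got a different object (its own view), not the baseline's
    return Finding(kind, method, path, baseline.name, attacker.name)

ALICE, BOB = Session("alice", "tok-alice", "user"), Session("bob", "tok-bob", "user")
ADMIN, ANON = Session("admin", "tok-admin", "admin"), Session("anonymous", None, None)
# Requests observed succeeding for a baseline identity (constructed here; a
# scanner would collect them from its crawl of the authenticated sessions).
OBSERVED = [(ALICE, "GET", "/api/user/1", None),
            (ALICE, "PUT", "/api/user/1", {"display_name": "A."}),
            (ALICE, "POST", "/api/user/1/reset-password", None),
            (ADMIN, "GET", "/api/admin/audit", None),
            (ALICE, "GET", "/api/posts/10", None)]

def run_scan():
    findings = []
    for baseline, method, path, body in OBSERVED:
        for attacker in (ALICE, BOB, ADMIN, ANON):
            if attacker is not baseline:
                f = differential_test(baseline, attacker, method, path, body)
                if f:
                    findings.append(f)
    return findings

if __name__ == "__main__":
    for f in run_scan():
        print(f"{f.kind}: {f.method} {f.path} ({f.baseline} -> {f.attacker})")
```

Running it reports a horizontal BOLA and BFLA on /api/user/1, a horizontal BFLA plus an unauthenticated write on the reset-password endpoint, and a vertical BOLA on /api/admin/audit for each low-privilege user; /api/posts/10 is reachable by everyone but never reported, because nothing sensitive comes back. A real scanner has to decide the same three things this code does: which baseline requests are worth replaying, what counts as sensitive, and whether a 200 from the second identity really returned the baseline's object.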
Understanding scan results
When Invicti identifies access control issues during a scan, it reports them as vulnerabilities in your scan results. Each finding includes:
- The vulnerable endpoint
- The type of access control issue (horizontal or vertical BOLA or BFLA, or unauthenticated access)
- Proof-of-concept request and response data
- Recommended remediation steps
Review these findings in the Vulnerabilities section to understand the security risks and take appropriate action to fix the identified issues.
Interpreting vulnerability severity
Access control vulnerabilities are typically rated as high or critical severity because they can lead to:
- Data breaches: Unauthorized access to sensitive user data
- Privacy violations: Exposure of personal or confidential information
- Privilege escalation: Regular users gaining administrative access
- Data manipulation: Unauthorized modification or deletion of data
Common vulnerability patterns
Look for these patterns in your scan results:
Predictable object references:
- Endpoints with sequential IDs that can be enumerated
- GUIDs or tokens that follow predictable patterns
- User identifiers exposed in URLs or responses
Missing authorization checks:
- Endpoints that authenticate but don't authorize specific resource access
- Administrative functions accessible to regular users
- Write operations that don't verify ownership
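The two pattern groups above are the same defect seen from two sides: a handler that authenticates the caller but never asks whether that caller may touch this particular object, and identifiers that make walking through every object trivial. The example below is added for this page (it is not Invicti code) and shows the vulnerable read and write handlers next to hardened versions that share one object-level `can_access` check, plus an enumeration loop that walks sequential IDs with a single low-privilege session. Profiles, sessions and token strings are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    id: int
    role: str          # "user" or "admin" (assumed role model)

# Constructed data: five sequential profiles and two sessions.
PROFILES = {i: {"id": i, "email": f"user{i}@example.test"} for i in range(1, 6)}
SESSIONS = {"tok-user1": Principal(1, "user"), "tok-admin": Principal(9, "admin")}

def authenticate(token):
    """Authentication only: who is calling? Says nothing about what they may touch."""
    return SESSIONS.get(token)

def can_access(who, uid):
    """Object-level authorization: owner or admin. Works the same for sequential IDs and GUIDs."""
    return who.role == "admin" or who.id == uid

def get_profile_vulnerable(token, uid):
    who = authenticate(token)
    if who is None:
        return 401, None
    # Missing authorization: any logged-in caller may read any profile (BOLA)
    return (200, PROFILES[uid]) if uid in PROFILES else (404, None)

def get_profile_hardened(token, uid):
    who = authenticate(token)
    if who is None:
        return 401, None
    profile = PROFILES.get(uid)
    # Deny before revealing existence: "not yours" and "not found" look identical,
    # so the endpoint cannot be used as an oracle for which IDs are valid.
    if profile is None or not can_access(who, uid):
        return 404, None
    return 200, profile

def update_email_vulnerable(token, uid, new_email):
    who = authenticate(token)
    if who is None:
        return 401, None
    if uid not in PROFILES:
        return 404, None
    PROFILES[uid]["email"] = new_email      # write with no ownership check
    return 200, PROFILES[uid]

def update_email_hardened(token, uid, new_email):
    who = authenticate(token)
    if who is None:
        return 401, None
    if uid not in PROFILES or not can_access(who, uid):
        return 404, None
    PROFILES[uid]["email"] = new_email
    return 200, PROFILES[uid]

def enumerate_profiles(handler, token, id_range):
    """What one low-privilege session collects by walking sequential IDs."""
    return [uid for uid in id_range if handler(token, uid)[0] == 200]

if __name__ == "__main__":
    print("vulnerable:", enumerate_profiles(get_profile_vulnerable, "tok-user1", range(1, 11)))
    print("hardened:  ", enumerate_profiles(get_profile_hardened, "tok-user1", range(1, 11)))
```

Against the vulnerable handler, user 1's session reads all five profiles; against the hardened one it reads only its own, and IDs 2 to 5 are indistinguishable from IDs that do not exist. Switching to random GUIDs would slow the enumeration loop down but would not fix either handler; only the per-object check does.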
Best practices for ongoing testing
To maintain effective access control testing with Invicti Platform, follow these operational best practices:
Regular testing schedule
- After code deployments: Run access control scans after any API changes
- User role updates: Test when new user roles or permissions are added
- Periodic reviews: Schedule regular scans to catch newly introduced issues
- Security assessments: Include access control testing in security reviews
Monitoring and maintenance
- Track scan coverage: Ensure all critical endpoints are being tested
- Update test credentials: Refresh authentication tokens and passwords regularly
- Review new endpoints: Test access control on newly added API endpoints
- Monitor false positives: Track and refine findings to reduce noise
Troubleshooting common issues
If you encounter problems with access control testing, consider these common solutions:
Credentials not working
Problem: Invicti reports authentication failures during the scan.
Solutions:
- Verify credentials are correct by testing them manually against your API
- Check if tokens have expired and need refreshing
- Ensure the authorization method matches your API's requirements
- Confirm that test accounts haven't been disabled or locked
Limited vulnerability detection
Problem: fewer access control vulnerabilities detected than expected.
Solutions:
- Verify that test users actually have different privilege levels, and that users at the same privilege level own distinct resources (the scan can only compare what one user can reach against what another user should not)
- Check that your API endpoints return meaningful data for the authenticated users
- Ensure test accounts have sufficient data/resources associated with them
- Review that endpoints contain parameters that could indicate object references (IDs, GUIDs)
False positive results
Problem: Invicti reports access control issues that aren't actually vulnerabilities.
Solutions:
- Review the specific endpoints and data involved in the findings
- Verify whether the accessed data is truly sensitive or restricted
- Check if the application intentionally allows certain cross-user access patterns
- Consider if public or shared resources are being flagged incorrectly
Session management issues
Problem: inconsistent results across multiple scan runs.
Solutions:
- Check if your API has session timeout or rate limiting that affects scans
- Verify that authentication tokens remain valid for the duration of the scan
- Ensure test accounts aren't being used simultaneously elsewhere
- Consider whether your API has anti-automation measures (bot detection, CAPTCHAs, IP-based blocking) that need to be relaxed or allowlisted for the scanner in the test environment
Performance and coverage issues
Problem: scans are slow or missing critical endpoints.
Solutions:
- Review scan scope to ensure all important endpoints are included
- Check if rate limiting is affecting scan performance
- Verify that authentication is working correctly for all configured users
- Consider splitting large APIs into multiple targeted scans
Token and session expiration
Problem: authentication sessions expire during long scans.
Solutions:
- Use longer-lived tokens for the test accounts when possible, without relaxing token lifetimes for real users
- Implement token refresh mechanisms if supported by your API
- Schedule shorter, more frequent scans
- Monitor scan logs for authentication renewal patterns
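For the credential failures described under "Credentials not working" and the mid-scan expiry described just above, the cheapest check is to inspect each configured token's lifetime before the scan starts rather than discovering the problem in the scan log. The example below is added for this page (it is not Invicti code) and assumes the API issues bearer JWTs with standard `exp`/`nbf` claims; for opaque tokens the only equivalent is to make an authenticated request or call the issuer's introspection endpoint. It decodes the claims without verifying the signature, which is fine for inspecting your own test credentials but must never be used to make an authorization decision. The key, the fixed clock and the four sample tokens are constructed locally.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_test_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 token. Only here to construct sample input offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def token_lifetime(token: str, now: Optional[float] = None) -> dict:
    """Read sub/exp/nbf WITHOUT verifying the signature (inspection only, not trust)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {"sub": claims.get("sub"),
            "expires_in_s": None if exp is None else exp - now,
            "not_yet_valid": claims.get("nbf", 0) > now}

def check_credentials(tokens: dict, expected_scan_seconds: int, now: Optional[float] = None) -> list:
    """Return the problems that would otherwise surface as authentication failures mid-scan."""
    problems = []
    for name, tok in tokens.items():
        info = token_lifetime(tok, now)
        if info["not_yet_valid"]:
            problems.append(f"{name}: token not yet valid (nbf is in the future)")
        remaining = info["expires_in_s"]
        if remaining is None:
            continue        # no exp claim: lifetime is enforced server-side, cannot tell from here
        if remaining <= 0:
            problems.append(f"{name}: token already expired")
        elif remaining < expected_scan_seconds:
            problems.append(f"{name}: token expires in {int(remaining)}s but the scan needs ~{expected_scan_seconds}s")
    return problems

# Constructed sample credentials: a throwaway key and a fixed clock.
KEY = b"throwaway-example-key"
NOW = 1_700_000_000
TEST_TOKENS = {
    "user-a": make_test_jwt({"sub": "alice", "exp": NOW + 4 * 3600}, KEY),
    "user-b": make_test_jwt({"sub": "bob", "exp": NOW + 600}, KEY),
    "admin":  make_test_jwt({"sub": "admin", "exp": NOW - 60}, KEY),
    "svc":    make_test_jwt({"sub": "svc", "nbf": NOW + 300, "exp": NOW + 7200}, KEY),
}

if __name__ == "__main__":
    for line in check_credentials(TEST_TOKENS, expected_scan_seconds=3600, now=NOW):
        print(line)
```

With a one-hour scan, only user-a passes: user-b will expire partway through, the admin token is already dead (so every vertical check would silently fail as "denied"), and the service token is not valid yet. Run this kind of check right before launching, and when the API supports a refresh grant, refresh any token whose remaining lifetime is shorter than the scan before starting rather than relying on re-authentication mid-scan.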
Optimizing scan effectiveness
To get the most value from your access control testing:
Endpoint coverage
- Identify critical paths: focus on endpoints that handle sensitive data.
- Test CRUD operations: ensure create, read, update, delete operations are tested.
- Include admin endpoints: make sure privileged functions are in scope.
- Test edge cases: include unusual or less common API endpoints.
Data quality
- Use realistic test data: populate test accounts with representative data.
- Create data relationships: ensure users have interconnected data for testing.
- Include sensitive information: test with data that should be protected.
- Maintain data freshness: keep test data current and relevant.
Next steps
After running your access control scans:
- Review and prioritize vulnerabilities: Focus on high-severity access control issues first
- Implement fixes: Work with development teams to resolve identified issues
- Retest after fixes: Run follow-up scans to verify vulnerabilities are resolved
- Document lessons learned: Update your testing approach based on findings
Related topics
- Configure API authorization for access control testing - Set up credentials for testing
- Understanding API access control vulnerabilities - Learn about BOLA, BFLA, and IDOR
- Vulnerabilities overview - View and manage detected vulnerabilities
- API access control testing overview - Complete guide
Need help?
The Invicti Support team is ready to provide you with technical help. Go to Help Center