testing-api-for-broken-object-level-authorization

Installation
SKILL.md

Testing API for Broken Object Level Authorization

When to Use

  • Assessing REST or GraphQL APIs that use object identifiers in URL paths, query parameters, or request bodies
  • Performing OWASP API Security Top 10 assessments where API1:2023 (BOLA) must be tested
  • Testing multi-tenant SaaS applications where users from different tenants should not access each other's data
  • Validating that API endpoints enforce per-object authorization checks beyond just authentication
  • Evaluating APIs after new endpoints are added to ensure authorization middleware is applied consistently

Do not use without written authorization from the API owner. BOLA testing involves accessing or attempting to access other users' data, which requires explicit permission.

Prerequisites

Installs
229
GitHub Stars
24.7K
First Seen
Mar 15, 2026
testing-api-for-broken-object-level-authorization — mukul975/anthropic-cybersecurity-skills