BOLA (Broken Object Level Authorization)
// Definition
Ranked #1 in the OWASP API Security Top 10. A BOLA (also called IDOR — Insecure Direct Object Reference) vulnerability exists when an API trusts the object ID in the request rather than checking whether the authenticated user is authorised to access that specific resource. Test by replacing `/users/1/orders/100` with `/users/1/orders/101` (an order belonging to a different user) — a vulnerable API returns a 200; a secure one returns a 403 or 404. The fix is server-side authorisation checks on every object access.
// Why it matters
Invisible to happy-path testing — the endpoint works perfectly for its legitimate owner. You only surface BOLA by deliberately crossing user boundaries, so it's a test-design gap, not a tooling one. For any API exposing per-user resources, it's the first authorization test to write.
// How to test
// Authenticate as user A, then request user B's object
cy.request({ url: '/api/users/1/orders/100', headers: tokenA }) // your own
.its('status').should('eq', 200)
cy.request({
url: '/api/users/1/orders/101', // belongs to user B
headers: tokenA,
failOnStatusCode: false,
}).its('status').should('be.oneOf', [403, 404]) // 200 = vulnerable// Common mistakes
- Checking authorization only at login, not on every object access
- Treating a non-guessable ID (a UUID) as if it were a permission
- Testing only the happy path, so the bug ships silently
// Related terms
RBAC
Role-Based Access Control — a permission model where access rights are assigned to roles, and users inherit permissions by belonging to one or more roles. A `viewer` role can read resources; an `admin` role can create, update, and delete. In API testing, RBAC tests verify that each role can reach only the endpoints it should: a viewer calling `DELETE /content` should get a 403, not a 200. Broken access control at the object and function level is consistently in the OWASP API Security Top 10.
OAuth 2.0
An open delegation protocol that lets users grant third-party applications scoped access to their resources without sharing their password. OAuth 2.0 defines four grant flows — Authorization Code (web apps), Client Credentials (server-to-server), Device Code (CLI tools / TVs), and PKCE (mobile apps). QA engineers test OAuth flows by validating token exchange, scope enforcement, refresh token behaviour, and failure modes like expired tokens, insufficient scopes, and revoked access.
SSRF (Server-Side Request Forgery)
An attack where an attacker tricks a server into making HTTP requests on their behalf — often to internal services that aren't exposed to the internet. A vulnerable endpoint accepts a URL as input and fetches it server-side. Attackers use SSRF to reach cloud metadata endpoints (`http://169.254.169.254/latest/meta-data/`), internal admin interfaces, and databases. Test by supplying internal IPs, `localhost`, or cloud metadata URLs as inputs. The fix is a strict allowlist of permitted destination hosts.