Comprehensive IDOR Guide

A practitioner's reference for Insecure Direct Object Reference (IDOR) and Broken Object Level Authorization (BOLA): attack surface, enumeration patterns, bypass techniques, real-world writeups, detection workflow, and prevention. Compiled from 21 research sources.

Table of Contents
1. Fundamentals
2. IDOR vs BOLA vs BFLA
3. Attack Surface & Where Identifiers Live
4. Horizontal vs Vertical Access
5. Identifier Enumeration Patterns
6. Parameter Tampering Techniques
7. HTTP Method & Verb Tampering
8. Content-Type & Format Bypasses
9. Path, Version, and Endpoint Tricks
10. Mass Assignment Overlap
11. UUID & Unpredictable ID Defeats
12. Second-Order and Blind IDOR
13. GraphQL, WebSocket, and Non-REST Surfaces
14. Real-World Writeups & CVEs
15. Exploit Chains
16. Detection Methodology with Autorize
17. Tools & Automation
18. Impact & Severity Mapping
19. Prevention & Secure Design
20. Testing Checklist
21. Report Writing

1. Fundamentals
IDOR occurs when an application uses user-supplied input to reference an internal object (a database row, file, or other resource) and fails to verify whether the current user is authorized to access that specific object. The application trusts the identifier, not the identity. ...
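The "trusts the identifier, not the identity" failure in its smallest form, as an added example that is not code from the guide or its author. The invoice store, user names and the `get_invoice*` handler names are constructed for illustration; `cross_account_probe` reproduces the differential check that the detection section's Autorize workflow automates (replay the victim's requests with the attacker's identity and see which still succeed).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed in-memory table standing in for the database rows an id points at.
INVOICES = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 9900),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """IDOR: the caller is authenticated and the id is looked up, but ownership is
    never compared with current_user. The application trusts the identifier."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice(current_user: str, invoice_id: int) -> Invoice:
    """Object-level authorization: the lookup is bound to the caller's identity.
    'Does not exist' and 'not yours' share one response so the endpoint does not
    become an enumeration oracle for valid ids."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise NotFound(invoice_id)
    return inv


def can_read(handler, user: str, invoice_id: int) -> bool:
    """True if `user` can retrieve the object through `handler`."""
    try:
        handler(user, invoice_id)
        return True
    except NotFound:
        return False


def cross_account_probe(handler, victim: str, attacker: str) -> list:
    """Autorize-style differential check: every object the victim owns is
    re-requested with the attacker's identity; any id that still succeeds
    is an IDOR finding. An empty list means no cross-account read."""
    return [
        inv_id
        for inv_id, inv in INVOICES.items()
        if inv.owner == victim and can_read(handler, attacker, inv_id)
    ]


if __name__ == "__main__":
    print("vulnerable:", cross_account_probe(get_invoice_vulnerable, "alice", "bob"))  # [1001]
    print("fixed:     ", cross_account_probe(get_invoice, "alice", "bob"))             # []
```

The hardened handler deliberately collapses "missing" and "not owned" into one outcome; returning 403 for the latter would confirm to an attacker which ids exist, which is the information an enumeration pass is after.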

April 10, 2026 · 26 min · Carl Sampson

Comprehensive Authorization & Access Control Guide

A practitioner's reference for Broken Access Control (OWASP A01): the models, bug classes, bypass techniques, real-world chains, and detection/prevention patterns that matter in modern web and API testing. Compiled from 33 research sources.

Table of Contents
1. Fundamentals
2. Authorization Models
3. Attack Surface & Discovery
4. Vertical Privilege Escalation
5. Horizontal Privilege Escalation & IDOR/BOLA
6. Broken Function Level Authorization
7. URL, Method & Header Bypasses
8. Parameter & Keyword Bypasses
9. JWT & Token Claim Manipulation
10. OAuth Scope & Redirect Abuse
11. Multi-Tenant & Session Isolation Failures
12. Cloud & AI Agent Authorization
13. Real-World CVEs and Chains
14. Tools & Automation
15. Detection & Prevention
16. Testing Methodology
17. Quick Reference

1. Fundamentals
Access control is the application of constraints on who or what is authorized to perform actions or access resources. It sits on top of two related primitives: ...
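A deny-by-default function-level check beside the vertical-escalation bug that the guide's "Parameter & Keyword Bypasses" and "JWT & Token Claim Manipulation" sections cover, as an added example that is not code from the guide or its author. The session store, user directory, action names and the `handle*` function names are constructed for illustration; the point is that the role must be resolved server-side from the authenticated subject, never read from anything the client controls.

```python
# Constructed session store and user directory; a real application would
# resolve these from its session backend and user database.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-root": "root"}
USER_ROLES = {"alice": "user", "bob": "user", "root": "admin"}

# Constructed role -> permitted actions table. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "user": {"invoice:read", "invoice:create"},
    "admin": {"invoice:read", "invoice:create", "invoice:delete", "user:list"},
}


def authorize(role: str, action: str) -> bool:
    """Function-level check, deny by default: an unknown role or an action
    missing from the role's set yields False rather than an exception."""
    return action in ROLE_PERMISSIONS.get(role, set())


def handle_vulnerable(session_id: str, action: str, params: dict) -> int:
    """Vertical privilege escalation: the role is accepted from the request
    (a tampered ?role=admin parameter, a hidden form field, an unverified
    token claim) instead of being derived from the authenticated subject."""
    subject = SESSIONS.get(session_id)
    if subject is None:
        return 401
    role = params.get("role", USER_ROLES[subject])
    return 200 if authorize(role, action) else 403


def handle(session_id: str, action: str, params: dict) -> int:
    """Hardened: the subject comes from the server-side session and the role
    from the server's own record of that subject; `params` never touches it."""
    subject = SESSIONS.get(session_id)
    if subject is None:
        return 401
    role = USER_ROLES[subject]
    return 200 if authorize(role, action) else 403


if __name__ == "__main__":
    tampered = {"role": "admin"}
    print("vulnerable:", handle_vulnerable("sess-alice", "user:list", tampered))  # 200
    print("fixed:     ", handle("sess-alice", "user:list", tampered))             # 403
```

This check answers only "may this role call this function at all?"; a separate object-level (ownership or tenant) check is still required on every resource-scoped action, which is why the guide treats BFLA and IDOR/BOLA as distinct bug classes.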

April 10, 2026 · 25 min · Carl Sampson