IDOR by adding user id in query params
Attacker can access resources of any user by adding user_id in URL.
Broken Object Level Authorization (BOLA)
How this template works
The template uses API selection filters to specify the criteria for selecting the API requests to be executed. In this case, the filters include checking the response code to be between 200 and 300, and extracting the value of the "user" or "customer" parameter as the "user_context" for further use.
The template uses a single request execution type, which means it will execute a single API request. The request is defined using the "add_query_param" action, where the value of the "user_context.key" is set to the extracted value from the API selection filters.
After executing the request, the template performs validation on the response. It checks that the response code is between 200 and 300, and also checks the response payload for two conditions. Firstly, it checks that the percentage match of the response payload with the original response payload is less than 50%. Secondly, it checks that the length of the response payload is greater than 0.
Frequently asked questions
What is the purpose of the "add_query_param" request in the test
How is the "user_context" parameter extracted from the request
What is the purpose of the "response_code" filter in the validation step
What does the "percentage_match" validation check for in the response payload
How is the length of the response payload validated
What is the purpose of the "BOLA" category and "ADD_USER_ID" subcategory in the array