Providing Authorization Information for Horizontal Authorization Abuse Test Cases

Testing for horizontal authorization abuse requires credentials for at least one additional user.

Since horizontal authorization abuse (Broken Object Level Authorization, BOLA) is about violating resource ownership constraints between users, these tests operate with a notion of users owning specific RESTful resources.

The tests first access the API's RESTful resource as the user who owns it, then repeat the same request as an additional user who does not own the resource. If the second request succeeds where it should have been denied, the endpoint is not enforcing ownership.

The autogenerated environment.yml file has the structure below (assuming the default Bearer AuthN mechanism is in use).

# Environment file that contains users, roles and their Authentication
# mechanisms that will be used by the API endpoints.
iam:
  users:
    - name: user_1
      default: true # This user should own RESTful resources subject to horizontal abuse testing
      bearer_tokens:
        - name: bearerAuth
          value: <Enter the bearer token>
    - name: user_2
      bearer_tokens:
        - name: bearerAuth
          value: <Enter the bearer token>

You must provide valid bearer tokens for both users above (user_1 and user_2).

If you are wondering why bearer tokens for two users are required: user_1 is the default user and is used in most of the API testing.

user_2 specifies credentials for another user at the same role level as user_1 and is used in horizontal privilege escalation tests. Keep the two users at the same role level; if user_2 has fewer privileges than user_1, a denied request may reflect a role check rather than an ownership check, and the result will not tell you whether ownership is enforced.
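The two-user flow described above, as an added example that is not part of this tool or its documentation. The `ENVIRONMENT` dict mirrors the autogenerated environment.yml, and the two order handlers are a constructed in-memory stand-in for a real API (one that ignores ownership, one that enforces it). The token-to-user mapping, the order records and the `Authorization: Bearer <value>` header format are assumptions made for the example.

```python
"""Horizontal authorization (BOLA) check: fetch a resource as its owner (the
default user), then repeat the request as a second, same-role user who does
not own it. A 200 for the non-owner means ownership is not enforced.

Example code added to this page; not the tool's own implementation.
"""

# Constructed equivalent of the autogenerated environment.yml.
ENVIRONMENT = {
    "iam": {
        "users": [
            {"name": "user_1", "default": True,
             "bearer_tokens": [{"name": "bearerAuth", "value": "tok-user-1"}]},
            {"name": "user_2",
             "bearer_tokens": [{"name": "bearerAuth", "value": "tok-user-2"}]},
        ]
    }
}

# Constructed API state (assumption): which token maps to which user, and
# which user owns each order.
TOKENS = {"tok-user-1": "user_1", "tok-user-2": "user_2"}
ORDERS = {
    "1001": {"owner": "user_1", "total": 42.0},
    "2002": {"owner": "user_2", "total": 7.5},
}


def _bearer(headers):
    """Extract the token from an `Authorization: Bearer <token>` header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def vulnerable_get_order(headers, order_id):
    """GET /orders/{id}: authenticates the caller but never checks ownership."""
    if TOKENS.get(_bearer(headers)) is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def hardened_get_order(headers, order_id):
    """Same endpoint, but the order must belong to the authenticated user."""
    user = TOKENS.get(_bearer(headers))
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    # Answer 404 for someone else's order so a non-owner cannot tell a valid
    # ID from a non-existent one (403 would leak that the ID exists).
    if order is None or order["owner"] != user:
        return 404, {"error": "not found"}
    return 200, order


def _users(env):
    """Return (default_user, other_user) dicts from the environment."""
    users = env["iam"]["users"]
    default = next(u for u in users if u.get("default"))
    other = next(u for u in users if not u.get("default"))
    return default, other


def _headers_for(user):
    return {"Authorization": "Bearer " + user["bearer_tokens"][0]["value"]}


def bola_check(handler, env, resource_id):
    """Run the two-user flow against one resource and report the outcome.

    `baseline_ok` is False when the owner cannot read the resource at all, in
    which case the second request proves nothing and `vulnerable` stays False.
    """
    owner, other = _users(env)
    owner_status, _ = handler(_headers_for(owner), resource_id)
    other_status, _ = handler(_headers_for(other), resource_id)
    baseline_ok = owner_status == 200
    return {
        "resource": resource_id,
        "owner": owner["name"], "owner_status": owner_status,
        "other_user": other["name"], "other_status": other_status,
        "baseline_ok": baseline_ok,
        "vulnerable": baseline_ok and other_status == 200,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_order),
                          ("hardened", hardened_get_order)):
        print(name, bola_check(handler, ENVIRONMENT, "1001"))
```

The check reads the owner and the second user straight from the environment structure shown above, which is why user_1 must own the resource under test: a resource owned by user_2 (such as order 2002 here) fails the owner baseline and yields no verdict.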

If you are using an authentication mechanism other than Bearer AuthN, modify the autogenerated YAML accordingly.