API BOLA / IDOR Testing

from anthropic-cybersecurity-skills15,369

Structured workflow to test REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR), with techniques for discovery, exploitation checks, and rem

triggers:BOLAIDORbroken object level authorizationapi securityauthorization testing

GitHub SKILL.md

What it does

This skill provides a thorough, repeatable methodology to test APIs for Broken Object Level Authorization (BOLA / IDOR). It guides assessors through endpoint discovery, object ID mapping, authenticated baseline captures, horizontal and vertical privilege escalation checks, advanced techniques (parameter pollution, batch ID abuse, GraphQL relay IDs), and automation with Burp's Autorize. The outputs include test cases and a PoC report template.

When to use it

Activate this skill during security assessments of multi-tenant SaaS APIs, mobile/backend APIs, or any service that exposes object identifiers (numeric IDs, UUIDs, slugs). Required when validating OWASP API1:2023 controls or implementing authorization testing in CI/CD. Important: use only with explicit written authorization.

What's included

Scripts: example Python snippets for baseline capture and automated checks (embedded in SKILL.md / scripts folder)
References: recommended tools (Burp Suite + Autorize, OWASP ZAP, Postman, ffuf) and remediation checklists
Instructions: stepwise workflow for discovery, testing, advanced techniques, and report formatting

Compatible agents

Designed for security automation and testing agents (tools that can run scripts and interact with HTTP APIs), and pairs well with Burp-assisted manual testing and CI-based security checks.

Not yet audited

This skill has not been reviewed by our automated audit pipeline yet.

Information

Repository: anthropic-cybersecurity-skills
Stars: 15,369
Installs: 0

Related Skills

Anthropic Security Basics

Practical security practices for Anthropic Claude integrations: API key management, input validation, prompt-injection defenses, and output scanning.

IGF (Grapefruit) CLI

CLI skill to control the IGF (Grapefruit) dynamic instrumentation server for mobile security testing: enumerate Frida devices, inspect apps, run hooks, access f

Security Research Meta-Methodology

A structured vulnerability research framework distilled from 5600+ security docs, covering web injection, deserialization, binary exploitation, domain pentest,

Input Validation Checker

Automated guidance and code patterns for implementing robust input validation and secure-coding practices (OWASP-aligned).

Performing Threat Modeling with OWASP Threat Dragon

Use OWASP Threat Dragon to create data-flow diagrams, apply STRIDE/LINDDUN threat classifications, and generate threat-model reports to guide secure design revi

Nuxt Users

Add and configure user authentication, authorization, database and CLI tools for Nuxt 3/4 apps using the nuxt-users module.

Security Headers Generator

Auto-activating skill that generates and validates security HTTP headers and provides guidance for implementing secure header configurations.

API Security Testing

Guided workflow for testing REST and GraphQL APIs: authentication, authorization, input validation, rate limiting, error handling, and common API vulnerabilitie

Back to Skills

API BOLA / IDOR Testing

from anthropic-cybersecurity-skills15,369

Structured workflow to test REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR), with techniques for discovery, exploitation checks, and rem

triggers:BOLAIDORbroken object level authorizationapi securityauthorization testing

GitHub SKILL.md

What it does

When to use it

What's included

Scripts: example Python snippets for baseline capture and automated checks (embedded in SKILL.md / scripts folder)
References: recommended tools (Burp Suite + Autorize, OWASP ZAP, Postman, ffuf) and remediation checklists
Instructions: stepwise workflow for discovery, testing, advanced techniques, and report formatting

Compatible agents

Designed for security automation and testing agents (tools that can run scripts and interact with HTTP APIs), and pairs well with Burp-assisted manual testing and CI-based security checks.

Not yet audited

This skill has not been reviewed by our automated audit pipeline yet.

Information

Repository: anthropic-cybersecurity-skills
Stars: 15,369
Installs: 0

Related Skills

Anthropic Security Basics

Practical security practices for Anthropic Claude integrations: API key management, input validation, prompt-injection defenses, and output scanning.

IGF (Grapefruit) CLI

CLI skill to control the IGF (Grapefruit) dynamic instrumentation server for mobile security testing: enumerate Frida devices, inspect apps, run hooks, access f

Security Research Meta-Methodology

A structured vulnerability research framework distilled from 5600+ security docs, covering web injection, deserialization, binary exploitation, domain pentest,

Input Validation Checker

Automated guidance and code patterns for implementing robust input validation and secure-coding practices (OWASP-aligned).

Performing Threat Modeling with OWASP Threat Dragon

Use OWASP Threat Dragon to create data-flow diagrams, apply STRIDE/LINDDUN threat classifications, and generate threat-model reports to guide secure design revi

Nuxt Users

Add and configure user authentication, authorization, database and CLI tools for Nuxt 3/4 apps using the nuxt-users module.

Security Headers Generator

Auto-activating skill that generates and validates security HTTP headers and provides guidance for implementing secure header configurations.

API Security Testing

Guided workflow for testing REST and GraphQL APIs: authentication, authorization, input validation, rate limiting, error handling, and common API vulnerabilitie

API BOLA / IDOR Testing

What it does

When to use it

What's included

Compatible agents

Tags

Not yet audited

Information

Related Skills

API BOLA / IDOR Testing

What it does

When to use it

What's included

Compatible agents

Tags

Not yet audited

Information

Related Skills