IDOR and BOLA testing

Prove object-level authorization bugs with identity-aware replay.

Crusader's Shadow Replay workflow is built for the bug class that pays: capture real requests from two actors, replay scoped reads across identities, rank meaningful response differences, and turn authorization gaps into evidenced findings.

Two-account identity capture Scoped authorization replay Response diff ranking Finding promotion with evidence

The authorization testing loop

IDOR and BOLA testing is not just changing an ID. The reliable workflow is to preserve real session context, replay a request as another authorized test actor, compare the full response, and separate noise from proof.

Capture

Save real identities

Record authenticated traffic for account A and account B so replay uses realistic headers, cookies, tokens, and client behavior.

Scope

Stay inside authorization

Limit replay to approved hosts, safe methods, and engagement boundaries before testing access control.

Replay

Run Shadow Replay

Re-send selected requests as another actor and compare status, body, headers, object ownership, and stable indicators.

Prove

Promote only evidenced bugs

Keep the source request, actor context, response delta, and reproduction steps attached to the finding.

Where IDOR leads come from

Crusader helps you find object-bearing requests across browser traffic, mobile APIs, imported projects, GraphQL bodies, JSON payloads, URL paths, and query strings. Then it gives you a controlled path to prove the actual authorization issue.

Good candidates:
- GET /api/projects/{projectId}
- POST /graphql with object IDs in variables
- PUT /api/users/{userId}/settings
- Mobile API calls with tenant, account, invoice, report, or file IDs

Proof quality matters

A good authorization report shows exactly which actor should not have access, exactly which object was accessed, and exactly what sensitive data or action was exposed. Crusader keeps those artifacts tied to the request and response history.

False positives

Compare more than status codes

A 200 can be a blank shell, a 403 can leak data in an error body, and caching can mislead. Inspect the full delta.

Freshness

Keep identity state current

Refresh sessions when needed, avoid stale tokens, and preserve actor context so proof is repeatable.

Safety

Prefer reads first

Start with read-only requests and explicit test objects. Escalate only when the engagement allows it.

Reporting

Attach the evidence chain

Promote confirmed deltas to findings with request, response, actor, impact, and remediation notes.

Related topic hubs

Authorization testing touches capture, mobile, agents, and transport. These hubs connect the adjacent workflows.

Make authorization testing repeatable.

Download Crusader free for capture, Repeater, passive triage, and project history. Start Hunter Pro in-app when you want Shadow Replay, active proof workflows, reports, mobile, JA3 transport, and full automation.

Download Crusader