With Akto, you can automate the process of generating attacker tokens required for Broken Object Level Authorization (BOLA) . These tokens are required to simulate the actions of malicious actors and help identify BOLA-related vulnerabilities in your API's authorization mechanisms.

In the demonstration below, let’s run a test by selecting an authenticated API endpoint from the juice_shop_demo collection.

1. Configure attacker token

In the demonstration below, we have added an Auth header key and Auth header value to facilitate authentication when making requests to the API. Go to the Testing > User Config. Enter the Auth Header Key and Auth Header Value. Click on the Save Change.

In the above demonstration, we have added an Auth token. Now let's check the test results.

You can also automate attacker auth token generation by clicking on the Automated button and follow the steps here.

2. Run BOLA tests

Go to API Inventory > API Collection. Select the API collection for which you want to run the test and sort authenticated API endpoints based on your requirements. Click on the Run test button. Select the Test Categories (BOLA), then click on the Run Test.

In the above demonstration, we have run tests for Broken Object Level Authorization (BOLA) by changing the auth token on rest/product/review endpoint of the juice_shop_demo collection.

3. Verify results

In the above demonstration, we will see both the original authentication token of the API and the modified authentication code. The observation from the test indicates that the authentication system could be easily altered or manipulated. This suggests there might be security issues, such as weak authentication controls, or a risk of unauthorized access, like tampering with or injecting tokens. It's a call for further investigation and fixes to strengthen the system's security.