> ## Documentation Index
> Fetch the complete documentation index at: https://qodex.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# What are BOLA, IDOR, and BOPLA, and how does Qodex test for them?

> Understand common authorization bugs and how Qodex checks them with multiple auth profiles.

# What are BOLA, IDOR, and BOPLA, and how does Qodex test for them?

BOLA, IDOR, and BOPLA are authorization bugs.

They happen when an API lets one user access an object, action, or field they should not be allowed to access.

## What the terms mean

| Term  | Meaning                                    | Example                                                              |
| ----- | ------------------------------------------ | -------------------------------------------------------------------- |
| BOLA  | Broken Object Level Authorization          | User B can read User A's order by changing the order id.             |
| IDOR  | Insecure Direct Object Reference           | Older name for object-id access bugs like BOLA.                      |
| BOPLA | Broken Object Property Level Authorization | A user can read hidden fields or write protected fields like `role`. |

BOLA and IDOR are closely related. BOPLA focuses on fields and properties, not just object ids.

## How Qodex tests BOLA and IDOR

Qodex needs at least two auth profiles, such as `userA` and `userB`.

The test shape is:

1. Authenticate as User A.
2. Create or read a resource and capture its id.
3. Switch to User B.
4. Request the same resource id as User B.
5. Expect the app to return `403` or `404`.

If the app returns `200` with User A's data, Qodex can open a security finding.

## How Qodex tests BOPLA

For excessive data exposure, Qodex compares response fields against what the caller should see. Fields like `password_hash`, private user data, internal ids, or admin-only values are suspicious.

For mass assignment, Qodex sends protected fields such as `role: "admin"` or `isAdmin: true`, then follows up to check whether the value persisted.

## Why auth profiles matter

A single shared admin token cannot prove cross-user authorization.

Create separate auth profiles for roles such as admin, user, viewer, and another normal user. Qodex uses those profiles to test whether permissions are enforced across real role boundaries.

## Next steps

<CardGroup cols={2}>
  <Card title="OWASP API Top 10 in Qodex" icon="list-ordered" href="/security-testing-owasp-api-top-10">
    See where these bugs fit.
  </Card>

  <Card title="Auth profiles" icon="key" href="/api-testing-auth-profiles">
    Configure multiple users and roles.
  </Card>

  <Card title="Security scenarios" icon="shield" href="/security-testing-scenarios">
    Save repeatable authorization checks.
  </Card>

  <Card title="Inverted semantics" icon="arrows-up-down" href="/security-testing-inverted-semantics">
    Understand why blocked attacks pass.
  </Card>
</CardGroup>
