The OWASP API Security Top 10 leads with Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA), and mass-assignment. All three are dead-simple to verify when you have two access tokens of different privilege levels - and almost impossible to catch with a generic web scanner because they need to compose two authenticated request flows against the same endpoint.
NANOTESTING ships a Go-native API authz scanner that does exactly that, driven entirely by an OpenAPI spec.
What the scanner does
For every operation in your spec:
- BOLA probe: identify path / query / body parameters that look like object IDs ({id}, {userId}, account_id, etc.). Fetch one as the primary token, then attempt the same fetch with an alt-token from a different account. If the alt-token receives a 2xx response, BOLA is confirmed.
- BFLA probe: try every method declared on an admin-ish path (/admin/..., /internal/..., custom routes you flag) with a non-admin token. Any non-401/403 response is a candidate finding.
- Mass-assignment probe (opt-in): on PATCH and PUT endpoints, inject extra fields the schema does not declare (is_admin, role, verified). Any 2xx accepting the unknown field is a confirmed mass-assignment hit.
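As an added illustration of the BOLA probe (example code, not NANOTESTING's own scanner), here is the two-token replay in Go, run against a constructed httptest backend that can be switched between skipping and enforcing the ownership check. It assumes bearer tokens, a GET operation, and a made-up /users/{id} route owned by the token "tok-"+id.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ProbeBOLA fetches url as the primary token (the baseline) and replays the same GET
// with a token from another account. true means the alt token got a 2xx: BOLA confirmed.
func ProbeBOLA(c *http.Client, url, primary, alt string) (bool, error) {
	status := func(tok string) (int, error) {
		req, err := http.NewRequest(http.MethodGet, url, nil)
		if err != nil {
			return 0, err
		}
		req.Header.Set("Authorization", "Bearer "+tok)
		resp, err := c.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		return resp.StatusCode, nil
	}
	if st, err := status(primary); err != nil || st/100 != 2 {
		return false, fmt.Errorf("no 2xx baseline for primary token (status %d, err %v)", st, err)
	}
	st, err := status(alt)
	if err != nil {
		return false, err
	}
	return st/100 == 2, nil // 401/403 here means the object-level check held
}

// demoServer is a constructed backend: /users/{id} belongs to token "tok-"+id. With
// enforce=false it only checks that some token is present, which is the BOLA bug.
func demoServer(enforce bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		id := strings.TrimPrefix(r.URL.Path, "/users/")
		if tok == "" {
			w.WriteHeader(http.StatusUnauthorized)
		} else if enforce && tok != "tok-"+id {
			w.WriteHeader(http.StatusForbidden)
		} else {
			fmt.Fprintf(w, `{"id":%q}`, id)
		}
	}))
}
```

Running ProbeBOLA against demoServer(false) reports a hit, against demoServer(true) it does not, and an unusable primary token yields a baseline error rather than a false negative.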
How to feed it a spec
Two paths:
- Upload your spec on the target detail page: JSON or YAML, up to 4 MiB. We never modify it.
- Fetch from URL: paste a URL like https://api.example.com/openapi.json. The server-side fetch runs an SSRF guard (private + cloud-metadata addresses are refused), pins the connection to the first public IP via undici, caps the response at 4 MiB, and refuses redirects. The spec lands in private Supabase storage and the worker downloads it at scan time.
What ends up in the report
Each authz hit is normalised into a finding (method, path, evidence snippet, remediation), tagged with the OWASP API ID, and rendered in the developer remediation PDF. The report does not contain the actual response bodies that proved exploitation - only the request signature and the status code - so you can share it with auditors without leaking real customer records.
If you have an OpenAPI spec, open a target on the dashboard, drop the URL into the OpenAPI card, and re-run the scan.