Objective. Insecure Direct Object Reference (IDOR) or Broken Object Level Authorization (BOLA) are one of the critical type of access control vulnerabilities for modern applications. As a result, an attacker can bypass authorization checks leading to information leakage, account takeover. Our main research goal was to help an application security architect to optimize security design and testing process by giving an algorithm and tool that allows to automatically analyze system API specifications and generate list of possible vulnerabilities and attack vector ready to be used as security non-functional requirements. Method. We conducted a multivocal review of research and conference papers, bug bounty program reports and other grey sources of literature to outline patterns of attacks against IDOR vulnerability. These attacks are collected in groups proceeding with further analysis common attributes between these groups and what features compose the group. Endpoint properties and attack techniques comprise a group of attacks. Mapping between group features and existing OpenAPI specifications is performed to implement a tool for automatic discovery of potentially vulnerable endpoints. Results and practical relevance. In this work, we provide systematization of IDOR/BOLA attack techniques based on literature review, real cases analysis and derive IDOR/BOLA attack groups. We proposed an approach to describe IDOR/BOLA attacks based on OpenAPI specifications properties. We develop an algorithm of potential IDOR/BOLA vulnerabilities detection based on OpenAPI specification processing. We implemented our novel algorithm using Python and evaluated it. The results show that algorithm is resilient and can be used in practice to detect potential IDOR/BOLA vulnerabilities.

翻译：目标:无保障的直接物体参考(IDOR)或断层物体级别授权(BOLA)是现代应用中关键的准入控制脆弱性类型之一。因此,攻击者可以绕过授权检查,导致信息泄漏和账户接管。我们的主要研究目标是帮助应用安全设计师优化安全设计和测试过程,提供一种算法和工具,以便自动分析系统API规格,并生成可能的脆弱性和攻击矢量清单,作为安全性非功能性要求。方法。我们对研究和会议文件、错误赏金程序报告和其他灰色文献来源进行了多级审查,以概述攻击IDOR脆弱性的模式。这些攻击是在进一步分析这些群体之间共同属性和构成该群体特征的团体中收集的。终点特性和攻击技术包括一组攻击。对集团特征和现有的OpenAPI规格进行了测绘,以采用自动发现潜在脆弱端点的工具。结果和实用相关性。我们根据文献审查、真实案例分析以及从DOR/BOA对ORA 的测试方法,我们用ODOR/BAL 测试了一种基于OIA攻击规格的方法。