# bola

bola is a standalone CLI tool that automatically discovers Broken Object Level Authorization (BOLA/IDOR) vulnerabilities in modern web applications by orchestrating multiple real identities against a dynamically built resource graph, with zero manual token management.

Unlike replay-only tools (Autorize, AuthMatrix) that blindly swap cookies, bola understands data structures, extracts object IDs from responses, maps resource ownership, detects false-positive "200 with error body" responses, and produces HackerOne-ready reports with reproduction curl commands.
## ⚡ Why Bola?

| Feature | Autorize | AuthMatrix | bola |
|---|---|---|---|
| Standalone CLI (no Burp) | ❌ | ❌ | ✅ |
| Auto-detect token type (JWT/Cookie/Bearer) | ❌ | ❌ | ✅ |
| Auto-refresh expired tokens | ❌ | ❌ | ✅ |
| Extract object IDs from responses | ❌ | ❌ | ✅ |
| Build resource ownership graph | ❌ | ❌ | ✅ |
| Detect 200-with-error false positives | ❌ | ❌ | ✅ |
| Multi-step workflow support | ❌ | ❌ | ✅ |
| Confidence scoring (High/Medium/Low) | ❌ | ❌ | ✅ |
| Smart path-based deduplication | ❌ | ❌ | ✅ |
| HackerOne-ready Markdown reports | ❌ | ❌ | ✅ |
| HAR import (Burp/ZAP) | N/A | N/A | ✅ |
| N identities simultaneously | 2 | N | ✅ N |
| Single static binary | N/A | N/A | ✅ |
## 🧠 How It Works

```mermaid
graph LR
    classDef proxy fill:#ff6b6b,stroke:#333,color:#fff;
    classDef graph fill:#4ecdc4,stroke:#333,color:#fff;
    classDef test fill:#f9ca24,stroke:#333;
    classDef report fill:#6c5ce7,stroke:#333,color:#fff;
    A[Browser] -->|1. Browse normally| P[MITM Proxy]:::proxy
    P -->|2. Extract IDs| G[Resource Graph]:::graph
    G -->|3. Cross-identity replay| T[Test Engine]:::test
    T -->|4. Compare responses| R[Reports]:::report
```
1. **Capture** – Browse your target through bola's proxy (or import a Burp/ZAP HAR file). bola silently extracts every object ID (UUID, integer, MongoDB ObjectID) from URLs, JSON bodies, and headers.
2. **Map** – Build an ownership graph: which identity accessed which resource, through which endpoint, with what parent-child relationships.
3. **Test** – For every resource owned by Identity A, replay the exact request using Identity B, C, D... with intelligent rate limiting and retry logic.
4. **Analyze** – Compare responses using multi-factor scoring: status code match, body size delta, JSON structure similarity (Jaccard coefficient), and error pattern detection. Score each finding as HIGH, MEDIUM, or LOW confidence.
5. **Report** – Deduplicate findings by normalized path pattern, then output to terminal (colored), JSON (pipeline-ready), and Markdown (HackerOne/Bugcrowd submission-ready).
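The Capture and Report steps both hinge on recognising object IDs: capture pulls them out of URLs and response bodies, and report deduplicates findings by the normalised path pattern (`/api/v1/users/{id}`, as seen in the JSON output's `path` field). The Go program below is an added example written for this page, not code from the bola repository; the function names `NormalizePath` and `ExtractJSONIDs`, the `IDKind` type, and the sample request path and JSON body are assumptions constructed for illustration. It classifies UUIDs, integers and MongoDB ObjectIDs, rewrites id segments to `{id}`, records which resource each id belongs to, and walks a JSON body for id-shaped values stored under id-like keys.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// IDKind names the id shapes the capture step recognises (assumed type name).
type IDKind string
const (
	KindUUID     IDKind = "uuid"
	KindObjectID IDKind = "objectid"
	KindInt      IDKind = "int"
	KindNone     IDKind = ""
)

// Patterns are tried in order: ObjectID before int, so 24 hex digits are not misread as a huge integer.
var idPatterns = []struct {
	kind IDKind
	re   *regexp.Regexp
}{
	{KindUUID, regexp.MustCompile(`(?i)^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)},
	{KindObjectID, regexp.MustCompile(`^[0-9a-f]{24}$`)},
	{KindInt, regexp.MustCompile(`^[0-9]+$`)},
}

func classify(s string) IDKind {
	for _, p := range idPatterns {
		if p.re.MatchString(s) {
			return p.kind
		}
	}
	return KindNone
}

// ExtractedID is one object id plus the resource it belongs to: the preceding path segment for URLs, the JSON key for bodies.
type ExtractedID struct {
	Resource, Value string
	Kind            IDKind
}

// NormalizePath rewrites id segments to "{id}" (the dedup key that appears in the report's "path"
// field) and returns the ids it replaced. The query string is dropped; ids inside it are not handled here.
func NormalizePath(rawPath string) (string, []ExtractedID) {
	path := "/" + strings.TrimPrefix(rawPath, "/")
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	segs := strings.Split(path, "/") // segs[0] is "" and is never an id, so segs[i-1] is safe
	var ids []ExtractedID
	for i, seg := range segs {
		if kind := classify(seg); kind != KindNone {
			ids = append(ids, ExtractedID{Resource: segs[i-1], Value: seg, Kind: kind})
			segs[i] = "{id}"
		}
	}
	return strings.Join(segs, "/"), ids
}

// looksLikeIDKey accepts "id", snake_case "*_id" and camelCase "*Id"/"*ID".
func looksLikeIDKey(k string) bool {
	return k == "id" || strings.HasSuffix(strings.ToLower(k), "_id") || strings.HasSuffix(k, "Id") || strings.HasSuffix(k, "ID")
}

func walkJSON(key string, v any, out *[]ExtractedID) {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			walkJSON(k, child, out)
		}
	case []any:
		for _, child := range t { // array elements inherit the parent key
			walkJSON(key, child, out)
		}
	case string, json.Number: // numbers are decoded as json.Number, so "42" stays exact
		val := fmt.Sprint(t)
		if kind := classify(val); looksLikeIDKey(key) && kind != KindNone {
			*out = append(*out, ExtractedID{Resource: key, Value: val, Kind: kind})
		}
	}
}

// ExtractJSONIDs walks a response body and collects id-shaped values under id-like keys, sorted by key.
func ExtractJSONIDs(body []byte) ([]ExtractedID, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.UseNumber()
	var doc any
	if err := dec.Decode(&doc); err != nil {
		return nil, err
	}
	var out []ExtractedID
	walkJSON("", doc, &out)
	sort.Slice(out, func(i, j int) bool { return out[i].Resource < out[j].Resource }) // map order is random
	return out, nil
}
```

Feeding `NormalizePath("/api/v1/users/123/orders/507f1f77bcf86cd799439011?page=2")` yields the pattern `/api/v1/users/{id}/orders/{id}` plus two ids owned by `users` and `orders`, which is exactly the parent-child relationship the Map step needs; the version segment `v1` is not id-shaped and survives untouched.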
## 🚀 Quick Start

```bash
# 1. Install
go install github.com/Mutasem-mk4/bola/cmd/bola@latest

# 2. Generate config
bola config init

# 3. Edit bola.yaml with your target and identities

# 4. Option A: Live proxy capture
bola proxy --config bola.yaml
# (browse your target application through localhost:8080)
# Ctrl+C when done

# 5. Option B: Import from Burp/ZAP
bola import traffic.har --config bola.yaml

# 6. Run the scan
bola scan --config bola.yaml

# 7. Check reports
cat bola-report.md    # HackerOne-ready
cat bola-report.json  # For pipelines
```
## 📦 Installation

### Pre-built Binaries

Download from GitHub Releases:

```bash
# Linux AMD64
curl -Lo bola.tar.gz https://github.com/Mutasem-mk4/bola/releases/latest/download/bola-linux-amd64.tar.gz
tar xzf bola.tar.gz
sudo mv bin/bola /usr/local/bin/

# Linux ARM64
curl -Lo bola.tar.gz https://github.com/Mutasem-mk4/bola/releases/latest/download/bola-linux-arm64.tar.gz
tar xzf bola.tar.gz
sudo mv bin/bola /usr/local/bin/
```

### Debian/Ubuntu (.deb)

```bash
curl -Lo bola.deb https://github.com/Mutasem-mk4/bola/releases/latest/download/bola_0.1.0_amd64.deb
sudo dpkg -i bola.deb
```

### Build from Source

```bash
git clone https://github.com/Mutasem-mk4/bola
cd bola
make build         # → bin/bola
sudo make install  # → /usr/bin/bola + man page
```

### Official Distros (Pending Review)

bola is being packaged for:

- Kali Linux (Pending)
- Parrot OS (Pending)
- BlackArch (Pending)
## 💻 Usage

```bash
# Subcommands
bola proxy          # Start MITM proxy, build resource graph
bola import <har>   # Import HAR file instead of live proxy
bola scan           # Run cross-identity authorization tests
bola report         # Regenerate reports from database
bola config init    # Generate example bola.yaml
bola version        # Print version info

# Flags
-c, --config   Config file path (default: bola.yaml)
-v, --verbose  Verbose output
-q, --quiet    Suppress non-essential output
-h, --help     Help
```
## ⚙️ Configuration

Run `bola config init` to generate a fully-commented `bola.yaml`:

```yaml
target:
  base_url: "https://api.target.com"
  scope:
    include: ["/api/v1/*", "/api/v2/*"]
    exclude: ["/api/v1/health"]

identities:
  - name: "admin"
    role: "admin"
    headers:
      Authorization: "Bearer eyJ..."
  - name: "user1"
    role: "user"
    headers:
      Authorization: "Bearer eyJ..."
  - name: "guest"
    role: "guest"

testing:
  workers: 5
  rate_limit: 10
  timeout: 30s

analysis:
  similarity_threshold: 0.85
  min_confidence: "LOW"

output:
  terminal: true
  json: "bola-report.json"
  markdown: "bola-report.md"
```
## 🏗️ Architecture

```
bola/
├── cmd/bola/            # CLI entrypoint (cobra)
├── internal/
│   ├── proxy/           # MITM HTTP/HTTPS proxy + ID extraction + HAR import
│   ├── graph/           # SQLite resource graph (endpoints, resources, relationships)
│   ├── vault/           # Multi-identity token management + auto-refresh
│   ├── tester/          # Cross-identity replay engine
│   ├── analyzer/        # Response comparison + Jaccard similarity + confidence scoring
│   ├── dedup/           # Path normalization + finding deduplication
│   ├── reporter/        # Terminal (lipgloss) + JSON + Markdown output
│   └── config/          # YAML config loader + validation
├── debian/              # Debian packaging (dpkg-buildpackage ready)
├── man/                 # Man page (troff)
└── .github/workflows/   # CI/CD (lint, test, build, release, crAPI integration)
```
### Key Design Decisions

- **Pure Go SQLite** (`modernc.org/sqlite`) – zero CGO, single static binary
- **goproxy** – battle-tested MITM proxy with native HTTPS interception
- **Jaccard similarity** – structural JSON comparison that catches "same structure, different data" patterns (real BOLA) vs "completely different structure" (false positive)
- **Multi-factor confidence scoring** – status code, body size, structure similarity, error pattern detection. No single-signal false positives.
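The Analyze step in "How It Works" and the last two design decisions above describe the same mechanism: flatten each JSON response to its key structure, compare the owner's and tester's structures with a Jaccard coefficient, combine that with status and body-size signals, and throw out 2xx replies whose body is really an error envelope. The Go program below is an added example written for this page, not the `internal/analyzer` package from the bola repository; the `Response`, `Finding` and `Compare` names, the 20% size-delta tolerance, the error-message regex and the sample bodies are assumptions constructed for illustration, and the 0.85 threshold mirrors `analysis.similarity_threshold` from the example config.

```go
package main

import (
	"encoding/json"
	"math"
	"regexp"
)

// Response is the minimal view of an HTTP reply the comparison needs (assumed type).
type Response struct {
	Status int
	Body   []byte
}

// errorBody flags 2xx replies whose JSON carries a denial message: the "200 with error body"
// case that a status-only check would report as a finding. Keyword list is an assumption.
var errorBody = regexp.MustCompile(`(?i)"(error|errors|message|detail)"\s*:\s*"[^"]*(unauthori[sz]ed|forbidden|not allowed|permission denied|access denied|not found)`)

// structureKeys flattens a JSON document to the set of its key paths ("address.city", "items[].id"),
// ignoring values, so two responses about different objects of the same type yield near-identical sets.
func structureKeys(body []byte) map[string]bool {
	keys := map[string]bool{}
	var doc any
	if err := json.Unmarshal(body, &doc); err == nil {
		walk("", doc, keys)
	}
	return keys
}

func walk(prefix string, v any, keys map[string]bool) {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			p := k
			if prefix != "" {
				p = prefix + "." + k
			}
			keys[p] = true
			walk(p, child, keys)
		}
	case []any:
		for _, child := range t {
			walk(prefix+"[]", child, keys)
		}
	}
}

// Jaccard is |A∩B| / |A∪B| over two key sets; 1.0 means identical structure.
// Two bodies that are both non-JSON (empty sets) are treated as identical.
func Jaccard(a, b map[string]bool) float64 {
	if len(a) == 0 && len(b) == 0 {
		return 1
	}
	inter := 0
	for k := range a {
		if b[k] {
			inter++
		}
	}
	return float64(inter) / float64(len(a)+len(b)-inter)
}

type Finding struct {
	Confidence string // HIGH, MEDIUM, LOW, or NONE when the replay was denied
	Similarity float64
	SizeDelta  float64
	Notes      []string
}

// Compare scores one cross-identity replay. owner is the resource owner's original response;
// tester is the same request replayed under another identity; threshold is the similarity cut-off.
func Compare(owner, tester Response, threshold float64) Finding {
	f := Finding{Confidence: "NONE"}
	if tester.Status < 200 || tester.Status >= 300 {
		f.Notes = append(f.Notes, "Replay rejected by status")
		return f
	}
	if errorBody.Match(tester.Body) {
		f.Notes = append(f.Notes, "200 with error body; treated as denied")
		return f
	}
	score := 0 // one point per independent signal; no single signal can reach HIGH
	if owner.Status == tester.Status {
		score++
		f.Notes = append(f.Notes, "Same status code")
	}
	f.SizeDelta = math.Abs(float64(len(tester.Body)-len(owner.Body))) / math.Max(1, float64(len(owner.Body)))
	if f.SizeDelta <= 0.2 {
		score++
		f.Notes = append(f.Notes, "Similar response size")
	}
	f.Similarity = Jaccard(structureKeys(owner.Body), structureKeys(tester.Body))
	if f.Similarity >= threshold {
		score++
		f.Notes = append(f.Notes, "High structural similarity")
	}
	f.Confidence = [...]string{"LOW", "LOW", "MEDIUM", "HIGH"}[score]
	return f
}
```

With the owner's `{"id":123,"email":"a@x","address":{"city":"A"}}` replayed by a second identity and returned unchanged, all three signals fire and the finding is HIGH, matching the "Same status code; Similar response size; High structural similarity" notes in the terminal output below. A 200 carrying `{"error":"Unauthorized ..."}` is scored NONE rather than LOW, which is the false positive the design decisions call out; a 200 with a completely different structure stays LOW because only the status matched.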
## 📊 Output Example

### Terminal

```
🔴 [HIGH] #1
  Endpoint:   GET /api/v1/users/{id}
  Identity:   user1 → user2
  Status:     200 → 200
  Similarity: 95.0%   Size Δ: 2.0%
  Notes:      Same status code; Similar response size; High structural similarity
  Reproduce:
    curl -X GET 'https://api.target.com/api/v1/users/123' \
      -H 'Authorization: Bearer eyJ...'
```

### JSON

```json
{
  "tool": "bola",
  "summary": {"total": 3, "high": 1, "medium": 1, "low": 1},
  "findings": [
    {
      "confidence": "HIGH",
      "method": "GET",
      "path": "/api/v1/users/{id}",
      "owner_identity": "user1",
      "tester_identity": "user2",
      "similarity": 0.95,
      "curl_command": "curl -X GET ..."
    }
  ]
}
```
## 🧪 Testing

```bash
# Unit tests
make test

# Lint
make lint

# Build verification (cross-compile)
make check-build
```

Integration tests automatically run against OWASP crAPI in CI.
## 🤝 Contributing

Contributions welcome! See CONTRIBUTING.md and CODE_OF_CONDUCT.md.

Priority areas:

- Additional token format support (API keys, HMAC signatures)
- GraphQL endpoint support
- OpenAPI/Swagger spec import
- Rate limit detection and backoff
- WebSocket support

## 📄 License

MIT License. See LICENSE.

## 🔗 Links