Skip to main content
Metlo can automatically identify most BOLA, BFLA, IDOR and Broken Authentication vulnerabilities. To do this we require a little bit of configuration on the different resources and actors in your api as well as the permission relationships between them. This configuration is written in the settings page on the Testing Config tab.

Hosts

The first step is to add some authentication configuration for each host that you want to make tests for. Each host should has the following fields:
  • authType - One of basic, header, jwt, session_cookie
  • headerKey [optional] - The header your auth info is stored in
  • cookieName [optional] - The name of the cookie your auth info is stored in
  • jwtUserPath [optional] - The path of the user in your JWT token

Actors

After you define your hosts you can specify the different Actors in your API. An Actor is any agent that performs an action in your API. Most commonly you can either have User actors or APIKey actors. Each actor should have a JSON list of items in it. Each item should be a dictionary with all the fields relevant to your Actor. Be sure to add an auth key in each item so we can authenticate your actor when making requests.

Resources

Resources are the items that actors perform actions on. A resource has the following fields:
  • permissions - A list of strings that contains each permission for this resource, most commonly read or write
  • items - A list of different example resources
In addition to identifying the permissions and items for a resource you can also define the endpoints that use this resource. Here are a few examples:

Permissions

Finally, you can define the relations between your Actors and Resources using permissions.
Metlo automatically generates auth test cases using these permissions!