Last updated: May 1, 2026
MEDIUM
🔐 PRO
⏱ 90 min
Module 6 of 8
What you’ll learn
- Why authorization is the single highest-yield bug class in modern SaaS
- Horizontal IDOR (accessing peer data) vs vertical IDOR (privilege escalation)
- Mass assignment — updating fields you shouldn’t be able to
- BOLA (Broken Object-Level Auth) vs BFLA (Broken Function-Level Auth)
- Multi-tenant boundary violations — the SaaS-killer bug
- GraphQL authorization — why it’s almost always wrong
Prerequisites: Modules 1–5.
In 2026, authorization is the single most commercially-impactful bug class in SaaS applications. It tops OWASP’s lists. Every pentest we run finds at least one. Authorization bugs produce the cleanest, scariest demos in pentest reports — “Look, this user can read all customers’ data. Yes, all of them. Yes, with a single HTTP request.” Developers can’t argue with the evidence, and regulators take these bugs seriously under DPDP’s “reasonable safeguards” standard.
This module teaches the four authorization bug classes that produce 90% of real-world findings.
The mental model
Authentication: who are you? Authorization: what are you allowed to do? A well-designed application asks both questions on every action. A poorly-designed application checks authentication once (at login) and trusts the client for authorization thereafter.
Authorization decisions live in two dimensions:
- Function-level: is this user allowed to invoke this endpoint at all? (e.g.,
/admin/users) - Object-level: given they can invoke it, are they allowed to access this specific object? (e.g., order ID 42 belongs to a different user)
Both need to be enforced on every request, server-side. When either is missing or bypassed, you get one of the four authorization bugs below.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.