Your API Has Authorization Bugs. Hadrian Finds Them.
<div data-elementor-type="wp-post" data-elementor-id="11111" class="elementor elementor-11111" data-elementor-post-type="post"> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f4bfdb6 e-con-full e-flex e-con e-parent" data-id="f4bfdb6" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-0b5a85e elementor-widget elementor-widget-text-editor" data-id="0b5a85e" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Authorization vulnerabilities are the most common critical finding in our API penetration tests. We find them on nearly every engagement: a user changes an ID in the URL and gets back another user’s data. Broken Object Level Authorization (BOLA) has been the #1 risk on the <a href="https://owasp.org/API-Security/">OWASP API Security Top 10</a> since the list was created. It’s simple to understand, simple to exploit, and tedious to test comprehensively.</p> <p>The problem isn’t knowing what to look for. It’s doing it at scale. An API with 50 authenticated endpoints and four user roles produces hundreds of attacker-victim permutations, each requiring the right auth token, the right resource ID, and careful evaluation of the response. We kept doing this manually, and it didn’t scale. So we built Hadrian.</p> <p>Hadrian is an open-source API authorization testing framework for REST, GraphQL, and gRPC APIs. Give it an API spec, define your roles and auth tokens, and it systematically tests every endpoint for authorization bypass, broken authentication, excessive data exposure, and more. It ships with 30 built-in security templates, supports three-phase mutation testing to prove write/delete vulnerabilities, and includes optional LLM-powered triage. 
Get it at <a href="https://github.com/praetorian-inc/hadrian">github.com/praetorian-inc/hadrian</a>.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-c6efd01 e-con-full e-flex e-con e-parent" data-id="c6efd01" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-edb0bfd elementor-widget elementor-widget-heading" data-id="edb0bfd" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Why Existing Tools Don’t Solve This</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-84dba68 e-con-full e-flex e-con e-parent" data-id="84dba68" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-8f74bc5 elementor-widget elementor-widget-text-editor" data-id="8f74bc5" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The tools security engineers currently rely on for API authorization testing work at the wrong level of abstraction.</p> <p>Autorize, the most popular Burp Suite extension for this problem, passively monitors your traffic and replays each request with a lower-privileged token. It’s useful, but it only tests what you click on. If you browse 30 of those 50 endpoints during your session, Autorize tests 30. The other 20 are untested. It also has no concept of role hierarchy. It swaps one session token for another and compares response lengths, which gives unreliable results (false positives and false negatives alike) on any API whose payload size varies per user.</p> <p>AuthMatrix improves on this by letting you define roles and mark which endpoints each role should access. But you still manually add every request, configure regex-based detection rules, and maintain the matrix as the API evolves. 
For a 50-endpoint API with four roles, that’s 200 cells to configure by hand.</p> <p>Neither tool reads an API specification. They don’t generate role-pair permutations automatically. GraphQL and gRPC support is also missing. And critically, neither can prove that a write or delete operation actually succeeded. They only compare responses.</p> <p>Hadrian approaches the problem differently. It reads the API spec, loads role definitions with explicit privilege levels, and generates every attacker-victim permutation automatically. The permutation engine is the core of the tool: given an OpenAPI file with 50 endpoints and a roles file with four privilege levels, Hadrian generates and executes every relevant API authorization test without manual configuration.</p> <p> </p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-13aed57 e-con-full e-flex e-con e-parent" data-id="13aed57" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-2709c9e elementor-widget elementor-widget-heading" data-id="2709c9e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">How It Works</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-6432917 e-con-full e-flex e-con e-parent" data-id="6432917" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-29d7181 elementor-widget elementor-widget-text-editor" data-id="29d7181" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Hadrian takes three inputs: an API specification, a roles definition, and authentication credentials. 
You can also provide custom test templates for application-specific logic beyond the 30 built-in checks.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-15450da e-con-full e-flex e-con e-parent" data-id="15450da" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-d2376cc elementor-widget elementor-widget-code-highlight" data-id="d2376cc" data-element_type="widget" data-e-type="widget" data-widget_type="code-highlight.default"> <div class="prismjs-okaidia copy "> <pre data-line="" class="highlight-height language-markup yes"> <code readonly class="language-markup"> <xmp>hadrian test rest \
  --api api.yaml \
  --roles roles.yaml \
  --auth auth.yaml \
  --category all

[INFO] Loaded 8 templates
[INFO] Testing 44 operations against 4 roles

[HIGH] BOLA - Cross-User Resource Access (API1:2023)
  Endpoint: GET /api/users/{id}

[CRITICAL] BFLA - Unauthorized Admin Function Access (API5:2023)
  Endpoint: DELETE /api/users/{id}

============================================================
HADRIAN SCAN SUMMARY
============================================================
Operations:      44
Templates:       8
Total Findings:  2

Findings by Severity:
  CRITICAL  1
  HIGH      1</xmp> </code> </pre> </div> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-97c8bc2 e-con-full e-flex e-con e-parent" data-id="97c8bc2" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-120c1e3 elementor-widget elementor-widget-text-editor" data-id="120c1e3" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The roles file defines privilege levels and permissions using an action:object:scope format. 
The level field establishes explicit ordering: Hadrian uses it to automatically generate attacker/victim pairs where lower-privileged roles test access to higher-privileged roles’ resources:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-13d6569 e-con-full e-flex e-con e-parent" data-id="13d6569" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-9329d75 elementor-widget elementor-widget-code-highlight" data-id="9329d75" data-element_type="widget" data-e-type="widget" data-widget_type="code-highlight.default"> <div class="prismjs-okaidia copy "> <pre data-line="" class="highlight-height language-markup yes"> <code readonly class="language-markup"> <xmp>roles:
  - name: admin
    level: 100
    permissions:
      - "read:users:all"
      - "write:users:all"
      - "delete:users:all"
  - name: user
    level: 10
    permissions:
      - "read:users:own"
      - "write:posts:own"
  - name: guest
    level: 0
    permissions: []</xmp> </code> </pre> </div> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-bcebd2d e-con-full e-flex e-con e-parent" data-id="bcebd2d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-275435c elementor-widget elementor-widget-text-editor" data-id="275435c" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Security tests are defined as YAML templates. Each template specifies which endpoints to target (based on HTTP method, path parameters, auth requirements), which role pairs to test, and what response patterns indicate a vulnerability. 
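</p> <p>To make the permutation step concrete, here is an added Go example (Hadrian is written in Go, but this is illustrative code written for this article, not Hadrian’s own implementation). It transcribes the three roles above, pairs them with a small constructed operation list, and expands them into attacker/victim probes, separating BOLA probes (the attacker holds the permission for its own objects but targets the victim’s) from BFLA probes (the attacker holds no matching permission at all). The operation-to-permission mapping in <code>Requires</code> and the rule that an <code>all</code> scope also covers <code>own</code> are assumptions for the example.</p>

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Role mirrors one entry of roles.yaml.
type Role struct {
	Name        string
	Level       int
	Permissions []string // action:object:scope
}

// Operation pairs an API operation with the permission it is assumed to need;
// the page does not describe how Hadrian maps operations to permissions.
type Operation struct{ Method, Path, Requires string }

// TestCase is one probe: Attacker calls Method Path on a resource owned by Victim.
type TestCase struct{ Attacker, Victim, Method, Path, Class string } // Class: BOLA or BFLA

// scopeOf returns the widest scope the role holds for action:object: "all",
// "own" or "". Assumed semantics: "all" also covers "own".
func scopeOf(r Role, action, object string) string {
	scope := ""
	for _, p := range r.Permissions {
		parts := strings.Split(p, ":")
		if len(parts) == 3 && parts[0] == action && parts[1] == object {
			if parts[2] == "all" {
				return "all"
			}
			scope = parts[2]
		}
	}
	return scope
}

// AttackerVictimPairs returns every ordered pair whose attacker has a strictly
// lower level than its victim, lowest attacker first.
func AttackerVictimPairs(roles []Role) [][2]Role {
	sorted := append([]Role(nil), roles...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Level < sorted[j].Level })
	var pairs [][2]Role
	for _, a := range sorted {
		for _, v := range sorted {
			if a.Level < v.Level {
				pairs = append(pairs, [2]Role{a, v})
			}
		}
	}
	return pairs
}

// GenerateTests expands pairs x operations. An operation is probed only when the
// victim can perform it (otherwise there is no victim-owned target); an attacker
// with "all" scope is expected to succeed and is skipped; "own" -> BOLA; none -> BFLA.
func GenerateTests(roles []Role, ops []Operation) []TestCase {
	var tests []TestCase
	for _, pair := range AttackerVictimPairs(roles) {
		attacker, victim := pair[0], pair[1]
		for _, op := range ops {
			parts := strings.Split(op.Requires, ":")
			vs := scopeOf(victim, parts[0], parts[1])
			if vs == "" || (vs == "own" && parts[2] == "all") {
				continue
			}
			class := "BFLA"
			switch scopeOf(attacker, parts[0], parts[1]) {
			case "all":
				continue
			case "own":
				class = "BOLA"
			}
			tests = append(tests, TestCase{attacker.Name, victim.Name, op.Method, op.Path, class})
		}
	}
	return tests
}

// sampleRoles transcribes the roles file shown in this post; sampleOps is a
// constructed three-operation slice of an OpenAPI spec.
var sampleRoles = []Role{
	{"admin", 100, []string{"read:users:all", "write:users:all", "delete:users:all"}},
	{"user", 10, []string{"read:users:own", "write:posts:own"}},
	{"guest", 0, nil},
}
var sampleOps = []Operation{
	{"GET", "/api/users/{id}", "read:users:own"},
	{"DELETE", "/api/users/{id}", "delete:users:all"},
	{"PUT", "/api/posts/{id}", "write:posts:own"},
}

func main() {
	for _, tc := range GenerateTests(sampleRoles, sampleOps) {
		fmt.Printf("%-6s %-17s %s -> %s  [%s]\n", tc.Method, tc.Path, tc.Attacker, tc.Victim, tc.Class)
	}
}
```

<p>Three roles give three ordered pairs and, with these three operations, six probes. Only one of them is a BOLA probe: the user role reading an admin-owned user record, because user holds <code>read:users:own</code>. Pairs here come only from level ordering, as described above; testing horizontal BOLA between two accounts in the same role would need a second token for that role.</p> <p>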
Hadrian ships with 30 templates covering all the authorization vulnerabilities in OWASP Top 10 for APIs and more.</p> <p><a id="X3dd628ceac2ea97c28ce3897790f4ca6674413b"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f0167c8 e-con-full e-flex e-con e-parent" data-id="f0167c8" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-46448dc elementor-widget elementor-widget-heading" data-id="46448dc" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Proving Write Vulnerabilities with Mutation Testing</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-5ad2713 e-con-full e-flex e-con e-parent" data-id="5ad2713" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-7196915 elementor-widget elementor-widget-text-editor" data-id="7196915" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Reading another user’s data is one thing. Deleting their resources is another. The problem with testing write and delete operations is that a 200 OK response doesn’t prove the action was actually performed. 
We’ve encountered APIs that return success codes regardless of whether the authorization check passed, APIs that queue operations asynchronously, and APIs that silently swallow unauthorized requests.</p> <p>Hadrian addresses this with three-phase mutation testing:</p> <ol> <li><strong>Setup</strong> (as victim): Create a resource, store its ID</li> <li><strong>Attack</strong> (as attacker): Attempt to modify or delete the victim’s resource</li> <li><strong>Verify</strong> (as victim): Confirm whether the resource was actually changed</li> </ol></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-f29b975 e-con-full e-flex e-con e-parent" data-id="f29b975" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1d58833 elementor-widget elementor-widget-code-highlight" data-id="1d58833" data-element_type="widget" data-e-type="widget" data-widget_type="code-highlight.default"> <div class="prismjs-okaidia copy "> <pre data-line="" class="highlight-height language-markup yes"> <code readonly class="language-markup"> <xmp>Phase 1: SETUP  → Victim creates resource → {"user_id": "abc-456"}
Phase 2: ATTACK → Attacker deletes /users/abc-456 → Status 200
Phase 3: VERIFY → Victim reads /users/abc-456 → Status 404

✓ VULNERABILITY: Attacker deleted victim's resource</xmp> </code> </pre> </div> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-748e527 e-con-full e-flex e-con e-parent" data-id="748e527" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-bd6a83e elementor-widget elementor-widget-text-editor" data-id="bd6a83e" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>If the verify phase shows the resource still exists, there’s no finding. 
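</p> <p>As an added illustration of why only the verify phase decides the outcome (example code written for this article, not Hadrian’s implementation), the Go program below runs the three phases against a constructed in-process <code>/users</code> API that can be switched between enforcing ownership, answering 200 without deleting, and deleting anything. The endpoint shapes, the opaque tokens in the <code>Authorization</code> header and the three server modes are assumptions for the example.</p>

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Mode selects how the constructed server treats a DELETE from a non-owner.
type Mode int

const (
	Enforced   Mode = iota // ownership checked, 403 returned
	Silent                 // 200 returned but nothing deleted
	Vulnerable             // deleted regardless of owner
)

// newFakeAPI is a constructed in-process /users API for this example, not
// Hadrian's fixture: Authorization carries an opaque token, a resource belongs
// to the token that created it, and requests arrive sequentially (no locking).
func newFakeAPI(mode Mode) *httptest.Server {
	owners := map[string]string{} // id -> owning token
	mux := http.NewServeMux()
	mux.HandleFunc("/users", func(w http.ResponseWriter, r *http.Request) {
		id := fmt.Sprintf("u-%d", len(owners)+1) // one resource per run is enough here
		owners[id] = r.Header.Get("Authorization")
		fmt.Fprintf(w, `{"user_id":%q}`, id)
	})
	mux.HandleFunc("/users/", func(w http.ResponseWriter, r *http.Request) {
		id := strings.TrimPrefix(r.URL.Path, "/users/")
		owner, exists := owners[id]
		foreign := owner != r.Header.Get("Authorization")
		switch {
		case !exists:
			w.WriteHeader(http.StatusNotFound)
		case r.Method == http.MethodGet:
			fmt.Fprintf(w, `{"user_id":%q}`, id)
		case foreign && mode == Enforced:
			w.WriteHeader(http.StatusForbidden)
		case foreign && mode == Silent:
			w.WriteHeader(http.StatusOK) // claims success, state untouched
		default:
			delete(owners, id)
			w.WriteHeader(http.StatusOK)
		}
	})
	return httptest.NewServer(mux)
}

// MutationResult keeps what the attacker was told apart from what the victim
// can still see afterwards; only the latter decides whether there is a finding.
type MutationResult struct {
	AttackStatus int
	StillExists  bool
}

func (m MutationResult) Finding() bool { return !m.StillExists }

func send(method, url, token string) (int, []byte, error) {
	req, _ := http.NewRequest(method, url, nil) // method and URL are well-formed here
	req.Header.Set("Authorization", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, body, err
}

// RunMutationTest: setup as victim, attack as attacker, verify as victim again.
func RunMutationTest(base, victimToken, attackerToken string) (MutationResult, error) {
	var res MutationResult
	_, body, err := send(http.MethodPost, base+"/users", victimToken) // phase 1
	if err != nil {
		return res, err
	}
	var created struct{ ID string `json:"user_id"` }
	if err := json.Unmarshal(body, &created); err != nil {
		return res, err
	}
	target := base + "/users/" + created.ID
	if res.AttackStatus, _, err = send(http.MethodDelete, target, attackerToken); err != nil { // phase 2
		return res, err
	}
	status, _, err := send(http.MethodGet, target, victimToken) // phase 3
	res.StillExists = status == http.StatusOK
	return res, err
}

func main() {
	for _, mode := range []Mode{Enforced, Silent, Vulnerable} {
		srv := newFakeAPI(mode)
		res, err := RunMutationTest(srv.URL, "victim-token", "attacker-token")
		srv.Close()
		fmt.Printf("mode=%d attack_status=%d finding=%v err=%v\n", mode, res.AttackStatus, res.Finding(), err)
	}
}
```

<p>In the silent mode the attacker receives a 200 exactly as in the vulnerable mode; a checker that trusted the status code would report both as findings, while the verify read by the victim separates them.</p> <p>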
A resource that survives the attack means the server accepted the request but didn’t act on it. Every write or delete finding in Hadrian is backed by proof that the state actually changed. Two practical consequences follow: mutation testing is destructive by design, so run it against accounts and data you are permitted to create and delete, and for APIs that apply writes asynchronously the verify read has to happen after the queued operation would have completed, or a real deletion can be missed.</p> <p><a id="three-api-protocols-one-tool"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-2c4fe18 e-con-full e-flex e-con e-parent" data-id="2c4fe18" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-1a8c818 elementor-widget elementor-widget-heading" data-id="1a8c818" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Three API Protocols, One Tool</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-cf6b03a e-con-full e-flex e-con e-parent" data-id="cf6b03a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-d237a8a elementor-widget elementor-widget-text-editor" data-id="d237a8a" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Most API security testing tools focus exclusively on REST. But we regularly encounter applications running REST for their public API, GraphQL for their frontend, and gRPC for internal service-to-service communication. 
Testing each protocol currently means different tools, different expertise, and for gRPC, usually no automated tooling at all.</p> <p>Hadrian supports all three under a unified framework:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-7465f10 e-con-full e-flex e-con e-parent" data-id="7465f10" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-6da4a00 elementor-widget elementor-widget-code-highlight" data-id="6da4a00" data-element_type="widget" data-e-type="widget" data-widget_type="code-highlight.default"> <div class="prismjs-okaidia copy "> <pre data-line="" class="highlight-height language-markup yes"> <code readonly class="language-markup"> <xmp># REST (via OpenAPI spec)
hadrian test rest --api api.yaml --roles roles.yaml --auth auth.yaml --category all

# GraphQL (via introspection or SDL schema)
hadrian test graphql --target https://api.example.com --auth auth.yaml --roles roles.yaml --template-dir templates/graphql

# gRPC (via proto file)
hadrian test grpc --target localhost:50051 --proto service.proto --auth auth.yaml --roles roles.yaml</xmp> </code> </pre> </div> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a41721a e-con-full e-flex e-con e-parent" data-id="a41721a" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-19d4577 elementor-widget elementor-widget-text-editor" data-id="19d4577" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Each protocol gets tests designed for its specific attack surface. GraphQL templates cover introspection disclosure, query depth attacks, alias-based DoS, batching attacks, circular fragment abuse, and directive overloading. These vulnerability classes don’t exist in REST. 
gRPC templates handle status code-based detection, metadata injection, and deadline manipulation.</p> <p><a id="assessment-workflow-integration"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a985fcb e-con-full e-flex e-con e-parent" data-id="a985fcb" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-6022ff6 elementor-widget elementor-widget-heading" data-id="6022ff6" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Assessment Workflow Integration</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-1aae7fc e-con-full e-flex e-con e-parent" data-id="1aae7fc" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-6d7fb5a elementor-widget elementor-widget-text-editor" data-id="6d7fb5a" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Hadrian was designed to bring scalable API authorization testing into the offensive security projects that Praetorian conducts every day. It can be run from the command line or imported programmatically as a Go module into your own tooling.</p> <p>All traffic routes through Burp Suite or any HTTP proxy with <code>--proxy</code>, so you can verify findings manually and capture request/response pairs for your report. Adaptive rate limiting (default 5 req/sec) with reactive backoff on 429/503 responses reduces the chance that you get yourself rate-limited or blocked during a client assessment. <code>--dry-run</code> shows exactly what Hadrian would test without sending a single request, which is useful for scoping conversations with clients.</p> <p>For finding triage, Hadrian optionally sends results to a local Ollama instance for LLM-powered analysis. It redacts credentials before sending data to the model, so client tokens are never handed to it. The LLM-powered analysis is useful for quickly sorting true positives from edge cases on large APIs; treat its verdicts as a triage aid and still verify each reported finding by hand:</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-be4aa9f e-con-full e-flex e-con e-parent" data-id="be4aa9f" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-507bfd7 elementor-widget elementor-widget-code-highlight" data-id="507bfd7" data-element_type="widget" data-e-type="widget" data-widget_type="code-highlight.default"> <div class="prismjs-okaidia copy "> <pre data-line="" class="highlight-height language-markup yes"> <code readonly class="language-markup"> <xmp>hadrian test rest --api api.yaml --roles roles.yaml \
  --llm-host http://localhost:11434 --llm-model llama3.2:latest \
  --llm-context "This API handles financial data with PCI DSS requirements"</xmp> </code> </pre> </div> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-efe5f12 e-con-full e-flex e-con e-parent" data-id="efe5f12" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-c83a99f elementor-widget elementor-widget-text-editor" data-id="c83a99f" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>One thing worth noting: Hadrian requires an API specification (OpenAPI, GraphQL schema, or proto file) and valid auth tokens for each role. It doesn’t discover APIs or generate credentials. 
On engagements where we don’t have a spec, we typically build one from Burp traffic or use API documentation, then point Hadrian at it.</p> <p><a id="the-praetorian-offensive-toolkit"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-7b39e38 e-con-full e-flex e-con e-parent" data-id="7b39e38" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-873f592 elementor-widget elementor-widget-heading" data-id="873f592" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">The Praetorian Offensive Toolkit</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-a0b23b0 e-con-full e-flex e-con e-parent" data-id="a0b23b0" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-5f4a932 elementor-widget elementor-widget-text-editor" data-id="5f4a932" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Hadrian joins our open-source security toolkit. In a typical external assessment, <a href="https://www.praetorian.com/blog/whats-running-on-that-port-introducing-nerva-for-service-fingerprinting/">Nerva</a> identifies services on discovered ports, including API endpoints. Hadrian tests those APIs for authorization flaws. Findings from both feed into the final report. For cloud-focused engagements, <a href="https://www.praetorian.com/blog/aurelian-cloud-security-tool/">Aurelian</a> maps the cloud environment and discovers API Gateways, then the APIs behind them get tested with Hadrian. 
Each tool handles a distinct phase of security work: <a href="https://www.praetorian.com/blog/attack-surface-mapping-tool-pius/">Pius</a> for asset discovery, Nerva for service fingerprinting, Brutus for credential testing, <a href="https://www.praetorian.com/blog/building-bridges-breaking-pipelines-introducing-trajan/">Trajan</a> for CI/CD pipeline security, Aurelian for cloud reconnaissance, and Hadrian for API authorization testing. If you’re interested in using Hadrian to help secure your company’s APIs, you can learn more about our <a href="https://www.praetorian.com/">Praetorian Guard Platform</a> at praetorian.com.</p> <p> </p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-2a72094 e-con-full e-flex e-con e-parent" data-id="2a72094" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-ba4dd78 elementor-widget elementor-widget-heading" data-id="ba4dd78" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Getting Started</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-90de1d4 e-con-full e-flex e-con e-parent" data-id="90de1d4" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-3f7359e elementor-widget elementor-widget-text-editor" data-id="3f7359e" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>Start running API authorization testing today. Hadrian is available now at <a href="https://github.com/praetorian-inc/hadrian">github.com/praetorian-inc/hadrian</a>. 
Install from source or grab a prebuilt binary from the releases page.</p> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-8d412f6 e-con-full e-flex e-con e-parent" data-id="8d412f6" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-5be661f elementor-widget elementor-widget-code-highlight" data-id="5be661f" data-element_type="widget" data-e-type="widget" data-widget_type="code-highlight.default"> <div class="prismjs-okaidia copy "> <pre data-line="" class="highlight-height language-markup yes"> <code readonly class="language-markup"> <xmp>go install github.com/praetorian-inc/hadrian/cmd/hadrian@latest</xmp> </code> </pre> </div> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-458f34d e-con-full e-flex e-con e-parent" data-id="458f34d" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-54ef845 elementor-widget elementor-widget-text-editor" data-id="54ef845" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default"> <p>The repository includes intentionally vulnerable test applications for REST (<a href="https://github.com/OWASP/crAPI">crAPI</a>), GraphQL (<a href="https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application">DVGA</a>), and gRPC (built-in vulnerable server) so you can see Hadrian in action before pointing it at a real target.</p> <p>If you find bugs, want to contribute templates, or have feature requests, <a href="https://github.com/praetorian-inc/hadrian/issues">open an issue</a>. 
We’re actively developing Hadrian and want to hear how you’re using it.</p> <p><a id="frequently-asked-questions"></a> </p></div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-880e961 e-con-full e-flex e-con e-parent" data-id="880e961" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-8d89d82 elementor-widget elementor-widget-heading" data-id="8d89d82" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default"> <h2 class="elementor-heading-title elementor-size-default">Frequently Asked Questions</h2> </div> </div> <div data-particle_enable="false" data-particle-mobile-disabled="false" class="elementor-element elementor-element-6f77a87 e-con-full e-flex e-con e-parent" data-id="6f77a87" data-element_type="container" data-e-type="container"> <div class="elementor-element elementor-element-0ecd10a elementor-widget elementor-widget-accordion" data-id="0ecd10a" data-element_type="widget" data-e-type="widget" data-widget_type="accordion.default"> <div class="elementor-accordion"> <div class="elementor-accordion-item"> <h3 id="elementor-tab-title-1551" class="elementor-tab-title" data-tab="1" role="button" aria-controls="elementor-tab-content-1551" aria-expanded="false"> <span class="elementor-accordion-icon elementor-accordion-icon-left" aria-hidden="true"><br> <span class="elementor-accordion-icon-closed"><svg class="e-font-icon-svg e-fas-plus" viewbox="0 0 448 512" xmlns="http://www.w3.org/2000/svg"><path d="M416 208H272V64c0-17.67-14.33-32-32-32h-32c-17.67 0-32 14.33-32 32v144H32c-17.67 0-32 14.33-32 32v32c0 17.67 14.33 32 32 32h144v144c0 17.67 14.33 32 32 32h32c17.67 0 32-14.33 32-32V304h144c17.67 0 32-14.33 32-32v-32c0-17.67-14.33-32-32-32z"></path></svg></span><br> <span class="elementor-accordion-icon-opened"><svg class="e-font-icon-svg e-fas-minus" viewbox="0 0 448 512" xmlns="http://www.w3.org/2000/svg"><path 
d="M416 208H32c-17.67 0-32 14.33-32 32v32c0 17.67 14.33 32 32 32h384c17.67 0 32-14.33 32-32v-32c0-17.67-14.33-32-32-32z"></path></svg></span><br> </span><br> <a class="elementor-accordion-title" tabindex="0">What is Hadrian?</a><br> </h3> <div id="elementor-tab-content-1551" class="elementor-tab-content elementor-clearfix" data-tab="1" role="region" aria-labelledby="elementor-tab-title-1551"> <p>Hadrian is an open-source API authorization testing framework built by Praetorian. It automates the detection of authorization vulnerabilities like BOLA (Broken Object Level Authorization) and BFLA (Broken Function Level Authorization) across REST, GraphQL, and gRPC APIs using role-based permutation testing and YAML-driven security templates.</p> <p><a id="X462ccf325ee2000ef5e57f6e81bb570f2b63e23"></a></p></div> </div> <div class="elementor-accordion-item"> <h3 id="elementor-tab-title-1552" class="elementor-tab-title" data-tab="2" role="button" aria-controls="elementor-tab-content-1552" aria-expanded="false"> <span class="elementor-accordion-icon elementor-accordion-icon-left" aria-hidden="true"><br> <span class="elementor-accordion-icon-closed"><svg class="e-font-icon-svg e-fas-plus" viewbox="0 0 448 512" xmlns="http://www.w3.org/2000/svg"><path d="M416 208H272V64c0-17.67-14.33-32-32-32h-32c-17.67 0-32 14.33-32 32v144H32c-17.67 0-32 14.33-32 32v32c0 17.67 14.33 32 32 32h144v144c0 17.67 14.33 32 32 32h32c17.67 0 32-14.33 32-32V304h144c17.67 0 32-14.33 32-32v-32c0-17.67-14.33-32-32-32z"></path></svg></span><br> <span class="elementor-accordion-icon-opened"><svg class="e-font-icon-svg e-fas-minus" viewbox="0 0 448 512" xmlns="http://www.w3.org/2000/svg"><path d="M416 208H32c-17.67 0-32 14.33-32 32v32c0 17.67 14.33 32 32 32h384c17.67 0 32-14.33 32-32v-32c0-17.67-14.33-32-32-32z"></path></svg></span><br> </span><br> <a class="elementor-accordion-title" tabindex="0">What types of API vulnerabilities does Hadrian detect?</a><br> </h3> <div id="elementor-tab-content-1552" 
class="elementor-tab-content elementor-clearfix" data-tab="2" role="region" aria-labelledby="elementor-tab-title-1552"> <p>Hadrian ships with 30 built-in security templates covering the OWASP API Security Top 10, including Broken Object Level Authorization (API1:2023), Broken Authentication (API2:2023), Broken Object Property Level Authorization (API3:2023), Broken Function Level Authorization (API5:2023), and excessive data exposure. Custom templates can be added for application-specific logic.</p> <p><a id="X756276fe26026cb7e7498ad2afb991a3b28d7da"></a></p></div> </div> <div class="elementor-accordion-item"> <h3 id="elementor-tab-title-1553" class="elementor-tab-title" data-tab="3" role="button" aria-controls="elementor-tab-content-1553" aria-expanded="false"> <span class="elementor-accordion-icon elementor-accordion-icon-left" aria-hidden="true"><br> <span class="elementor-accordion-icon-closed"><svg class="e-font-icon-svg e-fas-plus" viewbox="0 0 448 512" xmlns="http://www.w3.org/2000/svg"><path d="M416 208H272V64c0-17.67-14.33-32-32-32h-32c-17.67 0-32 14.33-32 32v144H32c-17.67 0-32 14.33-32 32v32c0 17.67 14.33 32 32 32h144v144c0 17.67 14.33 32 32 32h32c17.67 0 32-14.33 32-32V304h144c17.67 0 32-14.33 32-32v-32c0-17.67-14.33-32-32-32z"></path></svg></span><br> <span class="elementor-accordion-icon-opened"><svg class="e-font-icon-svg e-fas-minus" viewbox="0 0 448 512" xmlns="http://www.w3.org/2000/svg"><path d="M416 208H32c-17.67 0-32 14.33-32 32v32c0 17.67 14.33 32 32 32h384c17.67 0 32-14.33 32-32v-32c0-17.67-14.33-32-32-32z"></path></svg></span><br> </span><br> <a class="elementor-accordion-title" tabindex="0">How is Hadrian different from Autorize or AuthMatrix?</a><br> </h3> <div id="elementor-tab-content-1553" class="elementor-tab-content elementor-clearfix" data-tab="3" role="region" aria-labelledby="elementor-tab-title-1553"> <p>Autorize and AuthMatrix are Burp Suite extensions that require manual browsing or configuration. 
Autorize only tests endpoints you visit during your session, and AuthMatrix requires manually configuring a matrix of roles and endpoints. Hadrian reads the API specification directly, generates every attacker-victim role permutation automatically, and supports GraphQL and gRPC in addition to REST. It also uses three-phase mutation testing to prove write/delete vulnerabilities actually succeeded.</p> <p><a id="Xd5d791eee0c86f0441ec5f16eb5c67bb000135c"></a></p></div> </div> <div class="elementor-accordion-item"> <h3 id="elementor-tab-title-1554" class="elementor-tab-title" data-tab="4" role="button" aria-controls="elementor-tab-content-1554" aria-expanded="false"> <span class="elementor-accordion-icon elementor-accordion-icon-left" aria-hidden="true"><br> <span class="elementor-accordion-icon-closed"><svg class="e-font-icon-svg e-fas-plus" viewbox="0 0 448 512" xmlns="http://www.w3.org/2000/svg"><path d="M416 208H272V64c0-17.67-14.33-32-32-32h-32c-17.67 0-32 14.33-32 32v144H32c-17.67 0-32 14.33-32 32v32c0 17.67 14.33 32 32 32h144v144c0 17.67 14.33 32 32 32h32c17.67 0 32-14.33 32-32V304h144c17.67 0 32-14.33 32-32v-32c0-17.67-14.33-32-32-32z"></path></svg></span><br> <span class="elementor-accordion-icon-opened"><svg class="e-font-icon-svg e-fas-minus" viewbox="0 0 448 512" xmlns="http://www.w3.org/2000/svg"><path d="M416 208H32c-17.67 0-32 14.33-32 32v32c0 17.67 14.33 32 32 32h384c17.67 0 32-14.33 32-32v-32c0-17.67-14.33-32-32-32z"></path></svg></span><br> </span><br> <a class="elementor-accordion-title" tabindex="0">Does Hadrian support GraphQL and gRPC APIs?</a><br> </h3> <div id="elementor-tab-content-1554" class="elementor-tab-content elementor-clearfix" data-tab="4" role="region" aria-labelledby="elementor-tab-title-1554"> <p>Yes. Hadrian supports REST (via OpenAPI specs), GraphQL (via introspection or SDL schema), and gRPC (via proto files) under a unified testing framework. 
Each protocol gets vulnerability templates designed for its specific attack surface, including GraphQL-specific checks like query depth attacks, batching abuse, and circular fragment exploitation.</p> <p><a id="what-is-three-phase-mutation-testing"></a></p></div> </div> <div class="elementor-accordion-item"> <h3 id="elementor-tab-title-1555" class="elementor-tab-title" data-tab="5" role="button" aria-controls="elementor-tab-content-1555" aria-expanded="false"> <a class="elementor-accordion-title" tabindex="0">What is three-phase mutation testing?</a> </h3> <div id="elementor-tab-content-1555" class="elementor-tab-content elementor-clearfix" data-tab="5" role="region" aria-labelledby="elementor-tab-title-1555"> <p>Mutation testing is Hadrian’s method for proving that write and delete vulnerabilities actually succeeded. Phase 1 (Setup) creates a resource as the victim. Phase 2 (Attack) attempts to modify or delete that resource as the attacker. Phase 3 (Verify) checks whether the resource was actually changed. 
This eliminates false positives from APIs that return 200 OK without actually performing the unauthorized action.</p> <p><a id="Xeb5941974347a5ea76331d4988fa023cb39f83c"></a></p></div> </div> <div class="elementor-accordion-item"> <h3 id="elementor-tab-title-1556" class="elementor-tab-title" data-tab="6" role="button" aria-controls="elementor-tab-content-1556" aria-expanded="false"> <a class="elementor-accordion-title" tabindex="0">Can Hadrian be integrated into CI/CD pipelines?</a> </h3> <div id="elementor-tab-content-1556" class="elementor-tab-content elementor-clearfix" data-tab="6" role="region" aria-labelledby="elementor-tab-title-1556"> <p>Hadrian can be imported as a Go module and run programmatically, making it suitable for CI/CD integration. It also supports <code>--dry-run</code> for scoping, <code>--proxy</code> for routing through Burp Suite, and adaptive rate limiting to avoid triggering WAF blocks during automated testing. 
All output is structured for easy parsing and integration with existing security workflows.</p> </div></div> </div> </div> </div> </div><p>The post <a href="https://www.praetorian.com/blog/hadrian-api-authorization-testing/">Your API Has Authorization Bugs. 
Hadrian Finds Them.</a> appeared first on <a href="https://www.praetorian.com/">Praetorian</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.praetorian.com/blog/">Offensive Security Blog: Latest Trends in Hacking | Praetorian</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by n8n-publisher">n8n-publisher</a>. Read the original post at: <a href="https://www.praetorian.com/blog/hadrian-api-authorization-testing/">https://www.praetorian.com/blog/hadrian-api-authorization-testing/</a> </p>
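<p>The three-phase mutation test described in the FAQ above (Setup as the victim, Attack as the attacker, Verify as the victim), as an added Go example that is not Hadrian's own code: a constructed in-process mock notes API with three DELETE behaviours shows why the Verify phase matters, since the "fake200" variant answers 200 OK exactly like the vulnerable one but leaves the resource intact. The newMockAPI, call and ThreePhase names, the /notes resource and the victim-token/attacker-token values are assumptions for illustration.</p>

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
// Constructed mock notes API (not Hadrian code). mode picks the DELETE behaviour: "enforce" checks ownership, "vuln" deletes anything, "fake200" returns 200 OK without deleting.
func newMockAPI(mode string) *httptest.Server {
	owner, next := map[string]string{}, 0 // note id -> token that created it
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, id := r.Header.Get("Authorization"), strings.TrimPrefix(r.URL.Path, "/notes/")
		switch r.Method {
		case http.MethodPost: // create a note owned by the caller; Location holds its URL
			next++
			owner[fmt.Sprint(next)] = tok
			w.Header().Set("Location", fmt.Sprintf("/notes/%d", next))
		case http.MethodGet:
			if owner[id] == "" {
				w.WriteHeader(http.StatusNotFound)
			}
		case http.MethodDelete:
			if mode == "enforce" && owner[id] != tok {
				w.WriteHeader(http.StatusForbidden)
			} else if mode != "fake200" {
				delete(owner, id)
			}
		}
	}))
}

// call sends one request with tok in Authorization; returns status and Location header.
func call(method, url, tok string) (int, string) {
	req, _ := http.NewRequest(method, url, nil)
	req.Header.Set("Authorization", tok)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, ""
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location")
}

// ThreePhase returns the status the attacker saw and whether the note really changed.
func ThreePhase(base, victim, attacker string) (status int, mutated bool) {
	_, loc := call(http.MethodPost, base+"/notes", victim)  // Phase 1: Setup as victim
	status, _ = call(http.MethodDelete, base+loc, attacker) // Phase 2: Attack as attacker
	after, _ := call(http.MethodGet, base+loc, victim)      // Phase 3: Verify as victim
	return status, after == http.StatusNotFound
}
```

Only the "vuln" server yields mutated == true; "fake200" returns the same 200 status but is reported as not mutated, which is the false positive a status-only comparison would miss.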