Safe, automated IDOR/BOLA detection with triage-ready output.
AURA is a CLI scanner focused on finding Insecure Direct Object Reference (IDOR) and Broken Object Level Authorization (BOLA) vulnerabilities in web applications and APIs. It discovers endpoints from a target's HTML/JS bundles, tests them with alternate object IDs using your own auth token, and reports only the responses that look like a genuine authorization bypass.
Authorized testing only. Only scan targets you own or have explicit written permission to test. See SECURITY.md.
- IDOR detection (path and query parameter substitution)
- BOLA detection with status-code-aware confirmation (filters out 401/403/404 noise)
- Automatic endpoint discovery from HTML, JS bundles, and source maps
- JWT / Bearer / Cookie / Basic / custom header authentication
- Configurable concurrency and rate limiting
- `table`, `text`, `json`, and `csv` output formats
- CI-friendly exit codes
Build from source (Go 1.21+ recommended):

```sh
git clone https://github.com/rendidwisa/aura.git
cd aura
go build -o aura ./cmd/aura
```

To embed version info (as done by the release pipeline):

```sh
go build -ldflags "-X main.version=1.0.0 -X main.commit=$(git rev-parse --short HEAD) -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" -o aura ./cmd/aura
```

```sh
# Basic scan, no auth
./aura --target https://api.example.com

# Scan with a bearer/JWT token
./aura --target https://api.example.com --token YOUR_JWT_TOKEN

# Tune concurrency and rate limit
./aura --target https://api.example.com --threads 20 --rate-limit 50

# Route through a proxy, write JSON results to a file
./aura --target https://api.example.com --proxy http://localhost:8080 --format json --output results.json

# Use a config file instead of flags
./aura --config config.yml
```

| Flag | Description | Default |
|---|---|---|
| `--target string` | Target URL to scan (required) | — |
| `--token string` | Authentication token | — |
| `--auth-type string` | `jwt`, `bearer`, `cookie`, `basic`, `header` | `jwt` |
| `--cookie string` | Cookie header value for authentication | — |
| `--proxy string` | Proxy URL, e.g. `http://proxy:8080` | — |
| `--threads int` | Concurrent worker threads | 10 |
| `--rate-limit int` | Max requests per second | 100 |
| `--timeout int` | Request timeout (seconds) | 30 |
| `--max-retries int` | Max retry attempts per request | 3 |
| `--depth int` | Scanning depth | 3 |
| `--max-requests int` | Max total requests for the scan | 1000 |
| `--format string` | `table`, `text`, `json`, `csv` | `table` |
| `--output string` | Write results to this file instead of stdout | — |
| `--config string` | Path to a YAML config file | — |
| `--fuzz` | Enable fuzz payload testing | false |
| `--verbose` | Enable debug logging | false |
| `--quiet` | Suppress output | false |
| `--version` / `-v` | Show version and exit | — |
| `--help` | Show usage and exit | — |
All environment variables listed below are fully supported and will override equivalent settings from the config file (but are themselves overridden by CLI flags).
| Variable | Equivalent flag | Status |
|---|---|---|
| `AURA_TARGET` | `--target` | ✅ Fully supported |
| `AUTH_AUTH_TOKEN` | `--token` | ✅ Fully supported |
| `AURA_AUTH_TYPE` | `--auth-type` | ✅ Fully supported |
| `AURA_AUTH_COOKIE` | `--cookie` | ✅ Fully supported |
| `AURA_PROXY` | `--proxy` | ✅ Fully supported |
| `AURA_TIMEOUT` | `--timeout` | ✅ Fully supported |
| `AURA_RATE_LIMIT` | `--rate-limit` | ✅ Fully supported |
| `AURA_THREADS` | `--threads` | ✅ Fully supported |
| `AURA_ENABLE_FUZZ` | `--fuzz` | ✅ Fully supported |
| `AURA_OUTPUT_FORMAT` | `--format` | ✅ Fully supported |
| `AURA_OUTPUT_FILE` | `--output` | ✅ Fully supported |
| `AURA_VERBOSE` | `--verbose` | ✅ Fully supported |
Priority order (highest to lowest):
- CLI flags
- Environment variables
- Config file
- Default values
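The layering above (flag, then environment variable, then config file, then built-in default) is easy to get subtly wrong, for instance by letting an empty config value shadow a set environment variable. The following is an added illustration, not AURA's own code: the `Setting`, `Layers`, `Resolve` and `ResolveInt` names are assumptions, and the config-file contents in `main` are constructed. A flag counts as "set" only when it is present in the `Flags` map, so the resolver distinguishes "not passed" from "passed as empty", and a non-integer value from any layer is reported as a configuration error rather than silently replaced by the default.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// Setting describes one configurable value and the name each layer uses for it.
// (Hypothetical type; AURA's real config code may be structured differently.)
type Setting struct {
	Flag    string // CLI flag name, e.g. "--threads"
	Env     string // environment variable, e.g. "AURA_THREADS"
	Key     string // config-file key, e.g. "threads"
	Default string // built-in default
}

// Layers holds what each source actually supplied. A flag that was not passed is
// simply absent from Flags, so an explicitly passed empty string still wins.
type Layers struct {
	Flags  map[string]string           // flags explicitly set on the command line
	Getenv func(string) (string, bool) // os.LookupEnv in production, a stub in tests
	Config map[string]string           // parsed YAML, flattened to string values
}

// Resolve returns the effective value and the layer it came from, in the
// README's precedence order: flag > env > config file > default.
func Resolve(s Setting, l Layers) (value, source string) {
	if v, ok := l.Flags[s.Flag]; ok {
		return v, "flag"
	}
	if l.Getenv != nil {
		if v, ok := l.Getenv(s.Env); ok {
			return v, "env"
		}
	}
	if v, ok := l.Config[s.Key]; ok {
		return v, "config"
	}
	return s.Default, "default"
}

// ResolveInt is a typed wrapper that turns a malformed value into a configuration
// error (the README's exit code 1) instead of falling back to the default.
func ResolveInt(s Setting, l Layers) (int, string, error) {
	v, src := Resolve(s, l)
	n, err := strconv.Atoi(v)
	if err != nil {
		return 0, src, fmt.Errorf("%s: %q (from %s) is not an integer", s.Flag, v, src)
	}
	return n, src, nil
}

func main() {
	threads := Setting{Flag: "--threads", Env: "AURA_THREADS", Key: "threads", Default: "10"}
	layers := Layers{
		Flags:  map[string]string{},                // constructed: no flags passed
		Getenv: os.LookupEnv,                       // real environment
		Config: map[string]string{"threads": "4"}, // constructed config-file contents
	}
	n, src, err := ResolveInt(threads, layers)
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	fmt.Printf("threads=%d (from %s)\n", n, src)
}
```

Run it with `AURA_THREADS=8 go run .` to watch the environment variable beat the config file, and `go run . --threads 20` style wiring (once the flag parser fills `Flags`) to watch the flag beat both.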
| Code | Meaning |
|---|---|
| 0 | Scan completed, no vulnerabilities found |
| 1 | Configuration error or scan failure |
| 2 | Scan completed, vulnerabilities found |
Exit code 2 makes AURA easy to wire into CI as a gate.
| Limitation | Detail |
|---|---|
| GET only | IDOR/BOLA detection only sends GET requests; POST/PUT/PATCH/DELETE are defined in payloads but not yet tested |
| No auto-login | Tokens must be supplied manually via --token/--cookie; no login flow automation |
| JS-dependent discovery | Endpoint discovery relies on JS bundle analysis; pure server-rendered apps fall back to static payload endpoints |
| Single token | Multi-account testing (user A vs user B) isn't a first-class feature yet |
| No body filtering | If an endpoint always returns the logged-in user's own data regardless of ID, it may still be flagged — manual verification is required |
| No GraphQL | Only REST-style URL patterns are analyzed |
| `--depth` flag | Currently parsed but not yet implemented (crawling depth is planned for a future release) |
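The "status-code-aware confirmation" from the feature list and the "No body filtering" limitation above are two sides of the same triage decision: a probe with a foreign ID is only interesting when it returns a 2xx *and* a body that differs from what the tester's own ID returns. The example below is added here to show that decision in code together with the README's exit-code contract; it is not AURA's code, and `Probe`, `Classify`, `Verdict`, `ExitCode` and the sample responses in `main` are all constructed for illustration. It runs entirely offline on the embedded responses: 401/403/404 and other non-2xx statuses are dropped as noise, a 2xx body identical to the baseline is reported as "same-data" (the false-positive case the limitation describes), and a differing body is only marked "confirmed" when the foreign ID is actually echoed in it, otherwise "needs-review".

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"regexp"
)

// Probe is one recorded request/response for an endpoint with a given object ID.
// (Hypothetical type, not AURA's internal representation.)
type Probe struct {
	URL    string
	ID     string // object identifier substituted into the path or query
	Status int
	Body   []byte
}

// Verdict is the triage outcome for one foreign-ID probe.
type Verdict string

const (
	VerdictNotVuln  Verdict = "not-vulnerable" // 401/403/404, redirect, or server error
	VerdictSameData Verdict = "same-data"      // body equals the baseline: server ignored the ID
	VerdictConfirm  Verdict = "confirmed"      // 2xx, different data, and the foreign ID is echoed
	VerdictReview   Verdict = "needs-review"   // 2xx, different data, foreign ID not echoed
)

// Classify compares the response for a foreign ID (alt) against the baseline
// obtained with the tester's own ID.
func Classify(baseline, alt Probe) Verdict {
	// Status-code-aware filter: authorization denials and missing objects are not findings.
	switch alt.Status {
	case http.StatusUnauthorized, http.StatusForbidden, http.StatusNotFound:
		return VerdictNotVuln
	}
	if alt.Status < 200 || alt.Status >= 300 {
		return VerdictNotVuln
	}
	// Without a 2xx baseline there is nothing to compare against; hand it to a human.
	if baseline.Status < 200 || baseline.Status >= 300 {
		return VerdictReview
	}
	// Body filtering: an endpoint that always returns the caller's own object yields
	// the same body for every ID, which is not an authorization bypass.
	if bytes.Equal(alt.Body, baseline.Body) {
		return VerdictSameData
	}
	// Strongest signal: the foreign ID appears as a whole token in the response.
	echoed := regexp.MustCompile(`\b` + regexp.QuoteMeta(alt.ID) + `\b`)
	if echoed.Match(alt.Body) {
		return VerdictConfirm
	}
	return VerdictReview
}

// ExitCode maps the scan outcome onto the README's contract:
// 0 = nothing found, 1 = configuration error or scan failure, 2 = findings.
// "needs-review" counts as a finding so a CI gate errs on the side of triage.
func ExitCode(scanErr error, verdicts []Verdict) int {
	if scanErr != nil {
		return 1
	}
	for _, v := range verdicts {
		if v == VerdictConfirm || v == VerdictReview {
			return 2
		}
	}
	return 0
}

func main() {
	// Constructed sample responses; no requests are sent anywhere.
	own := Probe{URL: "/api/orders/17", ID: "17", Status: 200, Body: []byte(`{"id":17,"owner":"alice","total":42}`)}
	probes := []Probe{
		{URL: "/api/orders/18", ID: "18", Status: 403, Body: []byte(`{"error":"forbidden"}`)},
		{URL: "/api/orders/19", ID: "19", Status: 200, Body: own.Body}, // server ignored the ID
		{URL: "/api/orders/20", ID: "20", Status: 200, Body: []byte(`{"id":20,"owner":"bob","total":9}`)},
	}
	var verdicts []Verdict
	for _, p := range probes {
		v := Classify(own, p)
		verdicts = append(verdicts, v)
		fmt.Printf("%-16s %d %s\n", p.URL, p.Status, v)
	}
	fmt.Println("exit code:", ExitCode(nil, verdicts))
}
```

The whole-token match uses RE2 word boundaries so that ID `2` does not "confirm" against a body containing `20`; for opaque IDs (UUIDs, hashes) `\b` still works because those are alphanumeric runs. The `same-data` verdict is exactly the case the limitation table says AURA currently leaves to manual verification.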
See ARCHITECTURE.md for full internals and design rationale.
TBD — add a LICENSE file (e.g. MIT/Apache-2.0) before distributing publicly.