<p>Most APIs we test enforce authorization consistently — a gateway or middleware checks the caller's token before any handler runs. Then there is the one route that does not.</p>
<h2>The Pattern</h2>
<p>A modern API exposes dozens of endpoints. Twenty-three of them return <code>401</code> without a valid token. The twenty-fourth returns <code>200</code> and a payload. Not because of a clever bypass — because authorization was wired up <strong>per-handler</strong>, and one handler was missed.</p>
<p>This is <strong>Broken Object Level Authorization</strong> and its siblings, still the top entry on the OWASP API Security list, and still the most common serious finding in our engagements.</p>
<blockquote>
<p>"Authorization is not a feature you add. It is an invariant you have to prove holds everywhere."</p>
</blockquote>
<h2>How We Find It</h2>
<ul>
<li>Enumerate the <strong>full</strong> route inventory — from source maps, OpenAPI specs, and client bundles, not just the documented endpoints.</li>
<li>Probe every route unauthenticated, then as a low-privilege user against another user's object IDs.</li>
<li>Treat inconsistency as the signal: when sibling routes disagree on auth, one of them is wrong.</li>
</ul>
<p>A scanner sees a <code>200</code> and moves on. A tester asks why this <code>200</code> exists when its neighbors do not. That question is the engagement.</p>


The One Route That Forgot to Check

The Pattern

How We Find It