Jake Abendroth
Back to Blog
December 18, 2025
4 min

Building Doppel: Zero-Config Authorization Testing

Authorization bugs are everywhere. BOLA (Broken Object Level Authorization) and IDOR (Insecure Direct Object References) consistently rank in the OWASP API Security Top 10, yet most security scanners completely miss them. Why? Because detecting these vulnerabilities requires understanding the logic of your API - not just throwing payloads at endpoints.

That's why I built Doppel.

The Problem

Imagine an API endpoint: GET /api/users/123/orders. A typical scanner might check for SQL injection, XSS, or rate limiting. But what if user 123 can access user 456's orders just by changing the ID? That's BOLA - and traditional tools won't catch it because they don't test across different user sessions.

Manual testing doesn't scale. You'd need to:

  1. Create multiple test users with different roles
  2. Map all endpoints and their ID parameters
  3. Try accessing each resource as every other user
  4. Track which combinations should fail but don't

For a real API with hundreds of endpoints? Impossible to do manually.

My Approach

Doppel automates this entire process. The key innovation is session swapping with logic-aware fuzzing.

How It Works

1. Zero-Config Discovery Doppel parses your existing API collections - Bruno, Postman, or OpenAPI specs. No configuration needed. It automatically:

  • Extracts all endpoints and parameters
  • Identifies ID fields (user IDs, order IDs, resource IDs)
  • Maps authentication contexts from your collection

2. Session Swapping For every request that worked with User A's token, Doppel replays it with User B's token. If User B can access User A's resources? That's a vulnerability.

3. Mutational Fuzzing Beyond simple ID swapping, Doppel mutates parameters with:

  • SQLi payloads
  • XSS vectors
  • Edge cases (negative IDs, UUID format violations)
  • Boundary conditions

All while maintaining valid request structure.

Technical Deep Dive

I built Doppel in Rust for performance and safety. The core is an async engine powered by Tokio that can handle thousands of concurrent requests:

// Simplified session swap logic
async fn swap_session_test(
    request: &ApiRequest,
    original_user: &User,
    target_user: &User
) -> TestResult {
    let mut swapped = request.clone();
    swapped.set_auth(&target_user.token);

    let response = client.send(swapped).await?;

    // If target user got success accessing original user's resource
    if response.is_success() && !target_user.can_access(&request.resource) {
        report_vulnerability(VulnType::BOLA, request, target_user);
    }
}

Advanced OpenAPI Support

Modern APIs use complex specs with $ref external files, oneOf/allOf composition, and nested schemas. Doppel handles all of this:

  • Resolves external file references
  • Flattens schema composition
  • Generates valid payloads that match schema constraints

Optional AI Analysis

For detecting sensitive data exposure, Doppel integrates with local Ollama models. When a vulnerability is found, it can analyze response bodies for PII:

let analysis = ollama.analyze(&response.body).await?;
if analysis.contains_pii() {
    vulnerability.severity = Severity::Critical;
    vulnerability.pii_detected = analysis.fields;
}

This runs entirely locally - no data leaves your machine.

Real-World Results

During testing, Doppel found authorization bugs in:

  • Internal admin panels where regular users could access admin-only data
  • REST APIs where changing a single ID parameter exposed other users' private information
  • GraphQL endpoints with improper query-level authorization

Most of these were in production APIs that had passed security reviews.

Current Status & Future Work

Doppel is in active development with 10/10 tests passing. Upcoming features:

  • SARIF integration for CI/CD pipeline integration
  • Custom rule engine for defining organization-specific test logic
  • Web dashboard for visualizing attack graphs and vulnerability chains
  • Enhanced AI detection for context-aware PII analysis

Why Rust?

Performance matters when you're testing thousands of endpoints across multiple sessions. Rust gives me:

  • Zero-cost abstractions for high-level API without runtime overhead
  • Memory safety without garbage collection pauses
  • Fearless concurrency - Tokio's async runtime is blazing fast
  • Rich ecosystem for HTTP clients, parsing, and fuzzing

Try It Yourself

Doppel is open source under MIT license. Check it out at github.com/abendrothj/Doppel.

# Install
cargo install doppel

# Run against your API
doppel --collection api.postman.json --sessions sessions.json

If you find authorization bugs in your APIs (and you probably will), let me know! I'm always looking for feedback to make Doppel better.

Building security tools teaches you how attackers think. Every project is an opportunity to make the web a little bit safer.

Back to All Posts