Features • Installation • Usage • How it Works
AuthSniper is a high-performance, concurrent CLI tool designed for Bug Bounty Hunters and Penetration Testers to automate the discovery of BOLA (Broken Object Level Authorization) and IDOR vulnerabilities in modern APIs.
Unlike tools that rely on naive response-length comparison (which generate large numbers of false positives), AuthSniper parses each JSON response into a tree (its "AST") and compares the structure of the Victim's and Attacker's responses: keys, nesting and value types. Dynamic values such as timestamps, UUIDs, or changing integers no longer trigger false positives, because values are not compared at all.
- Raw HTTP Parsing: Natively supports parsing Burp Suite HTTP exports (POST, PUT, custom headers, JSON bodies).
- AST Diff Engine: Compares structural keys and data types, not raw values, so value churn on dynamic JSON endpoints (timestamps, IDs, counters) does not produce false positives.
- Worker Pools: Highly optimized Goroutine concurrency. Feed it 10,000 URLs and let it chew through them safely.
- CI/CD Ready: Writes vulnerable endpoints directly to standard .jsonl files for integration with jq or notification pipelines.
- Unauth Verification: Automatically fires a third concurrent request (unauthenticated) to confirm the target isn't just a public endpoint.
Ensure you have Go installed, then run:

```bash
git clone https://github.com/Mutasem-mk4/AuthSniper.git
cd AuthSniper
go build -o authsniper ./cmd/authsniper/main.go
```

Export a raw HTTP request from Burp Suite (e.g., req.txt). AuthSniper will clone it and re-send it with each token swapped in. `-t1` and `-t2` take the full header value, including the scheme (e.g., `Bearer ...`).

```bash
./authsniper -r req.txt -t1 "Bearer victim_token" -t2 "Bearer attacker_token"
```

Specify the number of concurrent workers with `-c` and stream the results to a file for your pipeline with `-o`.

```bash
./authsniper -r req.txt -t1 "Bearer victim" -t2 "Bearer attacker" -c 50 -o findings.jsonl
```

| Flag | Description |
|---|---|
| -r | Raw HTTP request file (Burp/ZAP export) |
| -t1 | Victim's Authorization token / cookie |
| -t2 | Attacker's Authorization token / cookie |
| -c | Number of concurrent workers (default: 10) |
| -o | Output file for confirmed vulnerabilities (JSONL) |
When dealing with modern APIs, dynamic noise (timestamps, CSRF tokens, changing IDs) ruins length-based BOLA scanners: a changing timestamp alone shifts the response length, so a real match is missed while coincidentally equal lengths are flagged.

AuthSniper converts the Victim's response:

```json
{"id": 1, "balance": 500, "date": "2026-04"}
```

and the Attacker's response:

```json
{"id": 2, "balance": 999, "date": "2026-05"}
```

into structurally normalized skeletons that keep keys and value types and discard the values:

```text
{"id": NUMBER, "balance": NUMBER, "date": STRING}
{"id": NUMBER, "balance": NUMBER, "date": STRING}
```

The two skeletons match exactly, so the Attacker's token was served an object of the same shape as the Victim's. If the unauthenticated request does not receive that same shape, the endpoint is reported as a BOLA finding.

A structural match shows that the Attacker received a same-shaped object, not that it is the Victim's object: an endpoint that ignores the requested ID and returns the caller's own record produces an identical skeleton. Before reporting, confirm that the identifying values in the Attacker's response (the id or owner field, for example) belong to the Victim.
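The normalization and the three-request decision described above, as an added example in Go that is not part of AuthSniper's own code. It goes slightly beyond the flat example on the page: the skeleton is built recursively, so nested objects and arrays are normalized too, and the Victim/Attacker/unauthenticated triple is classified as BOLA, PUBLIC or NOT_VULNERABLE. The type and function names (Probe, Skeleton, Render, Classify), the verdict strings and the sample responses are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Probe holds one of the three responses compared per endpoint: victim token,
// attacker token, no token. Constructed for this example, not the tool's own type.
type Probe struct {
	Status int
	Body   []byte
}

// skeleton replaces every leaf value with its JSON type name while keeping keys
// and nesting. Arrays collapse to the skeleton of their first element, so lists
// of different length are still judged by element shape.
func skeleton(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, child := range t {
			out[k] = skeleton(child)
		}
		return out
	case []interface{}:
		if len(t) == 0 {
			return []interface{}{}
		}
		return []interface{}{skeleton(t[0])}
	case string:
		return "STRING"
	case float64: // encoding/json decodes every JSON number as float64
		return "NUMBER"
	case bool:
		return "BOOL"
	case nil:
		return "NULL"
	}
	return "UNKNOWN"
}

// Skeleton parses a JSON body into its structural skeleton.
func Skeleton(body []byte) (interface{}, error) {
	var v interface{}
	if err := json.Unmarshal(body, &v); err != nil {
		return nil, err
	}
	return skeleton(v), nil
}

// Render prints a skeleton. encoding/json sorts map keys, so the output is
// deterministic even though Go map iteration order is not.
func Render(sk interface{}) string {
	b, _ := json.Marshal(sk)
	return string(b)
}

const (
	VerdictBOLA   = "BOLA"           // attacker got the victim's shape, anonymous request did not
	VerdictPublic = "PUBLIC"         // anonymous request got the same shape: not an authz bug
	VerdictClean  = "NOT_VULNERABLE" // attacker's status or shape differs from the victim's
)

// Classify applies the three-request rule: report BOLA only when the attacker's
// response has the victim's status and skeleton AND the unauthenticated
// response does not; if it does, the endpoint is simply public.
func Classify(victim, attacker, unauth Probe) (string, error) {
	vs, err := Skeleton(victim.Body)
	if err != nil {
		return "", fmt.Errorf("victim response is not JSON: %w", err)
	}
	as, err := Skeleton(attacker.Body)
	if err != nil || attacker.Status != victim.Status || !reflect.DeepEqual(vs, as) {
		return VerdictClean, nil // HTML error page, other status, or other shape
	}
	us, err := Skeleton(unauth.Body)
	if err == nil && unauth.Status == victim.Status && reflect.DeepEqual(vs, us) {
		return VerdictPublic, nil
	}
	return VerdictBOLA, nil
}

func main() {
	// Constructed sample responses, modelled on the README's example.
	victim := Probe{200, []byte(`{"id": 1, "balance": 500, "date": "2026-04"}`)}
	attacker := Probe{200, []byte(`{"id": 2, "balance": 999, "date": "2026-05"}`)}
	unauth := Probe{401, []byte(`{"error": "unauthorized"}`)}
	for _, p := range []Probe{victim, attacker, unauth} {
		sk, _ := Skeleton(p.Body)
		fmt.Printf("%d %s\n", p.Status, Render(sk))
	}
	verdict, _ := Classify(victim, attacker, unauth)
	fmt.Println("verdict:", verdict)
}
```

Run it with `go run` to print the three skeletons and the verdict for the README's sample. The PUBLIC check catches open endpoints, but nothing in a purely structural comparison catches an endpoint that silently substitutes the caller's own record for the requested one; inspect the values of a flagged finding before reporting it.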
MIT License - Copyright (c) 2026 Mutasem-mk4
Developed by Mutasem Kharma (معتصم خرما), a Security Engineer and Open-Source Toolsmith specializing in eBPF, AI-powered security frameworks, and autonomous vulnerability hunting.
Explore more projects and technical deep-dives at mutasem-portfolio.vercel.app.