Hadrian is an open-source API authorization testing framework built by Praetorian. It automates the detection of authorization vulnerabilities like BOLA (Broken Object Level Authorization) and BFLA (Broken Function Level Authorization) across REST, GraphQL, and gRPC APIs using role-based permutation testing and YAML-driven security templates.

Hadrian ships with 30 built-in security templates covering the OWASP API Security Top 10, including Broken Object Level Authorization (API1:2023), Broken Authentication (API2:2023), Broken Object Property Level Authorization (API3:2023), Broken Function Level Authorization (API5:2023), and excessive data exposure. Custom templates can be added for application-specific logic.

Autorize and AuthMatrix are Burp Suite extensions that require manual browsing or configuration. Autorize only tests endpoints you visit during your session, and AuthMatrix requires manually configuring a matrix of roles and endpoints. Hadrian reads the API specification directly, generates every attacker-victim role permutation automatically, and supports GraphQL and gRPC in addition to REST. It also uses three-phase mutation testing to prove write/delete vulnerabilities actually succeeded.

Yes. Hadrian supports REST (via OpenAPI specs), GraphQL (via introspection or SDL schema), and gRPC (via proto files) under a unified testing framework. Each protocol gets vulnerability templates designed for its specific attack surface, including GraphQL-specific checks like query depth attacks, batching abuse, and circular fragment exploitation.

Mutation testing is Hadrian’s method for proving that write and delete vulnerabilities actually succeeded. Phase 1 (Setup) creates a resource as the victim. Phase 2 (Attack) attempts to modify or delete that resource as the attacker. Phase 3 (Verify) checks whether the resource was actually changed. This eliminates false positives from APIs that return 200 OK without actually performing the unauthorized action.