By name: IDOR Vulnerability Testing description: This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data." It provides comprehensive guidance for detecting, exploiting, and remediating IDOR vulnerabilities in web applications. metadata: author: zebbern version: 4.1.0-fractal
IDOR Vulnerability Testing
Purpose
Provide systematic methodologies for identifying and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. This skill covers both database object references and static file references, detection techniques using parameter manipulation and enumeration, exploitation via Burp Suite, and remediation strategies for securing applications against unauthorized access.
Inputs / Prerequisites
- Target Web Application: URL of application with user-specific resources
- Multiple User Accounts: At least two test accounts to verify cross-user access
- Burp Suite or Proxy Tool: Intercepting proxy for request manipulation
- Authorization: Written permission for security testing
- Understanding of Application Flow: Knowledge of how objects are referenced (IDs, filenames)
Outputs / Deliverables
- IDOR Vulnerability Report: Documentation of discovered access control bypasses
- Proof of Concept: Evidence of unauthorized data access across user contexts
- Affected Endpoints: List of vulnerable API endpoints and parameters
- Impact Assessment: Classification of data exposure severity
- Remediation Recommendations: Specific fixes for identified vulnerabilities