Habilidades IDOR Vulnerability Testing
đź”’

IDOR Vulnerability Testing

Baixo Risco ⚙️ Comandos externos

Test Web Applications for IDOR Vulnerabilities

Também disponível em: zebbern

Identify insecure direct object reference vulnerabilities that allow unauthorized access to user data. Learn systematic methodologies for detecting access control bypasses through parameter manipulation and enumeration techniques.

Suporta: Claude Codex Code(CC)
đź“Š 70 Adequado
1

Baixar o ZIP da skill

2

Upload no Claude

Vá em Configurações → Capacidades → Skills → Upload skill

3

Ative e comece a usar

Testar

A utilizar "IDOR Vulnerability Testing". Test example.com/api/profile?id=1001 for IDOR vulnerabilities

Resultado esperado:

Starting IDOR vulnerability assessment...

Test 1: Increment/Decrement ID
Original: GET /api/profile?id=1001 → Returns user_1001 data
Modified: GET /api/profile?id=1000 → Returns user_1000 data

VULNERABILITY CONFIRMED: Horizontal privilege escalation detected. Application returns other users' profile data without verifying ownership.

Affected Endpoints:
- /api/profile?id={id}
- /api/user/{id}

Recommended Fix: Implement server-side ownership check comparing request.user.id with requested profile id before returning data.

A utilizar "IDOR Vulnerability Testing". Configure Burp Suite Intruder to enumerate invoice IDs

Resultado esperado:

Burp Suite Intruder Configuration:

1. Send GET /api/invoice/123 to Intruder (Ctrl+I)
2. Set payload position on '123' in the URL
3. Attack Type: Sniper
4. Payloads:
- Type: Numbers
- From: 1
- To: 500
- Step: 1
5. Start Attack

Analysis Guide:
- Filter for 200 OK status codes
- Check response content for different invoice data
- Verify if any 200 responses belong to other users
- Look for 403/404 patterns to identify valid vs invalid IDs

Risk: If 200 responses return other users' invoice data, this is a critical IDOR vulnerability exposing sensitive financial information.

A utilizar "IDOR Vulnerability Testing". Generate remediation code for the discovered IDOR vulnerability

Resultado esperado:

REMEDIATION: Address Update IDOR

Current Vulnerable Code:
def update_address(request, address_id):
address = Address.objects.get(id=address_id)
address.update(request.data) # No ownership check!

Secure Implementation:

Option 1 - Ownership Validation:
```python
def update_address(request, address_id):
address = get_object_or_404(Address, id=address_id)
if address.user_id != request.user.id:
return HttpResponseForbidden('Unauthorized')
address.update(request.data)
return JsonResponse({'status': 'success'})
```

Option 2 - Indirect Reference Pattern:
```python
def update_address(request):
# Always filter by authenticated user
address = get_object_or_404(Address, user=request.user)
address.update(request.data)
return JsonResponse({'status': 'success'})
```

Recommendation: Use Option 2 (indirect references) as it prevents IDOR by design rather than relying on validation checks.

Auditoria de Segurança

Baixo Risco
v1 • 2/25/2026

Static analysis detected 80 external command patterns flagged as Ruby/shell backtick execution. After evaluation, all findings are FALSE POSITIVES - the backticks appear exclusively in Markdown code blocks as educational examples demonstrating IDOR vulnerability testing techniques. The skill provides legitimate security testing guidance for authorized penetration testing activities. No actual executable code or command injection risks present.

1
Arquivos analisados
443
Linhas analisadas
2
achados
1
Total de auditorias
Problemas de Baixo Risco (1)
SKILL.md:37-442
False Positive: Markdown Code Block Detection
Static analyzer flagged 80 instances of Ruby/shell backtick execution patterns. These all occur within Markdown code blocks (lines 37-442) as educational examples showing URL structures, API requests, and command configurations. No executable code present in the skill file - it is pure documentation for authorized security testing.

Fatores de risco

⚙️ Comandos externos (80)
SKILL.md:37-43 SKILL.md:43-47 SKILL.md:47-53 SKILL.md:53-58 SKILL.md:58-61 SKILL.md:61-65 SKILL.md:65-66 SKILL.md:66-67 SKILL.md:67-68 SKILL.md:68-69 SKILL.md:69-72 SKILL.md:72-80 SKILL.md:80-85 SKILL.md:85-95 SKILL.md:95-98 SKILL.md:98-108 SKILL.md:108-111 SKILL.md:111-118 SKILL.md:118-123 SKILL.md:123-132 SKILL.md:132-135 SKILL.md:135-146 SKILL.md:146-149 SKILL.md:149-157 SKILL.md:157-162 SKILL.md:162-171 SKILL.md:171-174 SKILL.md:174-179 SKILL.md:179-182 SKILL.md:182-188 SKILL.md:188-196 SKILL.md:196 SKILL.md:196-199 SKILL.md:199 SKILL.md:199-200 SKILL.md:200-201 SKILL.md:201-218 SKILL.md:218 SKILL.md:218 SKILL.md:218 SKILL.md:218-219 SKILL.md:219 SKILL.md:219 SKILL.md:219 SKILL.md:219-220 SKILL.md:220 SKILL.md:220 SKILL.md:220-221 SKILL.md:221 SKILL.md:221 SKILL.md:221-222 SKILL.md:222 SKILL.md:222 SKILL.md:222 SKILL.md:222-248 SKILL.md:248-263 SKILL.md:263-266 SKILL.md:266-288 SKILL.md:288-291 SKILL.md:291-303 SKILL.md:303-306 SKILL.md:306-324 SKILL.md:324-327 SKILL.md:327-338 SKILL.md:338-345 SKILL.md:345-352 SKILL.md:352-357 SKILL.md:357-364 SKILL.md:364-369 SKILL.md:369-376 SKILL.md:376-381 SKILL.md:381-388 SKILL.md:388-393 SKILL.md:393-400 SKILL.md:400-405 SKILL.md:405-416 SKILL.md:416-419 SKILL.md:419-427 SKILL.md:427-430 SKILL.md:430-442
Auditado por: claude

Pontuação de qualidade

38
Arquitetura
100
Manutenibilidade
87
ConteĂşdo
50
Comunidade
88
Segurança
74
Conformidade com especificações

O Que VocĂŞ Pode Construir

Penetration Testing Web Applications

Security professionals conduct authorized penetration tests to identify IDOR vulnerabilities in client applications before malicious actors discover them

Application Security Audits

Development teams validate access control implementations during security reviews or as part of secure development lifecycle processes

Bug Bounty Hunting

Independent researchers systematically test applications for IDOR flaws to earn rewards through responsible disclosure programs

Tente Estes Prompts

Basic IDOR Test 
Test the application at example.com for IDOR vulnerabilities. I have two user accounts (user1@test.com and user2@test.com). Walk me through the process of checking if I can access user2's data while authenticated as user1.
API Endpoint IDOR Enumeration 
Help me configure Burp Suite Intruder to test /api/user/{id} and /api/order/{orderId} endpoints for IDOR vulnerabilities. Set up a sniper attack with numeric payloads from 1 to 1000 and show me how to analyze the results.
Advanced IDOR with HTTP Method Switching 
The GET requests to /api/admin/users/{id} return 403 Forbidden. Show me how to test for IDOR using HTTP method switching (POST, PUT, PATCH) and parameter pollution techniques to bypass access controls.
File Download IDOR and Remediation 
I found an IDOR vulnerability in /download/receipt_{id}.pdf where I can access other users' receipts. Generate a proof-of-concept report and provide Python code examples showing proper access control implementation to fix this issue.

Melhores Práticas

  • Always obtain written authorization before conducting IDOR testing on production systems. Document all testing activities and findings for proper reporting.
  • Create dedicated test accounts for security assessment rather than using real user data. Use clearly identifiable data (e.g., 'IDOR_TEST_USER') to verify access without exposing actual personal information.
  • Combine multiple testing techniques: parameter manipulation, HTTP method switching, and automated enumeration. Some IDOR vulnerabilities only surface through specific request patterns.

Evitar

  • Never test IDOR vulnerabilities on applications without explicit permission. Unauthorized access control testing is illegal and violates computer fraud laws.
  • Avoid modifying or deleting data during IDOR testing. Only perform read operations to verify vulnerability existence. Data modification can cause production issues and legal liability.
  • Do not assume that randomized identifiers (UUIDs/GUIDs) prevent IDOR. UUIDs can sometimes be enumerated through API responses, JavaScript files, or time-based prediction algorithms.

Perguntas Frequentes

What is an IDOR vulnerability?
IDOR (Insecure Direct Object Reference) occurs when an application exposes direct references to internal objects like database records or files, allowing attackers to manipulate those references to access other users' data without proper authorization checks.
Is this skill only for security professionals?
While designed for security professionals, developers can also use this skill to understand IDOR attack vectors and write more secure code. The skill provides remediation examples that help prevent these vulnerabilities during development.
Do I need Burp Suite to use this skill?
Burp Suite is recommended for advanced testing but not strictly required. The skill also covers manual testing with browser developer tools, curl, and other HTTP clients. Basic IDOR testing can be performed with any tool that allows request modification.
Can this skill detect all types of IDOR vulnerabilities?
No. The skill focuses on the most common IDOR patterns (sequential IDs, parameter manipulation). Some advanced IDOR variants like time-based blind IDOR, UUID prediction attacks, or chained vulnerabilities may require additional techniques beyond the scope of this skill.
Is it legal to test applications for IDOR vulnerabilities?
Only with explicit written authorization from the application owner. Unauthorized security testing is illegal in most jurisdictions. This skill should only be used for authorized penetration testing, bug bounty programs, or applications you own.
What should I do if I find an IDOR vulnerability?
Document the finding with screenshots and reproduction steps. Report through responsible disclosure channels: bug bounty programs, security@ email, or direct contact with the application owner. Do not publicly disclose details until the vulnerability is fixed.

Detalhes do Desenvolvedor

Autor

sickn33

Licença

MIT

RepositĂłrio

https://github.com/sickn33/antigravity-awesome-skills/tree/main/web-app/public/skills/idor-testing

ReferĂŞncia

main

Estrutura de arquivos

đź“„ SKILL.md