What is an IDOR vulnerability?

Insecure Direct Object Reference (IDOR) occurs when an application provides direct access to objects based on user-supplied input without performing an adequate authorization check.

Can this skill help with API security audits?

Absolutely. It covers common API patterns including RESTful parameters, JSON request bodies, and switching between different HTTP methods to bypass protections.

Does this skill work with automated security tools?

Yes, it provides specific instructions and workflows for integrating with proxy tools like Burp Suite for automated enumeration and manual request manipulation.

Is this suitable for testing applications that use UUIDs?

Yes, it includes advanced techniques for discovering and testing UUID/GUID references which are frequently used to obfuscate predictable object IDs.

How can I prevent IDOR vulnerabilities in my code?

The skill provides remediation guidance such as implementing robust server-side access control checks for every request and using indirect or session-bound references.

IDOR Vulnerability Testing

Name: IDOR Vulnerability Testing
Author: zebbern

byzebbern

•

2,883

•

보안 및 테스팅

Conducts systematic security audits to identify and mitigate Insecure Direct Object Reference (IDOR) vulnerabilities in web applications and APIs.

This skill provides a comprehensive framework for security professionals and developers to detect, exploit, and remediate IDOR vulnerabilities. It covers a wide range of attack vectors including database object references, static file enumeration, and manipulation of RESTful API endpoints. By utilizing detailed methodologies for parameter manipulation, HTTP method switching, and automated Burp Suite techniques, users can rigorously test authorization boundaries and ensure robust data protection across multi-user environments. It also includes specific remediation guidance to help developers implement secure access control patterns.

주요 기능

01Detailed troubleshooting guides for bypassing common defenses like UUIDs and rate limiting

02Advanced manipulation techniques including HTTP method switching and parameter pollution

03Systematic methodologies for detecting IDOR in URLs, request bodies, and headers

04Automated enumeration workflows using industry-standard tools like Burp Suite Intruder

05Actionable remediation strategies and code-level fixes for developers

062,883 GitHub stars

사용 사례

01Auditing API endpoints to ensure users cannot access or modify other users' data

02Performing security penetration tests on web applications to find authorization bypasses

03Implementing defensive coding patterns to prevent broken access control during the development lifecycle

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add zebbern/claude-code-guide idor-testing

For use in Claude.ai and ChatGPT

Download Skill