exploiting-idor-vulnerabilities

Community

Find and validate IDOR to confirm access controls

Author: Acczdy
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Identifies and confirms Insecure Direct Object Reference (IDOR) weaknesses that allow attackers to access or modify resources by manipulating object identifiers, helping teams detect missing object-level authorization in APIs and web applications.

Core Features & Use Cases

  • Mapping & Enumeration: Discover endpoints and predictable ID patterns (numeric IDs, UUIDs, slugs) across an application to identify enumeration opportunities.
  • Cross-Session Comparison: Replay requests across multiple authenticated sessions to detect horizontal and vertical IDOR via response comparison.
  • Write & Vertical Tests: Validate write-based IDOR (PUT/DELETE) and attempt to reach admin or otherwise elevated endpoints using lower-privileged credentials.
  • Tooling Integration & Reporting: Works with Burp Suite, ffuf, curl, and includes a Python agent to automate tests and produce structured reports.
  • Use Case: Use during authorized penetration tests or bug bounty assessments to prove object-level authorization failures and gather reproducible evidence for remediation.

Quick Start

Run the exploiting-idor-vulnerabilities agent against a staging API using two authenticated accounts to enumerate object IDs and verify access controls.

Dependency Matrix

Required Modules

requests

Components

scripts, references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: exploiting-idor-vulnerabilities
Download link: https://github.com/Acczdy/MoZiSec/archive/main.zip#exploiting-idor-vulnerabilities

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
