Skills
.Work. You
Rest

graphql-idor

Community

Find GraphQL IDOR and auth bypasses fast.

Software Engineering#authorization#jwt#graphql#introspection#vulnerability-testing#idor#batch-enumeration
Authorcuongnguyen-git
Version1.0.0
Installs0

System Documentation

What problem does it solve?

This Skill helps you detect GraphQL authorization failures where a user can access or mutate data they don’t own, including IDOR-style horizontal privilege escalation and risky client-controlled arguments.

Core Features & Use Cases

  • Introspection probing to learn the available schema and operations while respecting the workflow’s guardrails.
  • Authentication boundary testing to compare unauthenticated, baseline authorized, and cross-user access behavior for queries and mutations.
  • Client-controlled ID argument checks to validate whether parameters like userId or resource IDs are properly constrained server-side.
  • Batch enumeration checks to determine whether a single query leaks data across users.
  • Unauthed mutation attempts to catch overly permissive mutation endpoints.

Quick Start

Run the graphql-idor skill against your in-scope GraphQL endpoint (or a path to your recon/target directory) and provide any required Authorization Bearer header so it can test authorization boundaries and validate suspected IDOR behavior.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: graphql-idor
Download link: https://github.com/cuongnguyen-git/bug-bounty/archive/main.zip#graphql-idor

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 471,000+ vetted skills library on demand.