idor-broken-object-authorization

What problem does it solve?

Provides a systematic playbook to discover and validate insecure direct object references, broken object-level authorization (BOLA), and related function-level flaws across web and API surfaces so testers stop missing high-impact, low-noise vulnerabilities.

Core Features & Use Cases

• Comprehensive discovery methodology: A-B testing workflow to compare requests between accounts, mapping all locations where object IDs appear (path, query, body, headers, cookies, GraphQL args, WebSockets).
• Multi-vector exploitation checklist: HTTP verb escalation, parameter pollution, type confusion, mass-assignment, state-machine abuse, indirect IDOR via reference chains, and nested/sub-resource attacks.
• Backend-specific techniques: Guidance for ORM filter-injection (Django, Prisma, Ransack) and predictable UUID/ID enumeration to extract or manipulate data.
• Use Cases: Bug bounty reports, penetration tests, API security reviews, CTF challenges, and defensive audits to harden authorization logic.

Quick Start

Create two accounts, perform all actions as AccountA while capturing requests, then replay those requests as AccountB to determine if AccountB can read or modify AccountA's resources.