orm-filter-data-leak

Official

Exploit ORM filters to leak joined table data

Authordreadnode
Version1.0.0
Installs0

System Documentation

What problem does it solve?

Web applications using ORMs often expose search and filter endpoints that allow attackers to traverse relationships between database tables, accessing sensitive data from joined models that should not be publicly available, resulting in unintended data leaks.

Core Features & Use Cases

  • ORM Filter Syntax Detection: Identifies common ORM filter patterns including double underscores, dot notation, and nested object syntax in endpoint parameters.
  • Relationship Traversal Probes: Provides pre-built payloads to test traversal of model relationships and access fields from related tables.
  • Use Case: A red teamer testing a Django user management API can use this skill to check if the /api/users endpoint allows accessing sensitive SSN fields from user profile models via filters like profile__ssn__startswith=1.

Quick Start

Use the orm-filter-data-leak skill to test the /api/users endpoint for sensitive data leaks by sending filter payloads that traverse user profile relationships to access hidden SSN fields.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: orm-filter-data-leak
Download link: https://github.com/dreadnode/capabilities/archive/main.zip#orm-filter-data-leak

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 537,000+ vetted skills library on demand.