一键在 Manus 中运行任何 Skill

$pwd:

idor-blast-radius

Name: Idor Blast Radius
Author: vigolium

// When you find an Insecure Direct Object Reference (a URL/body parameter that lets you read or write another user's object), quantify the blast radius — how many records reachable, what data class, whether write is also unauthorized — and persist a finding sized by real impact rather than by the existence of the flaw. Use when an ID parameter (numeric, UUID, hash, slug) changes the response content across IDs, when CWE-639/CWE-284 was flagged, or when an audit finding hints at object-level access control gaps.

在 Manus 中运行

$ git log --oneline --stat

stars:586

forks:90

updated:2026年5月23日 16:43

SKILL.md

readonly

name	idor-blast-radius
description	When you find an Insecure Direct Object Reference (a URL/body parameter that lets you read or write another user's object), quantify the blast radius — how many records reachable, what data class, whether write is also unauthorized — and persist a finding sized by real impact rather than by the existence of the flaw. Use when an ID parameter (numeric, UUID, hash, slug) changes the response content across IDs, when CWE-639/CWE-284 was flagged, or when an audit finding hints at object-level access control gaps.
license	MIT
allowed-tools	["query_records","inspect_record","replay_request","report_finding","update_finding","remember","update_plan"]

IDOR → Blast-Radius Sizing

You have an IDOR candidate: an endpoint where flipping an ID parameter returns a different object than the one you own. Your job is to size the impact (how many objects reachable, what data class, read vs write) and persist a finding that reflects real severity, not theoretical.

When this skill applies

A URL path or query param looks like /users/{id}, /orders/{id}, /files/{uuid}, /exports/{slug} — and changing the ID changes the response in a way the auth context shouldn't allow.
Two different sessions return the same object when the ID matches — i.e., the server doesn't filter by current_user.
CWE-639 / CWE-284 / "BOLA" / "Broken Object Level Authorization" in an audit finding.

Don't run this on endpoints that are intentionally cross-user public (/users/{id}/profile is sometimes public; check before claiming).

Workflow

1. Confirm the IDOR is unauthorized

Two probes via replay_request on the suspect record:

Replay with your own ID + your own session → baseline.
Replay with a neighboring ID (your_id ± 1, or another known ID from query_records) + your own session → if the response is a different object's data (different email, different content), the IDOR exists.

If the second probe returns 403/404, the auth check works; this isn't IDOR. Move on.

2. Classify the ID space

Look at the IDs you've seen across query_records for this endpoint:

Sequential numeric (1, 2, 3, 5, 6...): full enumeration trivial.
Sequential numeric with gaps (1004, 1009, 1011...): still trivial, just probe a range.
UUID v4 (a1b2c3d4-...): not enumerable from outside — need a source of IDs. Check if any endpoint leaks them (a list endpoint, a comment thread, a referer header).
Short hash (a3f9, 7c2k): probably enumerable; collisions are the harder constraint than auth.
Slug (order-john-2024-001): semi-predictable; try permutations.

remember the ID format as idor-id-space.

3. Size — don't enumerate all

Sample, don't crawl. Probe 20-50 IDs maximum chosen to cover the space:

10 IDs near yours (your_id ± 5).
10 IDs near the low end (1-10 if numeric).
10 IDs near a high end you can estimate.

Count, per response code, how many returned someone else's data. Project the total: if 28/30 sampled IDs returned a valid record, and IDs run 1-50000, the blast radius is "all 50k users". State the projection in the finding, not a literal 50000 requests.

remember the count as idor-reachable.

4. Determine data class

For 1-3 of the leaked records, note what data is exposed. Categorize:

PII (email, name, address, phone, DOB) — minimum severity high.
Credentials (password hash, API key, session token) — critical.
Financial (account balance, payment method, transaction history) — critical.
Content (private messages, files, drafts) — high.
Metadata only (created_at, IDs) — medium.

5. Check the write path

Try PUT / POST / PATCH / DELETE with the same other-user ID and the same body the legitimate user would send. Do not destructively modify. If PUT /users/{other_id} {role: "admin"} returns 200, that's the write path proven — note it, do NOT actually elevate.

Read-IDOR is high; write-IDOR is critical. Read-IDOR-to-admin-write is "contact the customer ASAP" critical.

6. Persist the finding

report_finding:

severity: based on (data class) × (read|write) — see the table above.
title: include the endpoint, the ID type, and the blast: "IDOR on GET /api/orders/{id} reads all 12k+ orders; sequential numeric ID".
cwe_id: CWE-639.
description: 3-4 sentences — the endpoint, the IDs probed, the count reached, the data class observed, whether write is also affected.
Include 1 sample row from another user (masked: ***@***).

Pitfalls

Don't paste 50 real emails / names / records into the finding. One masked sample is enough; the count + projection is what matters.
A 200 with empty body is not a leak — check the body for actual other-user data.
"I got data" + "I'm an admin in this app" = not IDOR; you're allowed to see it. Make sure your session is a regular user role.
Some APIs return 200 with {error: "not found"} for IDs you don't own — that's the auth check working. Read the body before claiming.
Cross-tenant IDOR (tenant boundary, not user boundary) is the worst flavor; flag it explicitly in the title.

Output expectations

One finding per IDOR pattern (not per ID probed).
A remember note with the canonical proof request and projection.
Plan item marked done.

related-skills.json

同仓库

audit-auth.md

from "vigolium/vigolium"

Audit authentication and session-management code for common issues — weak JWT config, session fixation, password-handling flaws, insecure cookies, broken OAuth flows, and missing auth checks on routes. Use when the user asks to review auth code or when source-aware scanning targets login/session/token handling.

2026-05-23586

command-injection-rce.md

from "vigolium/vigolium"

Turn suspected OS command injection (a parameter that lands in a shell or a child process) into proof of remote code execution via an OAST callback, plus one safe demonstration of follow-on impact (read a file, list users, env dump). Use when a parameter feeds an exec/spawn/system call, when payloads with $(), `` ` ``, `;`, `|`, `&&` cause response differences, or when audit flags CWE-78 / CWE-77. Never sends destructive commands.

2026-05-23586

escalate-auth-bypass.md

from "vigolium/vigolium"

Turn a suspected or confirmed authentication/authorization bypass into impact — admin access, session takeover, privilege escalation, or cross-tenant read. Use when you find a missing auth check on a route, a weak JWT verifier, a session cookie that's predictable or reusable across users, a privilege field client-controllable, or an audit finding tagged CWE-287/CWE-863/CWE-639. Walks from probe to admin-equivalent capability and persists a finding with the highest-impact action you reached.

2026-05-23586

sqli-to-data-exfil.md

from "vigolium/vigolium"

Escalate a suspected or confirmed SQL injection into proof-level data exfiltration. Use when you spot an SQL error in a response, a record from a prior scan flagged a SQLi pattern, or boolean/time differentials indicate the payload reaches the query parser. Walks from probe → confirm → enumerate → exfil with payload-class-aware techniques (in-band, blind boolean, blind time, blind OAST) and ends by persisting a concrete finding with the leaked sample.

2026-05-23586

ssrf-to-internal-service-breach.md

from "vigolium/vigolium"

Escalate a suspected or confirmed Server-Side Request Forgery into proof of internal-service access — cloud metadata, internal-only APIs, database greetings, or redacted-but-fetchable HTTP. Use when a parameter takes a URL (image proxy, webhook, fetcher, URL preview, PDF render) and the server reaches outbound on your behalf, or when an audit finding tags CWE-918. Confirms reachability via OAST, then walks targeted internal endpoints, ending with a finding sized by the highest-value asset reached.

2026-05-23586

triage-finding.md

from "vigolium/vigolium"

Deduplicate, prioritize, and sanity-check a list of raw scanner findings. Use after a dynamic scan completes or when the user asks to review a findings dump. Produces a triaged list with severity adjustments, false-positive calls, and exploitability notes.

2026-05-23586

package.json

"author": "vigolium"

"repository": "vigolium/vigolium"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

信息安全分析师计算机与数学类职业15-1212L4

name	idor-blast-radius
description	When you find an Insecure Direct Object Reference (a URL/body parameter that lets you read or write another user's object), quantify the blast radius — how many records reachable, what data class, whether write is also unauthorized — and persist a finding sized by real impact rather than by the existence of the flaw. Use when an ID parameter (numeric, UUID, hash, slug) changes the response content across IDs, when CWE-639/CWE-284 was flagged, or when an audit finding hints at object-level access control gaps.
license	MIT
allowed-tools	["query_records","inspect_record","replay_request","report_finding","update_finding","remember","update_plan"]

IDOR → Blast-Radius Sizing

When this skill applies

A URL path or query param looks like /users/{id}, /orders/{id}, /files/{uuid}, /exports/{slug} — and changing the ID changes the response in a way the auth context shouldn't allow.
Two different sessions return the same object when the ID matches — i.e., the server doesn't filter by current_user.
CWE-639 / CWE-284 / "BOLA" / "Broken Object Level Authorization" in an audit finding.

Don't run this on endpoints that are intentionally cross-user public (/users/{id}/profile is sometimes public; check before claiming).

Workflow

1. Confirm the IDOR is unauthorized

Two probes via replay_request on the suspect record:

Replay with your own ID + your own session → baseline.
Replay with a neighboring ID (your_id ± 1, or another known ID from query_records) + your own session → if the response is a different object's data (different email, different content), the IDOR exists.

If the second probe returns 403/404, the auth check works; this isn't IDOR. Move on.

2. Classify the ID space

Look at the IDs you've seen across query_records for this endpoint:

Sequential numeric (1, 2, 3, 5, 6...): full enumeration trivial.
Sequential numeric with gaps (1004, 1009, 1011...): still trivial, just probe a range.
UUID v4 (a1b2c3d4-...): not enumerable from outside — need a source of IDs. Check if any endpoint leaks them (a list endpoint, a comment thread, a referer header).
Short hash (a3f9, 7c2k): probably enumerable; collisions are the harder constraint than auth.
Slug (order-john-2024-001): semi-predictable; try permutations.

remember the ID format as idor-id-space.

3. Size — don't enumerate all

Sample, don't crawl. Probe 20-50 IDs maximum chosen to cover the space:

10 IDs near yours (your_id ± 5).
10 IDs near the low end (1-10 if numeric).
10 IDs near a high end you can estimate.

remember the count as idor-reachable.

4. Determine data class

For 1-3 of the leaked records, note what data is exposed. Categorize:

PII (email, name, address, phone, DOB) — minimum severity high.
Credentials (password hash, API key, session token) — critical.
Financial (account balance, payment method, transaction history) — critical.
Content (private messages, files, drafts) — high.
Metadata only (created_at, IDs) — medium.

5. Check the write path

Read-IDOR is high; write-IDOR is critical. Read-IDOR-to-admin-write is "contact the customer ASAP" critical.

6. Persist the finding

report_finding:

severity: based on (data class) × (read|write) — see the table above.
title: include the endpoint, the ID type, and the blast: "IDOR on GET /api/orders/{id} reads all 12k+ orders; sequential numeric ID".
cwe_id: CWE-639.
description: 3-4 sentences — the endpoint, the IDs probed, the count reached, the data class observed, whether write is also affected.
Include 1 sample row from another user (masked: ***@***).

Pitfalls

Don't paste 50 real emails / names / records into the finding. One masked sample is enough; the count + projection is what matters.
A 200 with empty body is not a leak — check the body for actual other-user data.
"I got data" + "I'm an admin in this app" = not IDOR; you're allowed to see it. Make sure your session is a regular user role.
Some APIs return 200 with {error: "not found"} for IDs you don't own — that's the auth check working. Read the body before claiming.
Cross-tenant IDOR (tenant boundary, not user boundary) is the worst flavor; flag it explicitly in the title.

Output expectations

One finding per IDOR pattern (not per ID probed).
A remember note with the canonical proof request and projection.
Plan item marked done.

idor-blast-radius

IDOR → Blast-Radius Sizing

When this skill applies

Workflow

1. Confirm the IDOR is unauthorized

2. Classify the ID space

3. Size — don't enumerate all

4. Determine data class

5. Check the write path

6. Persist the finding

Pitfalls

Output expectations

同仓库更多 Skills

IDOR → Blast-Radius Sizing

When this skill applies

Workflow

1. Confirm the IDOR is unauthorized

2. Classify the ID space

3. Size — don't enumerate all

4. Determine data class

5. Check the write path

6. Persist the finding

Pitfalls

Output expectations

同仓库更多 Skills