ahmad-ubaidillah/IDOR Vulnerability Testing
aizen-gate/skills-reference/.agent/skills/idor-testing/SKILL.md
This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data." It provides comprehensive guidance for detecting, exploiting, and remediating IDOR vulnerabilities in web applications.
development
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add ahmad-ubaidillah/aizen-gate IDOR Vulnerability TestingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 9:32 AM56.2s25 files scanned
SKILL.md
- name:
- IDOR Vulnerability Testing
- description:
- This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data." It provides comprehensive guidance for detecting, exploiting, and remediating IDOR vulnerabilities in web applications.
- author:
- zebbern
- version:
- 4.1.0-fractal
IDOR Vulnerability Testing
Purpose
Provide systematic methodologies for identifying and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. This skill covers both database object references and static file references, detection techniques using parameter manipulation and enumeration, exploitation via Burp Suite, and remediation strategies for securing applications against unauthorized access.
Inputs / Prerequisites
- Target Web Application: URL of application with user-specific resources
- Multiple User Accounts: At least two test accounts to verify cross-user access
- Burp Suite or Proxy Tool: Intercepting proxy for request manipulation
- Authorization: Written permission for security testing
- Understanding of Application Flow: Knowledge of how objects are referenced (IDs, filenames)
Outputs / Deliverables
- IDOR Vulnerability Report: Documentation of discovered access control bypasses
- Proof of Concept: Evidence of unauthorized data access across user contexts
- Affected Endpoints: List of vulnerable API endpoints and parameters
- Impact Assessment: Classification of data exposure severity
- Remediation Recommendations: Specific fixes for identified vulnerabilities
Core Workflow
🧠 Knowledge Modules (Fractal Skills)
1. 1. Understand IDOR Vulnerability Types
2. 2. Reconnaissance and Setup
3. 3. Detection Techniques
4. 4. Exploitation with Burp Suite
5. 5. Common IDOR Locations
6. IDOR Testing Checklist
7. Response Analysis
8. Common Vulnerable Parameters
9. Operational Boundaries
10. Detection Challenges
11. Legal Requirements
12. Example 1: Basic ID Parameter IDOR
13. Example 2: IDOR in Address Update Endpoint
14. Example 3: Static File IDOR
15. Example 4: Burp Intruder Enumeration
16. Example 5: Horizontal to Vertical Escalation
17. Issue: All Requests Return 403 Forbidden
18. Issue: Application Uses UUIDs Instead of Sequential IDs
19. Issue: Session Token Bound to User
20. Issue: Rate Limiting Blocks Enumeration
21. Issue: Cannot Verify IDOR Impact
22. Implement Proper Access Control
23. Use Indirect References
24. Server-Side Validation
Related Skills
ahmad-ubaidillah/angular
development
VerifiedTrustedCommunity
Modern Angular (v20+) expert with deep knowledge of Signals, Standalone Components, Zoneless applications, SSR/Hydration, and reactive patterns.
SKILL.mdUpdated Mar 28, 2026
ahmad-ubaidillah/angular-ui-patterns
development
VerifiedTrustedCommunity
Modern Angular UI patterns for loading states, error handling, and data display. Use when building UI components, handling async data, or managing component states.
SKILL.mdUpdated Mar 28, 2026
ahmad-ubaidillah/angular-state-management
tools
VerifiedTrustedCommunity
Master modern Angular state management with Signals, NgRx, and RxJS. Use when setting up global state, managing component stores, choosing between state solutions, or migrating from legacy patterns.
SKILL.mdUpdated Mar 28, 2026
ahmad-ubaidillah/angular-migration
development
VerifiedTrustedCommunity
Migrate from AngularJS to Angular using hybrid mode, incremental component rewriting, and dependency injection updates. Use when upgrading AngularJS applications, planning framework migrations, or ...
SKILL.mdUpdated Mar 28, 2026