skills/idor/SKILL.md
Use when testing Insecure Direct Object Reference, IDOR, broken object-level authorization, cross-account access, tenant isolation, user ID tampering, or resource ownership checks.
Install with:

```shell
npx skillsauth add ghostonbutterbread/bug-bounty-harness idor
```
Test for Insecure Direct Object Reference vulnerabilities.
For broader broken access control work, start with /access-control. Use /idor when the observed surface is specifically object-level authorization, BOLA, cross-account object access, tenant/object ID swapping, or hidden object handles.
Read shared state in this order before testing:
- /account-management registry at $HARNESS_SHARED_BASE/{program}/credentials/account_inventory.json
- notes/summary.md
- notes/observations.md
- checklist.md (IDOR items only)
- todo.md (IDOR items only)

Use the registry to identify owned account aliases, user IDs, PwnFox colors, resource IDs, owner relationships, and destructible/cleanup status before swapping any object identifier.
Use agents/bypass_harness.py in --type idor mode for first-pass ID swapping and header-trick coverage. Expand manually for multi-step workflows, write actions, and role-bound objects once you identify a promising reference.
```shell
python agents/bypass_harness.py --target https://target.com/api/v1/orders/123 \
  --type idor --program target --concurrency 5 --rps 2
```
| Mode | Use When | What It Tests |
|------|----------|---------------|
| horizontal-read | One user can see another user's object | Read access control on object fetches |
| horizontal-write | Mutable resources exist | Update or delete authorization on peer objects |
| vertical | Admin or privileged resources are exposed via IDs | Role boundary enforcement |
| workflow | IDs appear across multi-step flows | Ownership checks at each transition |
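The table describes what the harness probes from the outside; the server-side counterpart is an object-level authorization check on every handler that takes an object id. The following is an added example, not code from the harness or the skill, using constructed users and orders: an ownership-blind fetch sits beside handlers that enforce the check for each mode (horizontal read, horizontal write, vertical role boundary, and a multi-step workflow that re-authorizes the id at every transition), and `run_idor_checks` reports which controls held.

```python
"""Object-level authorization for the four IDOR modes (added example, constructed data)."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the actor may not touch the requested object."""


@dataclass
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Order:
    id: int
    owner_id: int
    status: str = "draft"  # workflow: draft -> submitted -> shipped


# Constructed sample data: two peer users and one admin.
USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}
ORDERS: dict[int, Order] = {}
TRANSITIONS = {"draft": "submitted", "submitted": "shipped"}


def reset_store() -> None:
    """Rebuild the in-memory store so checks can be re-run from a known state."""
    ORDERS.clear()
    ORDERS.update({
        100: Order(100, owner_id=1),
        200: Order(200, owner_id=2),
        300: Order(300, owner_id=9, status="submitted"),
    })


def get_order_vulnerable(actor: User, order_id: int) -> Order:
    """IDOR: trusts the client-supplied id and never asks who owns the object."""
    return ORDERS[order_id]


def _authorize(actor: User, order: Order) -> None:
    """Object-level check: caller must own the object or hold the admin role."""
    if actor.role != "admin" and order.owner_id != actor.id:
        raise Forbidden(f"user {actor.id} may not access order {order.id}")


def get_order(actor: User, order_id: int) -> Order:
    """horizontal-read: ownership verified on every fetch."""
    order = ORDERS[order_id]
    _authorize(actor, order)
    return order


def delete_order(actor: User, order_id: int) -> None:
    """horizontal-write: ownership verified before the mutation."""
    order = ORDERS[order_id]
    _authorize(actor, order)
    del ORDERS[order_id]


def list_all_orders(actor: User) -> list[Order]:
    """vertical: privileged listing gated on role, not on a guessable id."""
    if actor.role != "admin":
        raise Forbidden("admin only")
    return list(ORDERS.values())


def advance_order(actor: User, order_id: int) -> Order:
    """workflow: the id carried over from the previous step is re-authorized here."""
    order = get_order(actor, order_id)  # reuses the read-side ownership check
    nxt = TRANSITIONS.get(order.status)
    if nxt is None:
        raise ValueError(f"order {order.id} is already {order.status}")
    if nxt == "shipped" and actor.role != "admin":
        raise Forbidden("only staff may ship")  # role-bound transition
    order.status = nxt
    return order


def _denied(fn, *args) -> bool:
    """True when the call was refused with Forbidden (the control held)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def run_idor_checks() -> dict[str, bool]:
    """User 1 acts on user 2's order 200; True means the peer action was refused."""
    reset_store()
    u1, u2, admin = USERS[1], USERS[2], USERS[9]
    results = {
        "vulnerable-read": _denied(get_order_vulnerable, u1, 200),  # False: object leaks
        "horizontal-read": _denied(get_order, u1, 200),
        "horizontal-write": _denied(delete_order, u1, 200),
        "vertical": _denied(list_all_orders, u1),
        "workflow": _denied(advance_order, u1, 200),
    }
    # Positive controls: the legitimate owner and the admin paths still work.
    assert get_order(u2, 200).id == 200
    assert advance_order(u2, 200).status == "submitted"
    assert advance_order(admin, 200).status == "shipped"
    results["owner-path-ok"] = ORDERS[200].status == "shipped"
    return results


if __name__ == "__main__":
    for mode, held in run_idor_checks().items():
        print(f"{mode:17} {'enforced' if held else 'EXPOSED'}")
```

The `vulnerable-read` row is the only one expected to report exposed; every hardened handler routes through the same `_authorize` helper, which is the property to look for when reviewing a codebase, since a single handler that skips it is exactly the surface the `--type idor` run above is designed to find.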
```shell
# Path-based ID swapping
python agents/bypass_harness.py --target https://target.com/api/v1/orders/123 \
  --type idor --program target --concurrency 5 --rps 2

# Query-parameter ID swapping
python agents/bypass_harness.py --target https://target.com/api/v1/order?id=123 \
  --type idor --program target --concurrency 5 --rps 2
```
Options for agents/bypass_harness.py:

| Option | Description |
|--------|-------------|
| --target, -t | Target URL (required) |
| --type, -T | Use idor |
| --program | Program name for shared storage |
| --output-dir, -o | Override raw artifact directory |
| --timeout | Request timeout in seconds |
| --concurrency, -c | Max parallel requests |
| --rps | Requests per second |
| --verbose, -v | Verbose debug output |
| --quiet, -q | Show hits only |
Files:

- $HARNESS_ROOT/prompts/idor-playbook.md
- $HARNESS_SHARED_BASE/{program}/agent_shared/
- $HARNESS_SHARED_BASE/{program}/agent_shared/findings/idor/findings.md
- $HARNESS_SHARED_BASE/{program}/agent_shared/findings/bypass/

Workflow references:

- prompts/access-control-context-pack.md, if the request is broader than direct object references
- prompts/idor-playbook.md
- agents/bypass_harness.py in --type idor mode for first-pass coverage
- /account-management owned records
- agent_shared/findings/idor/findings.md
- /account-management
- checklist.md, todo.md, and relevant notes
Related skills:

- Systematic live request mutation: flip booleans, field ops, headers, content-type, parser differentials, replay vs intercept, null/empty testing. Inherits live-testing-policy scope/rate/ownership rules.
- Test password reset, forgot-password, reset-token, email reset, and account recovery flows for account takeover risks.
- Targeted param/field discovery using tech stack clues, naming conventions, and controlled-rate ffuf, then feeds findings into request-exploration for mutation. Not brute-force; informed and scoped.
- Ghost-only workflow for creating approved bug bounty test accounts and saving credential references.