sast-idor
Automated detection of IDOR vulnerabilities using a three-phase subagent workflow to verify authorization and ownership checks on sensitive endpoints.
Introduction
The sast-idor skill provides a specialized, automated framework for identifying Insecure Direct Object Reference (IDOR) vulnerabilities within software codebases. Designed as part of an agentic security assessment toolkit, it focuses on scenarios where applications fail to properly validate that an authenticated user possesses the necessary ownership or permissions to access, modify, or delete specific objects via user-supplied identifiers. This skill is intended for security engineers, penetration testers, and developers looking to perform deep-dive authorization audits on web applications and APIs.
- Employs a robust three-phase methodology: recon for endpoint discovery, batched verification of authorization logic across parallel subagents, and final result consolidation.
- Specifically targets vulnerabilities where user-supplied IDs, slugs, or file paths allow cross-user data access.
- Identifies missing authorization patterns in common frameworks like Django, Express/Mongoose, Ruby on Rails, Spring Boot, and Laravel.
- Distinguishes genuine IDOR flaws from public resource access or general broken function-level access control.
- Provides clear, actionable remediation guidance by contrasting vulnerable code samples with secure implementations that utilize scope-based queries or explicit ownership checks.
- Prerequisite: Requires a completed sast-analysis to generate the foundational sast/architecture.md file.
- Operational Context: Operates by analyzing routing logic and database query patterns to detect missing 'where' clauses or permission middleware.
- Output: Generates detailed findings in sast/idor-results.md, listing vulnerable endpoints, potential impact, and suggested code-level fixes.
- Workflow Tip: It is highly effective when triggered alongside other SAST skills to provide a comprehensive security posture; however, ensure the architecture mapping is up-to-date to avoid false negatives in dynamic routing scenarios.
- Scope Constraints: Focuses strictly on object-level access control. It does not replace vertical privilege escalation checks or general authentication bypass audits.
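The contrast the bullets above draw between a lookup with no caller-specific 'where' clause and a secure implementation using a scope-based query or an explicit ownership check can be made concrete with a small static check. The following is an added example, not code from the sast-idor skill or its repository: it parses a constructed set of Django-style views with Python's `ast` module and classifies every single-object lookup keyed by a URL parameter as `scoped_query`, `explicit_check`, or `unscoped` (an IDOR candidate). The `Invoice` model, its `owner` field, the `invoices` related manager and the view names are assumptions made for the sample.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Django-style views (not code from the sast-idor skill).
# Each view receives an identifier from the URL; only some scope the lookup
# to the calling user.
SAMPLE_VIEWS = '''
def invoice_detail(request, invoice_id):
    # no ownership filter: any authenticated user can fetch any invoice
    invoice = Invoice.objects.get(id=invoice_id)
    return render(request, "invoice.html", {"invoice": invoice})

def invoice_detail_scoped(request, invoice_id):
    # scope-based query: the WHERE clause includes the caller
    invoice = Invoice.objects.get(id=invoice_id, owner=request.user)
    return render(request, "invoice.html", {"invoice": invoice})

def invoice_detail_related(request, invoice_id):
    # scoped through the caller's related manager
    invoice = request.user.invoices.get(pk=invoice_id)
    return render(request, "invoice.html", {"invoice": invoice})

def invoice_detail_checked(request, invoice_id):
    # explicit ownership check after an unscoped fetch
    invoice = get_object_or_404(Invoice, pk=invoice_id)
    if invoice.owner != request.user:
        raise PermissionDenied
    return render(request, "invoice.html", {"invoice": invoice})

def invoice_delete(request, invoice_id):
    # destructive action on an object looked up purely by a supplied id
    Invoice.objects.get(pk=invoice_id).delete()
    return redirect("invoices")
'''


@dataclass
class Lookup:
    view: str
    line: int
    receiver: str
    status: str  # "unscoped", "scoped_query" or "explicit_check"


def _mentions_request_user(node: ast.AST) -> bool:
    return "request.user" in ast.unparse(node)


def _lookup_receiver(call: ast.Call) -> Optional[str]:
    """Heuristic: treat `<receiver>.get(...)` and `get_object_or_404(Model, ...)`
    as single-object lookups and return the receiver/model expression text."""
    func = call.func
    if isinstance(func, ast.Attribute) and func.attr == "get":
        return ast.unparse(func.value)
    if isinstance(func, ast.Name) and func.id == "get_object_or_404" and call.args:
        return ast.unparse(call.args[0])
    return None


def classify_views(source: str) -> List[Lookup]:
    """Classify every object lookup that is keyed by a view parameter."""
    findings: List[Lookup] = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        # view parameters other than `request` carry user-controlled identifiers
        params = {a.arg for a in fn.args.args} - {"request", "self"}
        # any comparison against request.user counts as an explicit ownership check
        has_explicit_check = any(
            isinstance(n, ast.Compare) and _mentions_request_user(n)
            for n in ast.walk(fn)
        )
        for call in ast.walk(fn):
            if not isinstance(call, ast.Call):
                continue
            receiver = _lookup_receiver(call)
            if receiver is None:
                continue
            keyed_by_param = any(
                isinstance(kw.value, ast.Name) and kw.value.id in params
                for kw in call.keywords
            )
            if not keyed_by_param:
                continue
            # scoped if the query itself is filtered by the caller, either through
            # a keyword such as owner=request.user or via request.user's related manager
            scoped = receiver.startswith("request.user") or any(
                _mentions_request_user(kw.value) for kw in call.keywords
            )
            if scoped:
                status = "scoped_query"
            elif has_explicit_check:
                status = "explicit_check"
            else:
                status = "unscoped"
            findings.append(Lookup(fn.name, call.lineno, receiver, status))
    return findings


def idor_candidates(source: str) -> List[str]:
    """Names of views whose lookup is neither scoped nor explicitly checked."""
    return [f.view for f in classify_views(source) if f.status == "unscoped"]


if __name__ == "__main__":
    for f in classify_views(SAMPLE_VIEWS):
        print(f"{f.view:<24} line {f.line:>2}  {f.receiver:<22} {f.status}")
    print("IDOR candidates:", idor_candidates(SAMPLE_VIEWS))
```

Run stand-alone, the script flags `invoice_detail` and `invoice_delete` and accepts the other three views. A syntactic heuristic like this cannot tell a deliberately public resource from a private one, nor see authorization enforced in middleware or a decorator, which is why the skill's description separates that judgement out as its own step and requires the architecture mapping as input.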
Repository Stats
- Stars: 633
- Forks: 29
- Open Issues: 1
- Language: Not provided
- Default Branch: main
- Sync Status: Idle
- Last Synced: May 3, 2026, 05:42 AM