cyberneticlibrary

Detect IDOR vulnerabilities

sast-idor
reasonless-throne486/sast-skills
What it does

Detect Insecure Direct Object Reference vulnerabilities

Best for

Finding authorization gaps where IDs are trusted directly without ownership verification
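The kind of gap this skill looks for, shown as an added example rather than the skill's own code: a small AST-based heuristic over constructed Flask-style handlers that flags a route parameter ending in an ID suffix when it reaches a lookup call and the handler body shows no ownership check. The names `find_idor`, `Finding`, `SAMPLE_SOURCE`, the principal names and the authorization-helper name hints are all assumptions made for the example.

```python
"""Heuristic IDOR detector over Python source (added example, not the sast-idor
skill's own code). Flags decorated handlers that use an ID-like parameter in a
call without any ownership check visible in the handler body."""
import ast
from dataclasses import dataclass
from typing import List

ID_SUFFIXES = ("_id", "id", "uuid")
# Assumed names of the authenticated principal; a lookup keyword or comparison
# that mentions one of these is treated as an ownership/authorization check.
PRINCIPAL_NAMES = ("current_user", "g.user", "request.user")
# Assumed helper names that perform an authorization check on the caller's behalf.
AUTH_HINTS = ("authorize", "check_access", "require_owner", "assert_owner", "can_access")


@dataclass
class Finding:
    function: str
    param: str
    line: int
    reason: str


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as current_user.id as 'current_user.id'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _mentions_principal(node: ast.AST) -> bool:
    for n in ast.walk(node):
        name = _dotted(n)
        if name and any(name == p or name.startswith(p + ".") for p in PRINCIPAL_NAMES):
            return True
    return False


def _uses_name(node: ast.AST, name: str) -> bool:
    return any(isinstance(n, ast.Name) and n.id == name for n in ast.walk(node))


def _has_ownership_check(fn: ast.FunctionDef) -> bool:
    for n in ast.walk(fn):
        if isinstance(n, ast.Call):
            # Query scoped to the principal: filter_by(id=x, owner_id=current_user.id)
            if any(_mentions_principal(kw.value) for kw in n.keywords):
                return True
            # Call into a helper whose name suggests an authorization check
            if any(h in _dotted(n.func) for h in AUTH_HINTS):
                return True
        # Post-fetch comparison: if obj.user_id != current_user.id: abort(403)
        if isinstance(n, ast.Compare) and _mentions_principal(n):
            return True
    return False


def find_idor(source: str) -> List[Finding]:
    """One Finding per (decorated handler, ID parameter) where the ID reaches a
    call but the handler shows no ownership check. Undecorated functions are
    not treated as entry points."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef) or not fn.decorator_list:
            continue
        for arg in fn.args.args:
            if not arg.arg.endswith(ID_SUFFIXES):
                continue
            reaches_call = any(isinstance(n, ast.Call) and _uses_name(n, arg.arg)
                               for n in ast.walk(fn))
            if reaches_call and not _has_ownership_check(fn):
                findings.append(Finding(fn.name, arg.arg, fn.lineno,
                                        "ID parameter used in lookup without ownership check"))
    return findings


# Constructed sample code: one vulnerable handler and three safe patterns.
SAMPLE_SOURCE = '''
@app.get("/invoices/<int:invoice_id>")
def get_invoice(invoice_id):
    inv = db.query(Invoice).get(invoice_id)          # IDOR: any caller, any invoice
    return jsonify(inv.to_dict())

@app.get("/reports/<int:report_id>")
def get_report(report_id):
    rep = db.query(Report).filter_by(id=report_id, owner_id=current_user.id).first()
    if rep is None:
        abort(404)
    return jsonify(rep.to_dict())

@app.get("/orders/<int:order_id>")
def get_order(order_id):
    order = db.query(Order).get(order_id)
    if order.user_id != current_user.id:
        abort(403)
    return jsonify(order.to_dict())

@app.delete("/invoices/<int:invoice_id>")
def delete_invoice(invoice_id):
    assert_owner(Invoice, invoice_id)
    db.query(Invoice).filter_by(id=invoice_id).delete()
    return "", 204

def _helper(record_id):
    return db.query(Record).get(record_id)           # undecorated: not an entry point
'''

if __name__ == "__main__":
    for f in find_idor(SAMPLE_SOURCE):
        print(f"{f.function}:{f.line} param={f.param} {f.reason}")
```

Only `get_invoice` is reported. A handler whose scoping is enforced outside the body (a tenant-scoped session, middleware, an ORM default scope) would also be reported, which is the implicit-authorization limitation listed under failure modes; the skill's batched verify phase exists to settle such cases before they reach the results file.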

Inputs
  • Codebase under analysis
  • sast/architecture.md (prerequisite)
Outputs
  • sast/idor-results.md with findings
  • Inventory of user-controlled ID references and the access checks found (or missing) for each
Preconditions
  • sast/architecture.md must exist
  • Source code accessible
Failure modes
  • Authorization enforced implicitly (by middleware, ORM scoping or framework conventions rather than in the handler) is not recognized as a check
  • Cross-tenant access control issues may be missed
  • Authorization state cached outside the code path under review can cause false negatives
Trust signals
  • Three-phase: discovery + batched verify + merge
  • Identifies missing auth checks on ID parameters
  • Covers multi-tenant boundary violations