IDOR and broken object authorization testing playbook. Use when requests expose object identifiers, tenant boundaries, writable fields, or missing object-level…
SKILL: IDOR / Broken Object Level Authorization — Expert Attack Playbook AI LOAD INSTRUCTION: IDOR is the #1 bug bounty finding. This skill covers non-obvious IDOR surfaces, all attack vectors (not just URL params), A-B testing methodology, BOLA vs BFLA distinction, chaining IDOR to higher impact, and what testers repeatedly miss. 1. IDOR vs BOLA vs BFLA Term Meaning Impact IDOR Insecure Direct Object Reference Read/modify other users' data BOLA Broken Object Level Authorization (OWASP API Top 10 A1) Same as IDOR, API terminology BFLA Broken Function Level Authorization Low-priv user accesses HIGH-PRIV functions (e.g., admin endpoints) Key distinction: BOLA = accessing object you shouldn't own (data belonging to other users) BFLA = accessing function you shouldn't be authorized for (admin CRUD operations, bulk actions, user management)
don't have the plugin yet? install it then click "run inline in claude" again.