This skill provides a rigorous process for hunting BOLA (Broken Object Level Authorization) and IDOR (Insecure Direct Object Reference) vulnerabilities. It focuses on identifying where servers fail to verify if a user owns the resource they are requesting.
Activate this skill when testing APIs or web applications that use resource identifiers (numeric IDs, UUIDs) in URLs or request bodies, especially when auditing user-scoped data or administrative endpoints.
ffuf, curl, and recommendations for Burp Suite (Autorize extension).Optimized for agents assisting in bug bounty hunting or security research using tools like Burp Suite, curl, or ffuf (e.g., Claude Code).
This skill has not been reviewed by our automated audit pipeline yet.