IDOR Forge is a powerful and versatile tool designed to detect Insecure Direct Object Reference (IDOR) vulnerabilities in web applications.
Note: this project is still under development.
Overview
IDOR vulnerabilities occur when an application exposes direct references to internal objects (e.g., database keys, file paths) without checking that the requesting user is authorized to access the referenced object, allowing an attacker to read or modify data belonging to other users. IDOR Forge automates the process of identifying such vulnerabilities by dynamically generating and sending test payloads, analyzing the responses, and reporting potential issues.
- Dynamic Payload Generation: Tests a wide range of inputs, including numeric values, random strings, and special characters.
- Multi-Parameter Scanning: Scans all parameters in a URL for potential IDOR vulnerabilities.
- Support for Multiple HTTP Methods: Tests IDOR vulnerabilities using GET, POST, PUT, and DELETE requests.
- Concurrent Scanning: Uses multi-threading to speed up the scanning process.
- Rate Limiting Detection: Automatically detects and handles rate limiting.
- Customizable Test Values: Allows users to specify custom test values for targeted testing.
- Sensitive Data Detection: Detects sensitive information in responses using customizable keywords.
- Proxy Support: Supports the use of proxies for testing through tools like Burp Suite or OWASP ZAP.
- Interactive GUI Mode: Provides a user-friendly graphical interface for real-time testing.
- Verbose Mode: Displays detailed output for debugging and analysis.
- Output Options: Saves results in TXT or CSV format for easy analysis and reporting.
- Custom Headers: Allows users to add custom headers (e.g., authentication tokens) for testing authenticated endpoints.
- Session Handling: Uses persistent sessions to maintain cookies and authentication state during testing.
Prerequisites
- Python 3.7 or higher.
- Required libraries: requests (third-party, installed via requirements.txt), tkinter and concurrent.futures (both ship with the Python standard library; tkinter may need the OS package for Tk on some Linux distributions).
Installation Steps
- Clone the repository:
git clone https://github.com/errorfiathck/IDOR-Forge.git
cd IDOR-Forge
- Install the required dependencies:
pip install -r requirements.txt
Command-Line Interface (CLI)
Basic Usage
python IDOR-Forge.py -u "https://example.com/api/resource?id=1"
Advanced Usage
python IDOR-Forge.py -u "https://example.com/api/resource?id=1" -p -m GET --proxy "http://127.0.0.1:8080" -v -o results.csv --output-format csv
Options
- -u, --url: Target URL to test for IDOR vulnerabilities.
- -p, --parameters: Scan all parameters in the URL.
- -m, --method: HTTP method to use (GET, POST, PUT, DELETE).
- -d, --delay: Delay between requests (in seconds).
- -o, --output: Output file to save results.
- --output-format: Output file format (txt or csv).
- --headers: Custom headers in JSON format (e.g., '{"Authorization": "Bearer token"}').
- --proxy: Proxy URL (e.g., http://127.0.0.1:8080).
- -v, --verbose: Enable verbose mode for detailed output.
- --test-values: Custom test values in JSON format (e.g., '[1, 2, 3, 4, 5]').
- --sensitive-keywords: Custom sensitive keywords in JSON format (e.g., '["password", "email"]').
- --interactive: Launch interactive GUI mode.
Interactive GUI Mode
python IDOR-Forge.py --interactive
Terminal Output (Verbose Mode):
Scanning parameter: id
Testing payload: {'id': 1}
Status Code: 200
Response Content: {"data": "sensitive_data"}...
Sensitive data detected!
----------------------------------------
Testing payload: {'id': 2, 'random_str': 'aBcDeFgHiJ'}
Status Code: 403
Response Content: {"error": "Forbidden"}...
----------------------------------------
File Output (results.csv):
Payload,Status Code,Response Content,Sensitive Data Detected
"{'id': 1}",200,"{"data": "sensitive_data"}",True
"{'id': 2, 'random_str': 'aBcDeFgHiJ'}",403,"{"error": "Forbidden"}",False
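The response-analysis step described in the Overview, reduced to its core and run offline, as an added illustration that is not part of the IDOR Forge code base: each constructed response is classified by status code and by the configurable sensitive-keyword list, a 429 stops the loop (the page's rate-limit handling), and the findings are rendered in the results.csv layout shown above. Field names, the sample responses and the keyword defaults are assumptions made for this example; note that the csv module doubles the embedded double quotes, which is what a CSV parser expects.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample responses keyed by the payload the scanner would have sent.
# The real tool obtains these over HTTP; they are embedded here so the analysis
# step can run without network access.
SAMPLE_RESPONSES = {
    (("id", 1),): (200, '{"data": "sensitive_data", "email": "a@example.com"}'),
    (("id", 2), ("random_str", "aBcDeFgHiJ")): (403, '{"error": "Forbidden"}'),
    (("id", 3),): (429, '{"error": "Too Many Requests"}'),
}

# Assumed defaults; the CLI lets the user override these with --sensitive-keywords.
DEFAULT_SENSITIVE_KEYWORDS = ["password", "email", "sensitive"]


@dataclass
class Finding:
    payload: dict
    status_code: int
    snippet: str        # truncated body, like the "..." in the verbose output
    sensitive: bool     # 200 response whose body contains a sensitive keyword
    rate_limited: bool  # HTTP 429: the server is throttling the scanner


def analyze_response(payload, status_code, body, keywords=DEFAULT_SENSITIVE_KEYWORDS):
    """Classify one response: sensitive data only counts when the server actually
    served the object (200), not when it refused (403) or throttled (429)."""
    lowered = body.lower()
    sensitive = status_code == 200 and any(k in lowered for k in keywords)
    return Finding(payload, status_code, body[:60], sensitive, status_code == 429)


def scan_offline(responses=SAMPLE_RESPONSES, keywords=DEFAULT_SENSITIVE_KEYWORDS):
    """Walk the responses in order and stop at the first rate-limit signal."""
    findings = []
    for key, (status, body) in responses.items():
        finding = analyze_response(dict(key), status, body, keywords)
        findings.append(finding)
        if finding.rate_limited:
            break  # let the caller back off (the tool's -d/--delay) before continuing
    return findings


def to_csv(findings):
    """Render findings in the results.csv column layout shown in the README."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Payload", "Status Code", "Response Content", "Sensitive Data Detected"])
    for f in findings:
        writer.writerow([str(f.payload), f.status_code, f.snippet, f.sensitive])
    return buf.getvalue()
```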
Contributions are welcome! Please follow these steps:
- Fork the repository.
- Create a new branch for your feature or bug fix.
- Submit a pull request with a detailed description of your changes.
- Comprehensive Testing: Covers a wide range of payloads and scenarios.
- User-Friendly: Offers both CLI and GUI modes for flexibility.
- Efficient: Uses concurrent scanning to save time.
- Customizable: Allows users to tailor the tool to their specific needs.
If you encounter any issues or have questions, feel free to open an issue on GitHub or contact the maintainers.
- Inspired by the OWASP Top 10 and the need for robust security testing tools.
- Built with ❤️ by [ErrorFiat].