A Bash script designed to automate the testing for IDOR vulnerabilities by fuzzing parameters through GET or POST requests, supporting both numerical ranges and file lists for input.
Introduction:
- This script is designed to automate testing for Insecure Direct Object Reference (IDOR) vulnerabilities.
- It supports both GET and POST requests and allows for fuzzing parameters using a range of values or a predefined list.
Prerequisites:
- Bash environment (Linux/Unix or Windows Subsystem for Linux)
curl
installed and accessible from the command line
Usage Instructions:
-
Setting Up:
- Clone or download this script to your local machine.
- Ensure it is executable:
chmod +x IDORFuzzer.sh
-
Running the Script:
- Execute the script by typing
./IDORFuzzer.sh
in your terminal. - Follow the on-screen prompts to input your test parameters.
- Execute the script by typing
-
Input Parameters:
- URL: The base URL you wish to test for IDOR vulnerabilities.
- HTTP Method: Choose between GET or POST method for the requests.
- Directory: The directory to search (e.g., 'uploads'), omitting the forward slash '/'.
- Parameter Name: The parameter you wish to fuzz (e.g., 'uid'), omitting the equals '='.
- Range/File List: Choose between using a numerical range (R) or a file list (F) for fuzzing the parameter.
-
Output:
- The script attempts to identify and download resources exposed due to IDOR vulnerabilities.
- Downloaded resources are saved in the script's running directory.
Note:
- Always use this script with permission on target domains to avoid unauthorized access and potential legal issues.
- The effectiveness of the script depends on the correctness of the inputs and the specific configurations of the target application.
Contributing:
- Contributions to enhance this script are welcome. Please fork the repository, make your changes, and submit a pull request.
License:
- This script is provided "as is", without warranty of any kind. Use at your own risk.
Disclaimer:
- This tool is intended for educational and ethical testing purposes only. The author is not responsible for any misuse or damage caused by this tool.