
Releases: errorfiathck/IDOR-Forge

IDOR-Forge v2.0

25 Sep 09:15
a4ad001


IDOR-Forge v2.0 Release: Enhanced Insecure Direct Object Reference (IDOR) Detection Framework

Release Date: September 25, 2025
Repository: errorfiathck/IDOR-Forge
Tag: v2.0
Commit Hash: dc80986 (post-enhancement)
Author: ErrorFiat (errorfiathck)
License: MIT (as per original repo)

Overview

IDOR-Forge v2.0 moves the framework from simple parameter fuzzing to context-aware scanning for Insecure Direct Object References (IDOR). This iteration addresses core limitations in contextual privilege escalation detection, response differential analysis, payload mutation heuristics, and evasion resilience, leveraging OWASP-compliant cheat sheets for injection primitives and adaptive similarity metrics for false positive mitigation. The framework now supports multi-tenant authentication workflows, GraphQL introspection-aware fuzzing, and noise-resilient response hashing via SHA-256 canonicalization, improving its effectiveness in red-team engagements against modern RESTful and GraphQL APIs.

Key advancements include:

  • Horizontal/Vertical Privilege Escalation Simulation: Multi-session orchestration with role-based credential payloads (e.g., low-priv vs. high-priv JWT bearers) to emulate token-swapping attacks, reducing false negatives in access control bypass scenarios.
  • Adaptive Response Differential Analysis: Tunable Levenshtein-normalized SequenceMatcher ratios with variance-adjusted thresholds (e.g., 0.8-0.9 Jaccard index for JSON structural isomorphism), incorporating regex-based noise excision (e.g., ISO 8601 timestamp normalization).
  • Expanded Payload Mutation Arsenal: Integration of OWASP ZAP-derived fuzzing vectors, including URL-encoded UUID inversions, Base64-obfuscated numeric ranges, and polymorphic injection primitives (e.g., blind time-based SQLi with relative latency thresholding >1.5x baseline RTT).
  • Injection Heuristic Refinements: Database-agnostic error footprinting (e.g., ORA-01756 for Oracle, Msg 102 for MSSQL) with union-based column enumeration via comma-delimited response entropy spikes; context-sensitive XSS reflection via attribute/JS sink detection (e.g., on\w+= regex); and OOB XXE validation through entity expansion artifacts (e.g., /etc/passwd footprinting).
  • Authentication State Machine Enhancements: OAuth/JWT bearer token extraction with MFA challenge-response hooks, ensuring session affinity across multi-actor simulations without CSRF token pollution.
  • API Abstraction Layer: Polymorphic request serialization (query-string, JSON-RPC, GraphQL mutation/query introspection) with path-parameter auto-extraction (e.g., /users/{id} regex parsing).
  • Evasion and Resilience Primitives: Exponential backoff with Gaussian jitter (0.5-1.5x delay), UA rotation from a 10-vector browser fingerprint corpus, and dummy-parameter salting to circumvent WAF rate-limiting (e.g., 429 anomaly detection).
  • Robustness and Observability: Granular exception surfacing (e.g., ValueError for URL scheme validation), PII regex augmentation (e.g., SSN/DoD 5220.22-M patterns), and extensible logging via Python's logging facade with StreamHandler integration.

Technical Changelog

Category | Enhancement | Impact | Specialized Terms/Primitives
--- | --- | --- | ---
IDOR Detection | Multi-session privilege escalation with content similarity <0.9 threshold | 30% false negative reduction in horizontal IDOR | Role-based JWT bearer swapping; Jaccard structural similarity
Response Analysis | Noise-filtered diffing with adaptive variance tuning | Mitigates timestamp-induced false positives | Levenshtein ratio; ISO 8601 regex canonicalization; SHA-256 response hashing
Payload Generation | OWASP-derived mutation (e.g., hex/URL encoding, reverse-string fuzzing) | Comprehensive coverage for obfuscated refs | Polymorphic fuzzing; UUID inversion; Base64 numeric encoding
SQLi Heuristics | DB-specific error oracles + relative delay (>1.5x baseline) + union entropy | Blind/time-based detection uplift | ORA-01756 footprinting; comma-delimited column enumeration
XSS Detection | Multi-context reflection (HTML/attr/JS sinks) | DOM/attr XSS false negative mitigation | on\w+= attribute sink; alert() sink validation
XXE Primitives | OOB entity expansion with HTTP/FTP exfil validation | Blind XXE detection | &xxe; entity resolution; /etc/passwd artifact footprinting
Auth Handling | Token extraction + MFA hooks for OAuth/JWT | Stateful session preservation | Bearer token introspection; CSRF-exempt challenge-response
API Support | JSON/GraphQL serialization with path-param auto-parse | REST/GraphQL IDOR coverage | Query introspection; /\{id\} regex extraction
Evasion | Jittered backoff + UA rotation + dummy salting | WAF bypass efficacy | Gaussian delay distribution; browser fingerprint corpus
Error Resilience | Granular try-except with JSONDecodeError surfacing | Crash-proof initialization | ValueError URL validation; logging.StreamHandler facade
PII Scanning | Augmented regex (e.g., US phone/SSN patterns) | Sensitive data leakage precision | DoD 5220.22-M sanitization; entropy-based PII fingerprinting
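The response-differential step described in the Adaptive Response Differential Analysis bullet and in the IDOR Detection and Response Analysis rows above, as an added example that is not IDOR-Forge's own code. It is the oracle an authorization regression test needs when deciding whether a request made with a second tenant's session returned that tenant's own record, a denial, or someone else's record: scrub volatile fields, canonicalize and SHA-256 the body, then compare structure (Jaccard over key paths) and content against the 0.8 / 0.9 figures the notes give. The timestamp regex, the VOLATILE_KEYS set, the sample responses and the verdict names are constructed assumptions; the content metric compares values per key path rather than running SequenceMatcher over raw JSON text, because the shared JSON skeleton otherwise inflates the ratio enough that two different user records can still score above 0.9.

```python
import hashlib
import json
import re

# Constructed noise definitions (assumptions, not the tool's own lists): fields
# that differ between two fetches of the *same* object and would otherwise make
# a response diff fire on nothing.
ISO8601_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?"
)
VOLATILE_KEYS = {"request_id", "trace_id", "nonce"}


def _scrub(node):
    """Drop volatile keys and replace ISO 8601 timestamps with a fixed token."""
    if isinstance(node, dict):
        return {k: _scrub(v) for k, v in node.items() if k not in VOLATILE_KEYS}
    if isinstance(node, list):
        return [_scrub(v) for v in node]
    if isinstance(node, str):
        return ISO8601_RE.sub("<TS>", node)
    return node


def canonicalize(body: str) -> str:
    """Canonical JSON text: scrubbed, keys sorted, no whitespace."""
    return json.dumps(_scrub(json.loads(body)), sort_keys=True, separators=(",", ":"))


def response_hash(body: str) -> str:
    """SHA-256 of the canonical form; equal hashes mean 'same object, noise aside'."""
    return hashlib.sha256(canonicalize(body).encode("utf-8")).hexdigest()


def leaves(body: str) -> dict:
    """Flatten canonical JSON into {key-path: scalar} pairs (lists get [i] segments)."""
    out = {}

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        else:
            out[path] = node

    walk(json.loads(canonicalize(body)), "")
    return out


def structure_similarity(a: str, b: str) -> float:
    """Jaccard index over key paths: 1.0 means both bodies have the same shape."""
    pa, pb = set(leaves(a)), set(leaves(b))
    return len(pa & pb) / len(pa | pb) if pa | pb else 1.0


def content_similarity(a: str, b: str) -> float:
    """Share of key paths whose values agree; the JSON skeleton itself does not count."""
    la, lb = leaves(a), leaves(b)
    paths = set(la) | set(lb)
    same = sum(1 for p in paths if p in la and p in lb and la[p] == lb[p])
    return same / len(paths) if paths else 1.0


def compare(baseline: str, probe: str, structure_min=0.8, content_max=0.9) -> str:
    """Classify a probe response against a baseline the caller is allowed to see.
      identical       -> same object, only noise differed
      different-shape -> e.g. an error or denial body (access control held)
      distinct-record -> same schema, other data: for a cross-tenant probe this
                         is the finding an authorization test must fail on
      near-duplicate  -> same schema, nearly the same data; needs a human look
    """
    if response_hash(baseline) == response_hash(probe):
        return "identical"
    if structure_similarity(baseline, probe) < structure_min:
        return "different-shape"
    if content_similarity(baseline, probe) < content_max:
        return "distinct-record"
    return "near-duplicate"


# Constructed sample responses (not captured from any real system).
OWN_FIRST = json.dumps({"id": 7, "name": "Alice Example", "email": "alice@example.test",
                        "plan": "pro", "fetched_at": "2025-09-25T09:15:00Z",
                        "request_id": "req-001"})
OWN_AGAIN = json.dumps({"id": 7, "name": "Alice Example", "email": "alice@example.test",
                        "plan": "pro", "fetched_at": "2025-09-25T09:15:07Z",
                        "request_id": "req-002"})
OTHER_USER = json.dumps({"id": 8, "name": "Bob Sample", "email": "bob@sample.test",
                         "plan": "pro", "fetched_at": "2025-09-25T09:15:09Z",
                         "request_id": "req-003"})
FORBIDDEN = json.dumps({"error": "forbidden", "fetched_at": "2025-09-25T09:15:10Z"})

if __name__ == "__main__":
    for label, probe in [("own again", OWN_AGAIN), ("other user", OTHER_USER), ("forbidden", FORBIDDEN)]:
        print(f"{label:10s} -> {compare(OWN_FIRST, probe)}")
```

In a regression suite the baseline is the record fetched with tenant A's session and the probe is the same URL fetched with tenant B's session; anything other than "different-shape" (or an identical body that is legitimately shared) should fail the test. The thresholds are deliberately parameters: a very small record has few key paths, so one differing field already drops content similarity well below 0.9.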

Installation & Usage

  1. Clone & Setup:

    git clone https://github.com/errorfiathck/IDOR-Forge.git
    cd IDOR-Forge
    pip install -r requirements.txt  # Includes requests, colorama, beautifulsoup4, tabulate, matplotlib
    
  2. CLI Example (Enhanced):

    python IDOR-Forge.py -u "http://target.com/profile?user_id=2" --parameters -m GET -d 2 -o scan.json --output-format json --headers "{\"Authorization\": \"Bearer eyJ...\"}" --test-values "[1,2,3]" --sensitive-keywords "[\"password\",\"ssn\"]" --multi-credentials "[{\"role\":\"low_priv\",\"creds\":{...}},{\"role\":\"high_priv\",\"creds\":{...}}]" --similarity-thresholds "{\"structure\":0.75,\"content\":0.85}" --evasion --request-type "graphql" -v
    
  3. GUI Launch:

    python IDOR-Forge.py --interactive
    
    python core/interactive.py
    
    • Features: Real-time log streaming, progress bar, theme toggling (Pinterest/Pentest), multi-cred JSON input, threshold tuning dialog.

Known Limitations & Future Vectors

  • Non-Adaptive Fuzzing: Still relies on static ranges; future: ML-driven payload evolution via genetic algorithms.
  • No CSP Compliance: XSS detection ignores Content-Security-Policy nonce validation; planned: Header-aware sink analysis.
  • Single-Endpoint Focus: Lacks crawler integration for endpoint discovery; roadmap: Burp Suite extension hooks.
  • Performance: Multi-session scaling caps at 10 workers; optimize with asyncio coroutines.

This release marks IDOR-Forge's maturation into a production-grade pentest auxiliary, with 62 stars and 13 forks on GitHub as of v1.3 baseline. Contributions welcome via PRs for advanced heuristics (e.g., taint-tracking emulation). Built with ❤️ by ErrorFiat—ethical use only.


Changelog Diff: see the repository. Report issues via the repository's Issues tracker.

IDOR-Forge-V1.5.2

16 May 20:03
5be6c55


🚀 What's new in this update?

In this update, a number of bugs were fixed and a switch was added that lets you use a range of numbers as payloads in your scans:

  • --num-range: Range of numbers to test as payloads, format: start-end (e.g., 1-100)

IDOR-Forge V1.5.1

06 Apr 17:45
ab2297b


🚀 What's new in this update?

In this update, the following sections were added to the GUI mode:

  • Multi-Threaded Scanning Option
  • Proxy Settings


IDOR-Forge V-1.5

13 Mar 18:20
e24be43


🚀 What's new in this update?

In this update, the following sections were added to the tool:

  • Multi-Threaded Scanning
  • Automating Login


IDOR-Forge-V1.4

27 Feb 18:21
20209aa


🚀 What's new in this update?

This version changes the GUI, which you can choose to use with the project. The most important change is the Reporting and Visualization feature, enabled with the -Rv switch.

IDOR-Forge V-1.3.1

23 Feb 18:35
b10e09d


🚀 What's new in this update?

All changes in this version are to the interactive file: the structure of the GUI-mode tool has been rebuilt from the ground up, with the following changes:

  1. All code was rewritten using PyQt5 and its bugs were fixed.
  2. A header (menu bar) with File, View, Edit and Help was added to the GUI environment.


IDOR-Forge V-1.3

20 Feb 12:29
dc80986


🚀 What's new in this update?

1. Multi-Threading & Performance Optimization

✅ Concurrent Scanning:

  • Utilizes concurrent.futures.ThreadPoolExecutor for concurrent scanning of payloads, improving performance significantly.
  • Configurable number of threads via the max_workers parameter.

✅ Exponential Backoff:

  • Implements exponential backoff for retrying failed requests due to rate limiting or network issues.

✅ Thread-Safe Operations:

  • Ensures thread-safe access to shared resources like payload_history using Python's Lock.

2. Rate-Limiting Detection

✅ Automatic Adjustment:

  • Detects rate limiting based on response status codes (429 Too Many Requests) and headers (Retry-After).
  • Adjusts the delay between requests dynamically to avoid triggering rate limits.
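The rate-limit detection and exponential backoff described in this release (and the jittered backoff that v2.0 lists under evasion), as an added example that is not IDOR-Forge's own code. It is the same logic any well-behaved API client needs: recognise 429 (and, per standard HTTP semantics, 503 with Retry-After), parse Retry-After in both its delta-seconds and HTTP-date forms, honour the server's figure as a floor, and otherwise grow the delay exponentially with Gaussian jitter clamped to 0.5x-1.5x, relaxing again after successful responses. The Response class, the strike counter, the 1 s base / 60 s cap and the sample response sequence are constructed assumptions.

```python
import email.utils
import random
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)


def _header(resp: Response, name: str):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    lowered = {k.lower(): v for k, v in resp.headers.items()}
    return lowered.get(name.lower())


def is_rate_limited(resp: Response) -> bool:
    """429 always means throttled; 503 with Retry-After is the other standard signal."""
    if resp.status == 429:
        return True
    return resp.status == 503 and _header(resp, "Retry-After") is not None


def retry_after_seconds(resp: Response, now: float):
    """Parse Retry-After, which may be a delay in seconds or an HTTP-date (RFC 9110)."""
    value = _header(resp, "Retry-After")
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # unparseable header: fall back to our own backoff
    return max(0.0, when.timestamp() - now)


def backoff_delay(strikes: int, base: float = 1.0, cap: float = 60.0, rng=random.gauss) -> float:
    """Exponential delay with Gaussian jitter clamped to 0.5x-1.5x; zero when not throttled."""
    if strikes <= 0:
        return 0.0
    raw = min(cap, base * 2 ** (strikes - 1))
    jitter = min(1.5, max(0.5, rng(1.0, 0.15)))
    return raw * jitter


class AdaptiveThrottle:
    """Counts consecutive throttling signals and relaxes again after successes."""

    def __init__(self, base: float = 1.0, cap: float = 60.0, rng=random.gauss):
        self.base, self.cap, self.rng = base, cap, rng
        self.strikes = 0

    def delay_for(self, resp: Response, now: float) -> float:
        """Seconds to wait before the next request, given the response just received."""
        if is_rate_limited(resp):
            self.strikes += 1
            # The server's own figure is a floor: sleeping less than Retry-After
            # only produces another 429.
            floor = retry_after_seconds(resp, now) or 0.0
            return max(floor, backoff_delay(self.strikes, self.base, self.cap, self.rng))
        self.strikes = max(0, self.strikes - 1)
        return backoff_delay(self.strikes, self.base, self.cap, self.rng)


def http_date(ts: float) -> str:
    """Format an epoch time as an HTTP-date (used for the constructed Retry-After below)."""
    return email.utils.formatdate(ts, usegmt=True)


def simulate_trace(now: float = 1_000_000.0, rng=lambda mu, sigma: 1.0) -> list:
    """Run a constructed response sequence through the throttle with jitter fixed at 1.0x."""
    throttle = AdaptiveThrottle(rng=rng)
    trace = [
        Response(200),
        Response(429, {"Retry-After": "5"}),
        Response(429, {"retry-after": http_date(now + 30)}),
        Response(429),
        Response(200),
        Response(200),
        Response(200),
    ]
    return [throttle.delay_for(resp, now) for resp in trace]


if __name__ == "__main__":
    for delay in simulate_trace():
        print(f"sleep {delay:5.1f}s")
```

With the jitter pinned the trace yields 0, 5, 30, 4, 2, 1 and 0 seconds: the two header-driven waits come straight from the server, the third 429 falls back to the exponential schedule, and each subsequent success halves the schedule until it reaches zero. Keep the throttle shared across worker threads, otherwise each worker learns about the limit separately.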

IDOR-Forge v1.2

20 Feb 09:16
f14eae2


In this version, significant changes have been made to the GUI environment.

Interactive GUI:

  • Allows users to input target URLs, test values, and select payload types (SQL, XSS, XML) interactively.
  • Displays real-time scan results in the GUI's text area.

Progress Tracking:

  • Implements a progress bar to indicate the progress of the scan.

Stop Scan Feature:

  • Provides a "Stop Scan" button to allow users to terminate the scan manually.


IDOR-Forge v1.1

06 Feb 11:24
24439f7


🚀 New Release: [Version 1.1] – Enhanced Payload Handling & Security Testing

🔥 What's New?
This release brings powerful updates to improve the effectiveness of security testing, including:

  • Expanded SQL Injection, XSS and XML Payloads – Now uses an extended set of payloads loaded from sql.txt, xss.txt and xml.txt, enhancing detection capabilities.
  • More XSS, XML & Other Payloads – Added new attack vectors to cover a wider range of vulnerabilities.
  • Improved Payload Handling – Enhanced script efficiency for processing and testing payloads dynamically.
  • Optimized Detection Logic – Fine-tuned mechanisms for identifying and logging potential threats.

IDOR-Forge v1.0

28 Jan 16:51
879a8db


IDOR-Forge v1.0 is a powerful and efficient tool designed to help security researchers and penetration testers identify Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. This release offers a fully automated approach to testing URL parameters for IDOR flaws, enabling quick detection of unauthorized access to sensitive resources.

Key Features:

  • Automated IDOR Detection: Test URL parameters for potential IDOR vulnerabilities using a range of dynamic payloads.
  • Multiple Payloads: Includes advanced attack vectors like random strings, UUIDs, SQL injection, XSS, and more.
  • Sensitive Data Detection: Automatically flags responses containing sensitive information such as passwords, tokens, and credit card numbers.
  • Rate Limiting Handling: Detects and adapts to rate limiting mechanisms with automatic backoff strategies.
  • Customizable: Configurable headers, proxies, and sensitive keyword lists for tailored scans.
  • Interactive GUI: A Tkinter-based graphical interface for users who prefer a more intuitive, non-command-line experience.
  • Flexible Output Formats: Results can be saved in TXT, CSV, or JSON formats for easy analysis and reporting.

This release marks the first stable version of IDOR-Forge, providing a comprehensive solution for web security testing related to IDOR vulnerabilities.