Authz Bypass Hunter

Name: Authz Bypass Hunter
Author: majiayu000

ASecurity

Hunt for authorization bypass vulnerabilities including IDOR, privilege escalation, missing access controls, broken object-level authorization. Use when auditing authentication/authorization code or API endpoints.

370 stars

0 votes

0 copies

0 views

Added 6/3/2026

securitypythonrustbashapidatabase

Works with

cliapi

Security Analysis

A100/100

Scanned 6/3/2026

Install via CLI

$openskills install majiayu000/claude-skill-registry

SKILL.md

---
name: authz-bypass-hunter
description: Hunt for authorization bypass vulnerabilities including IDOR, privilege escalation, missing access controls, broken object-level authorization. Use when auditing authentication/authorization code or API endpoints.
---

# Authorization Bypass Hunter

## Purpose

Systematically identify authorization vulnerabilities: IDOR, privilege escalation, broken access control, missing permission checks, role confusion, and horizontal/vertical privilege escalation.

## Focus Areas

- **IDOR (Insecure Direct Object References)**: User-controllable IDs accessing other users' data
- **Broken Object Level Authorization (BOLA)**: API endpoints not validating resource ownership
- **Broken Function Level Authorization (BFLA)**: Admin functions accessible to regular users
- **Missing Access Controls**: Endpoints without any authorization checks
- **Role/Permission Confusion**: Inconsistent role checks across code paths
- **JWT/Session Issues**: Token manipulation, session fixation

## Audit Checklist

### 1. Identify Authorization Entry Points
```
- API endpoints with resource IDs (/api/user/{id}, /api/order/{id})
- Query parameters (userId=, accountId=, orderId=)
- Request body fields controlling resource access
- File paths/names in requests
- GraphQL queries with object references
```

### 2. Check for Missing Checks
```
Look for patterns:
- Direct database queries without user filter
- Fetching resource by ID only (not ownership)
- Missing @authorize, @permission decorators
- Inconsistent middleware application
```

### 3. Verify Ownership Validation
```
VULNERABLE:
  order = Order.find(params[:id])  # No user check!

SECURE:
  order = current_user.orders.find(params[:id])  # Scoped to user
```

## Output Format

When you find authorization issues, report as:

```yaml
findings:
  - title: "IDOR in GET /api/users/{id}/profile"
    severity: high
    attack_scenario: "Authenticated user changes {id} parameter to access other users' profiles"
    preconditions: "Valid session required"
    reachability: auth_required
    impact: "Unauthorized access to PII of any user"
    confidence: high
    cwe_id: "CWE-639"
    affected_assets:
      - "/api/users/{id}/profile"
      - "src/controllers/user_controller.rs:42"
    taint_path: "request.params['id'] -> User.find(id) -> response"
```

## Key Patterns to Hunt

### Missing User Scope (Most Common)
```rust
// VULNERABLE - no ownership check
pub async fn get_order(id: i32) -> Order {
    Order::find(id).await
}

// SECURE - scoped to user
pub async fn get_order(user: User, id: i32) -> Order {
    Order::find_by_user(user.id, id).await
}
```

### Inconsistent Role Checks
```python
# VULNERABLE - role checked in UI but not API
@app.route('/admin/users')  # No @admin_required!
def list_users():
    return User.all()
```

### Parameter Pollution
```
# If both accepted, which wins?
GET /api/profile?userId=1001&userId=1000
```

### HTTP Method Bypass
```
GET /api/admin/users/1000 → 403 Forbidden
POST /api/admin/users/1000 → 200 OK  # Vulnerable!
```

## Severity Guidelines

| Pattern | Severity |
|---------|----------|
| IDOR to admin data | Critical |
| IDOR to PII | High |
| IDOR to non-sensitive data | Medium |
| Missing role check (admin functions) | Critical |
| Missing role check (user functions) | High |
| Horizontal privilege escalation | High |
| Vertical privilege escalation | Critical |

## KYCo Integration

Register authorization bypass findings using the kyco CLI:

### 1. Check Active Project
```bash
kyco project list
```

### 2. Register Finding
```bash
kyco finding create \
  --title "IDOR in GET /api/users/{id}/profile" \
  --project PROJECT_ID \
  --severity high \
  --cwe CWE-639 \
  --attack-scenario "Authenticated user changes {id} parameter to access other users' profiles" \
  --impact "Unauthorized access to PII of any user" \
  --assets "/api/users/{id}/profile,src/controllers/user_controller.rs:42"
```

### 3. View in Kanban
```bash
kyco gui  # Opens GUI with Kanban board
kyco finding list --project PROJECT_ID  # CLI listing
```

### Common CWE IDs for Authorization Issues
- CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
- CWE-862: Missing Authorization
- CWE-863: Incorrect Authorization
- CWE-284: Improper Access Control
- CWE-285: Improper Authorization

Authz Bypass Hunter

Works with

Security Analysis

Attribution

Comments (0)