This is a comprehensive IDOR and broken object authorization testing playbook that goes well beyond the typical "increment the ID parameter" advice. It systematically covers A-B testing methodology, all the places object IDs hide (headers, cookies, GraphQL arguments, WebSocket messages), HTTP method escalation, and the crucial distinction between BOLA (Broken Object Level Authorization: accessing objects you don't own) and BFLA (Broken Function Level Authorization: accessing admin functions). The indirect IDOR section on reference chains and the mass assignment attacks are especially useful for finding non-obvious authorization bugs. Load this when you're testing anything with user data isolation, multi-tenant systems, or APIs that expose resource identifiers.
npx skills add https://github.com/yaklang/hack-skills --skill idor-broken-object-authorization