Cylinder is a cybersecurity tool for identifying IDOR (Insecure Direct Object Reference) vulnerabilities during bug bounty hunting.
- 🔍 Multi-Vector Detection - Tests for multiple IDOR vulnerability types
- 🔄 Parameter Pollution - Advanced parameter manipulation techniques
- 📡 API Endpoint Discovery - Automatically finds potential vulnerable endpoints
- 🔐 JWT Token Analysis - Identifies flaws in JWT implementation
- ⚡ Race Condition Testing - Detects timing-based access control issues
- 🔗 GraphQL Vulnerability Detection - GraphQL-specific IDOR testing
- 🛠️ Mass Assignment Testing - Detects object property manipulation flaws
- 📊 Comprehensive Reporting - Detailed vulnerability reports in JSON format
- Python 3.8+
- requests
- rich
```bash
# Clone this repository
git clone https://github.com/yourusername/idor-scanner.git
# Navigate to the project
cd idor-scanner
# Install requirements
pip install -r requirements.txt
```

```bash
python idor_scanner.py -u https://target-website.com -c "session=abc123" -v -o results.json
```
| Option | Description |
|---|---|
| `-u, --url` | Target URL (required) |
| `-c, --cookies` | Cookies for authenticated testing |
| `-H, --headers` | Custom HTTP headers |
| `-i, --ids` | Test IDs (comma-separated) |
| `-v, --verbose` | Enable detailed output |
| `-t, --timeout` | Request timeout in seconds |
| `-p, --proxy` | HTTP/HTTPS proxy (e.g. Burp Suite) |
| `-o, --output` | Save results to JSON file |
| `--no-ssl-verify` | Disable SSL verification |
| `--threads` | Number of concurrent threads |
| `--jwt` | JWT token for testing |
| `--graphql` | Enable GraphQL-specific testing |
```json
{
  "target": "https://example.com",
  "timestamp": "2025-03-19 14:30:45",
  "findings": [
    {
      "type": "IDOR with Sensitive Data",
      "url": "https://example.com/api/user/5",
      "description": "Path parameter IDOR test: replaced '1' with '5'",
      "status": 200,
      "response_sample": "{\"id\":5,\"username\":\"admin\",\"email\":\"admin@example.com\"}"
    }
  ]
}
```
This tool is for ethical security research and bug bounty hunting only. Always:
- Get explicit permission before testing any website
- Only test systems you are authorized to test
- Follow the scope and rules of bug bounty programs
- Be mindful of the potential impact of your testing
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions, issues, and feature requests are welcome! Feel free to check the issues page.
- Thanks to the ethical hacking community for inspiration
- Special thanks to all contributors and bug bounty platforms
A comprehensive IDOR (Insecure Direct Object Reference) vulnerability testing script designed for ethical bug bounty hunting and security research.
- Standard IDOR Detection: Tests for common IDOR vulnerabilities in URL parameters and paths
- Parameter Pollution: Advanced techniques to bypass access controls
- HTTP Method Switching: Tests different HTTP methods for IDOR
- API Version Manipulation: Tests older API versions that might have weaker controls
- JWT Token Manipulation: Tests for IDOR via JWT payload manipulation
- Race Condition Testing: Detects timing-based IDOR vulnerabilities
- GraphQL IDOR Testing: Specialized testing for GraphQL endpoints
- Mass Assignment: Tests for IDOR via object property injection
- Privileged Endpoints: Tests admin, management, and system endpoints
- Batch Operations: Tests bulk operations that often process multiple resources
- Webhook Endpoints: Tests webhook and callback endpoints for sensitive data
- File Operations: Tests file upload/download endpoints for document access
- Admin Functions: Tests administrative functions with elevated privileges
- Payment Endpoints: Tests billing and payment systems for financial data
- API Key Endpoints: Tests credential and token management endpoints
- OAuth Endpoints: Tests authentication and authorization endpoints
- Sequential ID Testing: Tests predictable ID sequences (1-20, 100-120, etc.)
- Common High-Value IDs: Tests admin, root, system, and other privileged IDs
- Header Manipulation: Tests for IDOR via custom HTTP headers
- JSON Path Traversal: Tests nested JSON structures for IDOR
- Advanced Parameter Techniques: URL encoding, case manipulation, and more
- Advanced Path Traversal: Double encoding, mixed slashes, dotless traversal techniques
- GraphQL Introspection: Tests for exposed GraphQL schemas and introspection vulnerabilities
- Advanced JWT Manipulation: Algorithm confusion, key injection, header manipulation
- Prototype Pollution: Tests for JavaScript prototype pollution vulnerabilities
- HTTP Request Smuggling: Tests for HTTP request smuggling vulnerabilities
- SSRF Techniques: Tests for Server-Side Request Forgery vulnerabilities
- Cache Poisoning: Tests for cache poisoning via header manipulation
- Deserialization Attacks: Tests for insecure deserialization vulnerabilities
- Template Injection: Tests for server-side template injection vulnerabilities
- NoSQL Injection: Tests for NoSQL injection vulnerabilities
- LDAP Injection: Tests for LDAP injection vulnerabilities
- XML External Entity (XXE): Tests for XXE vulnerabilities
- Server-Side Includes (SSI): Tests for SSI vulnerabilities
- Command Injection: Tests for command injection vulnerabilities
- Advanced Encoding Bypass: Tests for encoding bypass techniques
- Combined Attack Vectors: Tests for multi-vector attack combinations
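The core check behind the standard IDOR, sequential-ID and common-high-value-ID items above, written out as an added example (this is not Cylinder's own code): a known object ID in a path is swapped for neighbouring numeric IDs and privileged names, and a 200 response is only reported when its body differs from the baseline record and, for the stronger finding type, contains a sensitive field. The in-process `vulnerable_api` / `fixed_api` functions, the `RECORDS` data and the `probe_idor` / `candidate_ids` names are constructed for illustration so the example runs offline.

```python
import json
import re

# Constructed in-process "target": a user-profile API keyed by id. It stands in
# for the remote host so the example runs offline; nothing here is real data.
RECORDS = {
    "1": {"id": 1, "username": "alice", "email": "alice@example.com"},
    "5": {"id": 5, "username": "admin", "email": "admin@example.com"},
    "admin": {"id": 0, "username": "admin", "email": "root@example.com"},
}
OWNER = {"1": "alice", "5": "admin", "admin": "admin"}
ROUTE = re.compile(r"/api/user/([^/]+)")


def vulnerable_api(path, session_user):
    """Looks up any record by id and never checks who is asking (the IDOR)."""
    m = ROUTE.fullmatch(path)
    if not m or m.group(1) not in RECORDS:
        return 404, ""
    return 200, json.dumps(RECORDS[m.group(1)])


def fixed_api(path, session_user):
    """Same route with the missing ownership check added."""
    m = ROUTE.fullmatch(path)
    if not m or m.group(1) not in RECORDS:
        return 404, ""
    if OWNER[m.group(1)] != session_user:
        return 403, json.dumps({"error": "forbidden"})
    return 200, json.dumps(RECORDS[m.group(1)])


def candidate_ids(known_id, extra=()):
    """Neighbouring sequential ids, common privileged names, then user-supplied
    ids, deduplicated and with the baseline id removed."""
    ids = []
    if known_id.isdigit():
        base = int(known_id)
        ids += [str(i) for i in range(max(base - 5, 0), base + 6)]
    ids += ["admin", "root", "system", "0"]
    ids += list(extra)
    return [i for i in dict.fromkeys(ids) if i != known_id]


SENSITIVE = re.compile(r'"(email|password|token|api_key|ssn)"', re.IGNORECASE)


def probe_idor(api, path_template, known_id, session_user, extra_ids=()):
    """Fetch the baseline record, then substitute each candidate id into the path.

    A hit needs a 200 and a body that differs from the baseline: a server that
    ignores the id and returns your own record is not an IDOR. A sensitive
    field in the body upgrades the finding type.
    """
    baseline_status, baseline_body = api(path_template.format(id=known_id), session_user)
    if baseline_status != 200:
        raise RuntimeError("baseline request failed; fix authentication before probing")
    findings = []
    for cid in candidate_ids(known_id, extra_ids):
        path = path_template.format(id=cid)
        status, body = api(path, session_user)
        if status != 200 or body == baseline_body:
            continue
        findings.append({
            "type": "IDOR with Sensitive Data" if SENSITIVE.search(body) else "IDOR",
            "url": path,
            "description": f"Path parameter IDOR test: replaced '{known_id}' with '{cid}'",
            "status": status,
            "response_sample": body[:120],
        })
    return findings


if __name__ == "__main__":
    for target in (vulnerable_api, fixed_api):
        report = {"target": target.__name__,
                  "findings": probe_idor(target, "/api/user/{id}", "1", "alice")}
        print(json.dumps(report, indent=2))
```

Against a live target the `api` argument would be a function that issues the HTTP request with the session cookie and returns `(status, body)`; the classification logic stays the same. The baseline comparison is the check worth keeping: a 200 alone is the most common IDOR false positive.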
### Installation
```bash
# Clone the repository
git clone <repository-url>
cd Cylinder
# Install dependencies
pip install -r requirements.txt
```

### Usage
```bash
# Test a target URL for IDOR vulnerabilities
python cylinder.py -u https://target.com
# Test with authentication cookies
python cylinder.py -u https://target.com -c "session=abc123; user_id=123"
# Test with custom headers
python cylinder.py -u https://target.com -H "Authorization: Bearer token123" -H "X-API-Key: key123"
# Enable all high-value tests (recommended for bug bounty hunting)
python cylinder.py -u https://target.com --all-high-value
# Test specific high-value areas
python cylinder.py -u https://target.com --privileged --payment --admin
# Test with sequential IDs and common high-value IDs
python cylinder.py -u https://target.com --sequential --common-ids
# Test with JWT token manipulation
python cylinder.py -u https://target.com --jwt "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
# Test GraphQL endpoints
python cylinder.py -u https://target.com --graphql
# Test with custom user IDs
python cylinder.py -u https://target.com -i "admin,root,system,user1,user2"
# Use proxy for testing
python cylinder.py -u https://target.com --proxy "http://127.0.0.1:8080"
# Save results to file
python cylinder.py -u https://target.com --output results.json
# Test with advanced path traversal
python cylinder.py -u https://target.com --advanced-traversal
```
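What the `--jwt` and `--jwt-advanced` probes do to a token, as an added example rather than Cylinder's own code: a sample HS256 token is minted under a constructed key, a claim-tampered variant (original signature kept) and an `alg=none` variant are derived from it, and both are run through a correct verifier and a flawed one. The key, the claim names and the `verify_strict` / `verify_lax` functions are assumptions for illustration; a scanner does not know the key and judges success by whether the target serves another user's object for the tampered token.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key, used only to mint the sample token. A real target's
# key is unknown to the scanner, which is why a correct verifier must reject
# every tampered token below.
DEMO_SECRET = b"constructed-demo-secret"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(payload: dict, key: bytes) -> str:
    """Mint a valid token, standing in for the one a target issues after login."""
    signing_input = f"{encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{encode_json(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def tamper_claim(token: str, claim: str, value) -> str:
    """Rewrite one payload claim and keep the original signature.
    Accepted only by servers that decode the payload but never verify it."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims[claim] = value
    return f"{header}.{encode_json(claims)}.{sig}"


def alg_none(token: str, claim: str, value) -> str:
    """Algorithm confusion to 'none': unsigned token carrying an edited claim.
    Accepted only by servers that let the header choose the algorithm."""
    _, payload, _ = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims[claim] = value
    return f"{encode_json({'alg': 'none', 'typ': 'JWT'})}.{encode_json(claims)}."


def verify_strict(token: str, key: bytes):
    """Correct verification: pin the algorithm, compare the MAC in constant time."""
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if alg != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


def verify_lax(token: str, key: bytes):
    """The flaw the alg=none probe detects: the header decides whether to check the MAC."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") == "none":
        return json.loads(b64url_decode(payload))
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


if __name__ == "__main__":
    token = mint_hs256({"sub": "123", "role": "user"}, DEMO_SECRET)
    for name, probe in (("tampered sub", tamper_claim(token, "sub", "1")),
                        ("alg=none", alg_none(token, "role", "admin"))):
        print(name, "strict:", verify_strict(probe, DEMO_SECRET),
              "lax:", verify_lax(probe, DEMO_SECRET))
```

The two probes isolate different server bugs: the tampered-claim token passes only where the signature is never checked, while the `alg=none` token passes where the algorithm is read from untrusted header input. A server that returns another user's object for either is the finding the scanner reports.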
### Ultra-Sophisticated Testing
```bash
# Enable all ultra-sophisticated attack vectors (maximum coverage)
python cylinder.py -u https://target.com --all-ultra-sophisticated
# Test specific ultra-sophisticated techniques
python cylinder.py -u https://target.com --graphql-introspection --jwt-advanced --prototype-pollution
# Test for SSRF and cache poisoning
python cylinder.py -u https://target.com --ssrf --cache-poisoning
# Test for injection vulnerabilities
python cylinder.py -u https://target.com --nosql-injection --ldap-injection --xxe
# Test for template and command injection
python cylinder.py -u https://target.com --template-injection --command-injection
# Test combined attack vectors
python cylinder.py -u https://target.com --combined-attacks --advanced-encoding
# Enable verbose output for detailed testing information
python cylinder.py -u https://target.com --verbose --all-high-value
```
### Basic Options
| Option | Description |
|---|---|
| `-u, --url` | Target URL (required) |
| `-c, --cookies` | Cookies string (format: `key1=value1; key2=value2`) |
| `-H, --headers` | Custom headers (can be used multiple times) |
| `-i, --ids` | Comma-separated list of custom IDs to test |
| `-v, --verbose` | Enable verbose output |
| `-t, --timeout` | Request timeout in seconds (default: 10) |
| `-p, --proxy` | Proxy URL (format: `http://127.0.0.1:8080`) |
| `-o, --output` | Output file for results (JSON format) |
| `--no-ssl-verify` | Disable SSL certificate verification |
| `--threads` | Number of concurrent threads (default: 5) |
| `--jwt` | JWT token to manipulate for testing |
| `--graphql` | Enable GraphQL-specific IDOR testing |

### High-Value Options
| Option | Description |
|---|---|
| `--all-high-value` | Enable all high-value IDOR tests |
| `--sequential` | Test sequential IDs (1-20, 100-120, 1000-1020) |
| `--common-ids` | Test common high-value IDs (admin, root, system, etc.) |
| `--privileged` | Test privileged endpoints (admin, management, etc.) |
| `--batch` | Test batch operations for IDOR |
| `--webhooks` | Test webhook endpoints for IDOR |
| `--files` | Test file operations for IDOR |
| `--admin` | Test admin functions for IDOR |
| `--payment` | Test payment endpoints for IDOR |
| `--api-keys` | Test API key endpoints for IDOR |
| `--oauth` | Test OAuth endpoints for IDOR |
| `--advanced-traversal` | Enable advanced path traversal testing |

### Ultra-Sophisticated Options
| Option | Description |
|---|---|
| `--all-ultra-sophisticated` | Enable all ultra-sophisticated attack vectors |
| `--graphql-introspection` | Enable GraphQL introspection testing |
| `--jwt-advanced` | Enable advanced JWT manipulation testing |
| `--prototype-pollution` | Enable prototype pollution testing |
| `--http-smuggling` | Enable HTTP request smuggling testing |
| `--ssrf` | Enable SSRF testing |
| `--cache-poisoning` | Enable cache poisoning testing |
| `--deserialization` | Enable deserialization testing |
| `--template-injection` | Enable template injection testing |
| `--nosql-injection` | Enable NoSQL injection testing |
| `--ldap-injection` | Enable LDAP injection testing |
| `--xxe` | Enable XML External Entity testing |
| `--ssi` | Enable Server-Side Includes testing |
| `--command-injection` | Enable command injection testing |
| `--advanced-encoding` | Enable advanced encoding bypass testing |
| `--combined-attacks` | Enable combined attack vector testing |
The script provides detailed output including:
- Real-time progress with spinner
- Color-coded severity levels (CRITICAL, HIGH, MEDIUM)
- Summary of findings by severity
- Detailed vulnerability table
When using `--output`, results are saved in JSON format:

```json
{
  "target": "https://target.com",
  "timestamp": "2024-01-01 12:00:00",
  "findings": [
    {
      "type": "IDOR",
      "url": "https://target.com/api/user/admin",
      "description": "Privileged endpoint test: /admin/ with ID admin",
      "status": 200,
      "severity": "CRITICAL",
      "response_sample": "..."
    }
  ]
}
```
- CRITICAL: Payment systems, admin functions, API keys, OAuth endpoints
- HIGH: Privileged endpoints, batch operations, webhooks, file operations
- MEDIUM: Standard IDOR vulnerabilities, parameter pollution, method switching
- Start with High-Value Tests: Use `--all-high-value` for maximum coverage
- Test Authenticated Endpoints: Always test with valid authentication, ideally with two accounts you control, so that a 200 response for another account's object can be confirmed against what that account is actually allowed to see
- Use Sequential IDs: Many applications use predictable ID sequences
- Test Admin Functions: Admin endpoints often contain the most valuable data
- Check Payment Systems: Financial data is highly valued by bug bounty programs
- Test File Operations: Document access can lead to significant bounties
- Use Verbose Mode: Detailed output helps understand the testing process
- Save Results: Always save results for later analysis and reporting
- Use Ultra-Sophisticated Techniques: For advanced targets, use `--all-ultra-sophisticated`; these probes send active injection and request-smuggling payloads, so confirm the program's rules allow them before enabling
- Test GraphQL Endpoints: GraphQL introspection can reveal sensitive schema information
- Check for Prototype Pollution: JavaScript applications may be vulnerable to prototype pollution
- Test SSRF Vulnerabilities: Internal service access can lead to high-value findings
- Look for Injection Vulnerabilities: NoSQL and LDAP injection can bypass authentication, and template injection can lead to server-side code execution
- Test Combined Attack Vectors: Multi-vector attacks can bypass multiple security controls
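How GraphQL introspection feeds IDOR testing, as an added example that is not Cylinder's own code: the introspection query is sent, the reply is checked for a schema (a reply carrying only `errors` means introspection is disabled), and the root query fields that take an `ID`, `Int` or `...Id` argument are harvested as the object lookups worth probing with substituted IDs. The `SAMPLE_RESPONSE` and `BLOCKED_RESPONSE` payloads are constructed so the example runs offline; the function names are assumptions.

```python
import json

# The introspection query a scanner sends (trimmed to the parts used here).
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    types {
      name kind
      fields {
        name
        args { name type { name kind ofType { name kind } } }
        type { name kind ofType { name kind } }
      }
    }
  }
}
"""

# Constructed introspection reply standing in for a live server's response.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "me", "args": [],
             "type": {"name": "User", "kind": "OBJECT", "ofType": None}},
            {"name": "user", "args": [{"name": "id", "type": {
                "name": None, "kind": "NON_NULL",
                "ofType": {"name": "ID", "kind": "SCALAR"}}}],
             "type": {"name": "User", "kind": "OBJECT", "ofType": None}},
            {"name": "invoice", "args": [{"name": "invoiceId", "type": {
                "name": "Int", "kind": "SCALAR", "ofType": None}}],
             "type": {"name": "Invoice", "kind": "OBJECT", "ofType": None}},
            {"name": "search", "args": [{"name": "q", "type": {
                "name": "String", "kind": "SCALAR", "ofType": None}}],
             "type": {"name": None, "kind": "LIST",
                      "ofType": {"name": "User", "kind": "OBJECT"}}},
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "email", "args": [],
             "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
    ]}}})

# Constructed reply from a server that has introspection disabled.
BLOCKED_RESPONSE = json.dumps({"errors": [{"message": "introspection is not allowed"}]})

ID_TYPES = {"ID", "Int"}


def introspection_enabled(response_text):
    """True when the reply carries a schema; an errors-only reply means it is blocked."""
    data = json.loads(response_text).get("data") or {}
    return data.get("__schema") is not None


def unwrap(gql_type):
    """Follow NON_NULL / LIST wrappers down to the named type."""
    while gql_type and gql_type.get("name") is None and gql_type.get("ofType"):
        gql_type = gql_type["ofType"]
    return gql_type or {}


def id_lookup_fields(response_text):
    """(field, argument, type) for root query fields taking an id-like argument."""
    if not introspection_enabled(response_text):
        return []
    schema = json.loads(response_text)["data"]["__schema"]
    root_name = schema["queryType"]["name"]
    root = next(t for t in schema["types"] if t["name"] == root_name)
    hits = []
    for field in root.get("fields") or []:
        for arg in field.get("args") or []:
            named = unwrap(arg["type"])
            if named.get("name") in ID_TYPES or arg["name"].lower().endswith("id"):
                hits.append((field["name"], arg["name"], named.get("name")))
    return hits


def build_probe(field, arg, arg_type, value):
    """Query to send with a substituted id; __typename is a safe minimal selection."""
    literal = str(value) if arg_type in ("Int", "Float", "Boolean") else json.dumps(str(value))
    return f"query {{ {field}({arg}: {literal}) {{ __typename }} }}"


if __name__ == "__main__":
    for field, arg, arg_type in id_lookup_fields(SAMPLE_RESPONSE):
        print(build_probe(field, arg, arg_type, 5))
```

To turn a probe into an IDOR finding, replace `__typename` with the scalar fields the schema lists for the returned object type (here `User.email`) and apply the same baseline comparison used for REST paths: a response that returns another account's data for a substituted id, not merely a 200, is the finding.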
This tool is designed for:
- Authorized security testing on systems you own or have permission to test
- Bug bounty programs where you have explicit authorization
- Educational purposes in controlled environments
Do not use this tool for:
- Unauthorized testing of systems you don't own
- Malicious attacks or data theft
- Testing production systems without permission
Contributions are welcome! Please feel free to submit pull requests or open issues for:
- New testing techniques
- Bug fixes
- Performance improvements
- Documentation updates
This project is licensed under the MIT License - see the LICENSE file for details.
This tool is provided for educational and authorized security testing purposes only. The authors are not responsible for any misuse of this tool. Always ensure you have proper authorization before testing any system.