Overview ¶
helpers.go
File: internal/analysis/auth/idor/idor.go
File: internal/analysis/auth/idor/analyzer.go
interface.go
File: internal/analysis/auth/idor/types.go
Index ¶
- Constants
- func ApplyTestValue(ctx context.Context, req *http.Request, body []byte, ident ObservedIdentifier, ...) (*http.Request, []byte, error)
- func GenerateTestValues(ident ObservedIdentifier, pool *IdentifierPool) ([]string, error)
- type Analyzer
- type AuthArtifacts
- type Config
- type ErrUnauthenticated
- type EvaluationResult
- type Finding
- type IDORAnalyzer
- type IdentifierLocation
- type IdentifierPool
- type IdentifierType
- type NilSession
- type ObservedIdentifier
- type RequestResponsePair
- type Session
- type Severity
Constants ¶
// Test-type labels stored in Finding.TestType. Each names the replay strategy
// that produced a finding; the Skip* fields of Config disable the matching
// strategy (no Skip* option is listed for ResourceEnumeration).
const (
	TestTypeHorizontal             = "Horizontal"             // Replay as the second authenticated user (Config.SecondSession); see Config.SkipHorizontal.
	TestTypeManipulation           = "Manipulation"           // See Config.SkipManipulation.
	TestTypeUnauthenticated        = "Unauthenticated"        // Replay without an authenticated session (cf. NilSession); see Config.SkipUnauthenticated.
	TestTypeHorizontalManipulation = "HorizontalManipulation" // (Strategic 5.1) See Config.SkipHorizontalManipulation.
	TestTypeResourceEnumeration    = "ResourceEnumeration"    // (Strategic 5.6) Existence oracle; cf. SeverityLow.
)
Variables ¶
This section is empty.
Functions ¶
func ApplyTestValue ¶
func ApplyTestValue(ctx context.Context, req *http.Request, body []byte, ident ObservedIdentifier, testValue string) (*http.Request, []byte, error)
ApplyTestValue takes an original HTTP request and its body and returns a new `http.Request`, together with the corresponding body, in which the identifier's value has been replaced by testValue.
func GenerateTestValues ¶
func GenerateTestValues(ident ObservedIdentifier, pool *IdentifierPool) ([]string, error)
GenerateTestValues creates a list of new values based on an observed identifier, prioritizing known-good values from the identifier pool.
Types ¶
type Analyzer ¶
// Analyzer defines the standard interface for an IDOR (Insecure Direct Object
// Reference) vulnerability scanner. It abstracts the underlying implementation
// of the analysis logic; NewIDORAnalyzer returns the concrete *IDORAnalyzer.
type Analyzer interface {
	// AnalyzeTraffic orchestrates the IDOR detection process. It takes a context
	// for cancellation, a slice of captured HTTP request-response pairs, and a
	// configuration object. It returns a slice of any discovered findings and an
	// error if the analysis could not be completed.
	AnalyzeTraffic(ctx context.Context, traffic []RequestResponsePair, config Config) ([]Finding, error)
}
Analyzer defines the standard interface for an IDOR (Insecure Direct Object Reference) vulnerability scanner. It abstracts the underlying implementation of the analysis logic.
func NewIDORAnalyzer ¶
func NewIDORAnalyzer(logger *log.Logger, comparer jsoncompare.JSONComparison) Analyzer
NewIDORAnalyzer creates a new instance of the IDORAnalyzer.
type AuthArtifacts ¶
// AuthArtifacts details the specific headers and cookies used for
// authentication by a session (Fix 3.1: Dynamic Request Sanitization).
// It is returned by Session.GetAuthArtifacts; NilSession returns it empty.
// NOTE(review): presumably consulted when a request is replayed under a
// different session so the original user's credentials are not carried over —
// confirm in the analyzer.
type AuthArtifacts struct {
	// HeaderNames is a set whose keys are the names of the headers (e.g., "Authorization").
	HeaderNames map[string]struct{}
	// CookieNames is a set whose keys are the names of the cookies (e.g., "session_id").
	CookieNames map[string]struct{}
}
AuthArtifacts details the specific headers and cookies used for authentication by a session. (Fix 3.1: Dynamic Request Sanitization)
type Config ¶
// Config encapsulates all the necessary configuration for running an IDOR
// analysis. It is passed by value to Analyzer.AnalyzeTraffic and Detect.
type Config struct {
	Session       Session // The primary authenticated session (User A).
	SecondSession Session // The secondary authenticated session for horizontal checks (User B).
	// Strategy configuration
	SkipHorizontal      bool // Option to skip standard horizontal checks.
	SkipManipulation    bool // Option to skip manipulation checks.
	SkipUnauthenticated bool // Option to skip unauthenticated checks.
	// (Strategic 5.1: Horizontal Manipulation)
	SkipHorizontalManipulation bool // Option to skip horizontal manipulation checks (Pita test).
	// (Fix 3.2: Safety Configuration)
	// Replaying POST, PUT, DELETE or PATCH against a live target can create,
	// modify or delete data, so these non-idempotent methods are opt-in.
	AllowUnsafeMethods bool // If true, allows testing of POST, PUT, DELETE, PATCH. Default is false.
	ComparisonOptions  jsoncompare.Options // Defines how JSON responses are normalized and compared.
	ConcurrencyLevel   int                 // The number of concurrent workers for replaying requests.
	// NOTE(review): the documentation does not state how a nil client or a zero
	// ConcurrencyLevel is handled — confirm in Detect before relying on defaults.
	// Supply a client with a timeout so a stalled replay cannot hang the analysis.
	HttpClient *http.Client // The HTTP client to use for replaying requests.
}
Config encapsulates all the necessary configuration for running an IDOR analysis.
type ErrUnauthenticated ¶
// ErrUnauthenticated is a custom error type; Message carries the error text.
// Error is defined on the pointer receiver, so only *ErrUnauthenticated
// satisfies error and callers should match it with errors.As.
type ErrUnauthenticated struct {
	Message string
}
ErrUnauthenticated is a custom error type.
func (*ErrUnauthenticated) Error ¶
func (e *ErrUnauthenticated) Error() string
type EvaluationResult ¶
// EvaluationResult holds the outcome of the response analysis for one replayed
// request. The *Override fields presumably replace the Finding's default
// Severity, TestType and Evidence when set — confirm against Detect.
type EvaluationResult struct {
	Vulnerable       bool                          // Whether the response analysis judged the replay vulnerable.
	ComparisonResult *jsoncompare.ComparisonResult // Detailed JSON comparison; pointer, so may be nil — confirm.
	SeverityOverride Severity                      // Non-empty presumably overrides the default Severity — TODO confirm.
	TestTypeOverride string                        // Non-empty presumably overrides the TestType label — TODO confirm.
	EvidenceOverride string                        // Non-empty presumably overrides the Evidence text — TODO confirm.
}
EvaluationResult holds the outcome of the response analysis.
type Finding ¶
// Finding represents a single, potential IDOR vulnerability discovered by the
// analyzer. Findings are returned by Detect and Analyzer.AnalyzeTraffic.
// NOTE(review): Evidence, TestedValue and ComparisonDetails can carry content
// from replayed requests and responses, potentially another user's data — treat
// findings as sensitive when logging or exporting; confirm what Detect stores.
type Finding struct {
	URL               string
	Method            string
	Evidence          string
	Severity          Severity
	TestType          string // e.g., "Horizontal", "Manipulation", "Unauthenticated", "HorizontalManipulation", "ResourceEnumeration"
	StatusCode        int    // Presumably the status of the replayed response — confirm in Detect.
	Identifier        *ObservedIdentifier           // Details about the identifier that was manipulated.
	TestedValue       string                        // The value used to replace the original identifier.
	ComparisonDetails *jsoncompare.ComparisonResult // The detailed result from the JSON comparison.
}
Finding represents a single, potential IDOR vulnerability discovered by the analyzer.
func Detect ¶
func Detect(ctx context.Context, traffic []RequestResponsePair, config Config, logger *log.Logger, comparer jsoncompare.JSONComparison, identifierPool *IdentifierPool) ([]Finding, error)
Detect is the core logic engine for the IDOR analysis. The identifierPool parameter was added in Strategic 5.2.
type IDORAnalyzer ¶
// IDORAnalyzer is the main orchestrator for the Insecure Direct Object Reference
// (IDOR) detection process. It implements the `Analyzer` interface; construct it
// with NewIDORAnalyzer, which takes a *log.Logger and a jsoncompare.JSONComparison.
type IDORAnalyzer struct {
	// contains filtered or unexported fields
}
IDORAnalyzer is the main orchestrator for the Insecure Direct Object Reference (IDOR) detection process. It implements the `Analyzer` interface.
func (*IDORAnalyzer) AnalyzeTraffic ¶
func (a *IDORAnalyzer) AnalyzeTraffic(ctx context.Context, traffic []RequestResponsePair, config Config) ([]Finding, error)
AnalyzeTraffic is the primary entry point for the IDOR analysis.
type IdentifierLocation ¶
// IdentifierLocation specifies the part of an HTTP request where an identifier
// was discovered; see the Location* constants.
type IdentifierLocation string
IdentifierLocation specifies the part of an HTTP request where an identifier was discovered.
// Locations an identifier can occupy in an HTTP message. ObservedIdentifier.Location
// holds the value; for identifiers found inside an encoded payload,
// ObservedIdentifier.ParentLocation records where the payload itself sat.
const (
	LocationURLPath    IdentifierLocation = "URLPath"
	LocationQueryParam IdentifierLocation = "QueryParam"
	LocationJSONBody   IdentifierLocation = "JSONBody"
	LocationXMLBody    IdentifierLocation = "XMLBody"
	LocationFormBody   IdentifierLocation = "FormBody" // URL-encoded or Multipart
	LocationHeader     IdentifierLocation = "Header"
	LocationCookie     IdentifierLocation = "Cookie"
	// (Strategic 5.3: Added location for encoded payloads)
	LocationEncodedPayload IdentifierLocation = "EncodedPayload"
)
type IdentifierPool ¶
// IdentifierPool stores unique observed identifiers categorized by type for
// realistic manipulation tests. Create it with NewIdentifierPool; populate it
// with Add and query it with Count and GetDifferent.
// NOTE(review): no synchronization is documented — confirm whether the pool is
// safe to share between the ConcurrencyLevel replay workers.
type IdentifierPool struct {
	// contains filtered or unexported fields
}
IdentifierPool stores unique observed identifiers categorized by type for realistic manipulation tests.
func NewIdentifierPool ¶
func NewIdentifierPool() *IdentifierPool
func (*IdentifierPool) Add ¶
func (p *IdentifierPool) Add(ident ObservedIdentifier)
Add inserts a new identifier into the pool.
func (*IdentifierPool) Count ¶
func (p *IdentifierPool) Count() int
Count returns the total number of unique identifiers in the pool.
func (*IdentifierPool) GetDifferent ¶
func (p *IdentifierPool) GetDifferent(idType IdentifierType, currentValue string) (string, bool)
GetDifferent returns a known-valid identifier of the same type that is different from the provided value.
type IdentifierType ¶
// IdentifierType enumerates the kinds of resource identifiers that the analyzer
// can detect; see the Type* constants.
type IdentifierType string
IdentifierType enumerates the kinds of resource identifiers that the analyzer can detect.
// Kinds of identifier the extractor recognizes. ObservedIdentifier.Type holds
// the value and IdentifierPool.GetDifferent looks up replacements by it.
const (
	TypeNumericID IdentifierType = "NumericID"
	TypeUUID      IdentifierType = "UUID"
	TypeHash      IdentifierType = "Hash" // MD5, SHA1, SHA256
	// (Strategic 5.3: Expanded Identifier Types)
	TypeEmail    IdentifierType = "Email"
	TypeUsername IdentifierType = "Username"
	TypeULID     IdentifierType = "ULID"
)
type NilSession ¶
// NilSession implements the Session interface but represents an unauthenticated
// state. Its methods have pointer receivers, so use &NilSession{} where a
// Session is required.
type NilSession struct{}
NilSession implements the Session interface but represents an unauthenticated state.
func (*NilSession) ApplyToRequest ¶
func (n *NilSession) ApplyToRequest(req *http.Request)
ApplyToRequest does nothing.
func (*NilSession) GetAuthArtifacts ¶
func (n *NilSession) GetAuthArtifacts() AuthArtifacts
GetAuthArtifacts returns empty artifacts.
func (*NilSession) IsAuthenticated ¶
func (n *NilSession) IsAuthenticated() bool
IsAuthenticated always returns false for a NilSession.
type ObservedIdentifier ¶
// ObservedIdentifier is a detailed record of a potential resource identifier
// found within an HTTP request (by ExtractIdentifiers) or response (by
// ExtractIdentifiersFromResponse). Finding.Identifier points at the instance
// that was manipulated, and String renders it for display.
type ObservedIdentifier struct {
	Value     string
	Type      IdentifierType
	Location  IdentifierLocation
	Key       string // The parameter name, JSON path, XPath, or encoded payload locator.
	PathIndex int    // The index in the URL path.
	// (Strategic 5.3) Fields for encoded payloads
	IsEncoded      bool               // Flag indicating if this ID was found within an encoded structure.
	EncodingType   string             // e.g., "Base64JSON", "JWT"
	ParentLocation IdentifierLocation // Where the encoded payload itself was located (e.g., Header)
	ParentKey      string             // The key of the encoded payload
}
ObservedIdentifier is a detailed record of a potential resource identifier found within an HTTP request.
func ExtractIdentifiers ¶
func ExtractIdentifiers(req *http.Request, body []byte) []ObservedIdentifier
ExtractIdentifiers scans all parts of an HTTP request (URL, headers, cookies, JSON/XML/Form body) to find potential resource identifiers. It returns a deduplicated slice.
func ExtractIdentifiersFromResponse ¶
func ExtractIdentifiersFromResponse(resp *http.Response, body []byte) []ObservedIdentifier
ExtractIdentifiersFromResponse scans response headers and body for identifiers.
func (ObservedIdentifier) String ¶
func (o ObservedIdentifier) String() string
type RequestResponsePair ¶
// RequestResponsePair is a data structure that holds a single, complete HTTP
// transaction. Bodies are kept alongside the parsed messages because
// ExtractIdentifiers and ExtractIdentifiersFromResponse take the body as a
// separate []byte argument.
type RequestResponsePair struct {
	Request      *http.Request
	RequestBody  []byte // Captured request body; presumably the Request.Body stream is not relied on — confirm.
	Response     *http.Response
	ResponseBody []byte // Captured response body.
}
RequestResponsePair is a data structure that holds a single, complete HTTP transaction.
type Session ¶
// Session defines a generic interface for an authenticated user session.
// Config.Session and Config.SecondSession supply the two users under test;
// NilSession is the unauthenticated implementation.
type Session interface {
	// IsAuthenticated reports whether the session is authenticated
	// (NilSession always returns false).
	IsAuthenticated() bool
	// ApplyToRequest modifies req in place to carry this session's
	// authentication (NilSession's implementation does nothing) — presumably
	// the headers and cookies named by GetAuthArtifacts; confirm against the
	// concrete sessions.
	ApplyToRequest(req *http.Request)
	// GetAuthArtifacts returns the names of headers and cookies that this session manages.
	GetAuthArtifacts() AuthArtifacts
}
Session defines a generic interface for an authenticated user session.
type Severity ¶
// Severity defines the severity level of an IDOR finding; see the Severity*
// constants.
type Severity string
Severity defines the severity level of an IDOR finding.
// Severity levels assigned to findings. The examples reflect how the analyzer
// grades each test type; EvaluationResult.SeverityOverride presumably replaces
// the default — confirm in Detect.
const (
	SeverityCritical Severity = "Critical" // e.g., Unauthenticated access or Horizontal Manipulation.
	SeverityHigh     Severity = "High"     // e.g., Standard Horizontal access.
	SeverityMedium   Severity = "Medium"   // e.g., Vertical Manipulation.
	SeverityLow      Severity = "Low"      // e.g., Resource Enumeration (Oracle) (Strategic 5.6)
)