IDOR-Tester
IDOR-Tester is an automated fuzzer for Insecure Direct Object References: it swaps object IDs in requests and diffs the responses to detect unauthorized access in APIs or web forms. Run its Python script against endpoints, customize payloads for numeric or UUID fields, and log hits for manual verification. Open-source from swisskyrepo, it's the ID swapper for pentesters templating broken access controls into vuln reports.
AccessFuzzer
AccessFuzzer is a parameter mutator that probes RBAC endpoints with role switches and privilege-escalation attempts, flagging over-permissions when restricted actions return 2xx responses. Configure scopes via YAML, run the Go CLI through a proxy for chained tests, and export anomalies. Open-source from assetnote, it's the role roller for security pros fuzzing horizontal access flaws.
Autorize
Autorize is an authorization oracle that maps API permissions by fuzzing user contexts, detecting BOLA via crafted requests that expose object-level leaks. Script its Python library for custom auth headers and run it against your scopes to build coverage matrices. Open-source from sashabaranov, it's the auth auditor for API pentesters charting access boundaries.
RBAC-Tester
RBAC-Tester is a role-based access checker that enumerates privileges across endpoints, simulating user switches to uncover missing least-privilege enforcement. Define roles in JSON, run it via the CLI for diff reports on allowed actions, and integrate it with CI. Community-maintained open source, it's the privilege profiler for devs templating RBAC gaps in reviews.
Burp Access Control
Burp Access Control is a Burp Suite extension that automates IDOR and BOLA tests by mutating user IDs in requests and comparing responses for unauthorized data disclosure. Install it in Burp Suite, select scopes, and run scans; flagged leaks come with evidence captures. Open-source from PortSwigger, it's the proxy permission prober for web pentesters validating controls inline.
AccessControlFuzzer
AccessControlFuzzer is a mutation engine for fuzzing access tokens and roles in APIs, detecting vertical escalation with crafted payloads against privilege checks. Configure it via Go flags, target GraphQL or REST, and log 403/200 response diffs for analysis. Open-source from frikilnik, it's the token tamperer for API security researchers probing hierarchy flaws.
ID Fuzzer
ID Fuzzer is a simple script for brute-forcing object IDs in URLs, swapping sequential values to hunt IDORs while monitoring response codes for access grants. Python-based and easy to extend; run it against endpoints with ID ranges for comprehensive coverage. Open-source from 3af, it's the ID intruder for web auditors templating direct reference tests.
AuthZ Checker
AuthZ Checker is a policy tester that validates authorization decisions against expected outcomes, fuzzing roles and scopes for over-grants in microservices. Define tests in YAML and execute them via the CLI for pass/fail verdicts with traces. Open-source from security-research, it's the decision debugger for backend pentesters verifying custom auth logic.
BOLA Hunter
BOLA Hunter is an API-specific fuzzer for Broken Object Level Authorization, mutating resource IDs across users to detect data leaks in REST and GraphQL endpoints. Set up scopes in its config and run the Python CLI for diff-based alerts on unauthorized reads. Open-source from PortSwigger, it's the object outlaw for API auditors hunting horizontal access slips.
RBAC-Validator