
mitmproxy-based IDOR detection tool - intercepts traffic and analyzes parameter relationships to find insecure direct object references

Project description

IDOR-otaku (idotaku)


IDOR-otaku — mitmproxy-based IDOR detection tool that intercepts traffic and analyzes parameter relationships to find insecure direct object references.

IDOR (Insecure Direct Object Reference) is a vulnerability where an application exposes internal object IDs (user IDs, order numbers, etc.) without proper authorization checks, allowing attackers to access other users' data by manipulating these IDs.

How It Works

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Browser   │────>│  mitmproxy  │────>│ API Server  │
└─────────────┘     └──────┬──────┘     └─────────────┘
                           │
                           v
                    ┌─────────────┐
                    │  idotaku    │
                    │  (tracker)  │
                    └──────┬──────┘
                           │
                           v
                    ┌─────────────┐
                    │   Report    │
                    │   (JSON)    │
                    └─────────────┘
  1. Intercept — Proxies browser traffic via mitmproxy
  2. Track — Records where IDs first appear (response) and where they are used (request)
  3. Detect — Flags IDs used in requests that never appeared in any response (IDOR candidates)
  4. Visualize — Renders parameter chains and API sequence diagrams as interactive HTML
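The Track and Detect steps above, as an added example that is not idotaku's own code: a minimal tracker that records where each ID first appears in a response and flags request IDs that no earlier response handed to the client. The ID regexes, the URLs and the JSON body are constructed for the example (idotaku's real patterns are configurable via idotaku.yaml); in a mitmproxy addon, `on_request` and `on_response` would be driven from the addon's `request` and `response` hooks.

```python
import re
from dataclasses import dataclass, field

# Assumed ID patterns for this example (idotaku's own are configurable).
# Order matters: UUIDs are matched and blanked first so their digit groups
# are not re-counted as numeric IDs.
ID_PATTERNS = {
    "uuid": re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I),
    "numeric": re.compile(r"(?<![\w.])\d{3,}(?![\w.])"),
}

def extract_ids(text: str) -> set[tuple[str, str]]:
    """Return (kind, value) pairs found in a URL or body."""
    found = set()
    for kind, rx in ID_PATTERNS.items():
        found.update((kind, m.group(0).lower()) for m in rx.finditer(text))
        text = rx.sub(" ", text)  # blank matched spans before the next pattern
    return found

@dataclass
class IdTracker:
    """Tracks the first response that exposed each ID and flags request IDs
    that the server never exposed (IDOR candidates, as in step 3 above)."""
    seq: int = 0
    first_seen: dict[str, dict] = field(default_factory=dict)  # id -> origin
    potential_idor: list[dict] = field(default_factory=list)

    def on_response(self, url: str, body: str) -> None:
        self.seq += 1
        for kind, value in extract_ids(body):
            self.first_seen.setdefault(value, {"seq": self.seq, "url": url, "kind": kind})

    def on_request(self, method: str, url: str, body: str = "") -> list[dict]:
        self.seq += 1
        flagged = []
        for kind, value in extract_ids(url + " " + body):
            if value not in self.first_seen:  # ID used before any response exposed it
                flagged.append({"seq": self.seq, "kind": kind, "id": value,
                                "request": f"{method} {url}"})
        self.potential_idor.extend(flagged)
        return flagged

def demo() -> IdTracker:
    """Constructed session: the first response hands out user 1001 and one order UUID."""
    t = IdTracker()
    order = "7d9f3c2a-5e1b-4c8d-9a7f-2b6e4d1c8f3a"  # constructed sample UUID
    t.on_response("https://shop.example/api/me", f'{{"user_id": 1001, "orders": ["{order}"]}}')
    t.on_request("GET", "https://shop.example/api/users/1001")       # exposed earlier: not flagged
    t.on_request("GET", f"https://shop.example/api/orders/{order}")  # exposed earlier: not flagged
    t.on_request("GET", "https://shop.example/api/users/1002")       # never in a response: flagged
    return t
```

A real capture needs the same false-positive handling idotaku exposes through its config: plain numeric fields such as totals or timestamps in response bodies are recorded as "seen" by this heuristic, so tighter patterns or per-endpoint filters reduce noise.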

Requirements

  • Python 3.10+
  • mitmproxy 10.0+

Installation

pip install idotaku

Quick Start

# Interactive mode (recommended for beginners)
idotaku -i

# Start proxy directly
idotaku

# Analyze report
idotaku report id_tracker_report.json
idotaku chain id_tracker_report.json --html chain.html
idotaku sequence id_tracker_report.json --html sequence.html

# Import HAR file (from Chrome DevTools, Burp Suite, etc.)
idotaku import-har capture.har -o report.json

Commands

Analysis

Command      Description
report       View IDOR detection report summary
chain        Detect parameter chains, with --html export and --domains filter
sequence     API sequence diagram, with --html export and ID highlighting
lifeline     Show parameter lifespan analysis
score        Risk-score IDOR candidates (critical / high / medium / low)
auth         Detect cross-user access patterns via auth context
diff         Compare two reports and show changes
interactive  Launch interactive mode with guided menus

Configuration

Command                   Description
config init               Create default idotaku.yaml in the current directory
config show               Show effective configuration (defaults + config file)
config get <key>          Get a single config value (supports dotted keys: patterns.uuid)
config set <key> <value>  Set a config value in the YAML file
config validate           Validate config file syntax, types, and regex patterns
config path               Print the path to the active config file

Interactive mode (-i) also provides a guided setup wizard for editing settings.

Import & Export

Command     Description
import-har  Import HAR file and generate idotaku report
csv         Export IDOR candidates or flows to CSV
sarif       Export findings to SARIF 2.1.0 (GitHub Code Scanning)

Programmatic API

from idotaku.report import load_report, score_all_findings, diff_reports
from idotaku.export import export_csv, export_sarif
from idotaku.import_har import import_har

# Load a report produced by the proxy and risk-score its IDOR candidates
data = load_report("report.json")
scored = score_all_findings(data.potential_idor)

# Export candidates to CSV and all findings to SARIF 2.1.0
export_csv("idor.csv", data, mode="idor")
export_sarif("findings.sarif.json", data)

# Build a report from a HAR capture instead of live proxy traffic
report = import_har("capture.har")

# Diff two reports (e.g. before and after a fix)
diff = diff_reports(load_report("old.json"), load_report("new.json"))

Documentation

Contributing

# Clone and install with dev dependencies
git clone https://github.com/RalianENG/IDOR-otaku.git
cd idotaku
pip install -e ".[dev]"

# Run tests
pytest

# Run tests with coverage
pytest --cov=idotaku

# Lint
ruff check src/

Bug reports and pull requests are welcome on GitHub Issues.

Disclaimer

This tool is intended for authorized security testing and educational purposes only. You must obtain proper authorization before testing any systems you do not own. The authors are not responsible for any misuse or damage caused by this tool. Use at your own risk and in compliance with all applicable laws.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

idotaku-0.2.0.tar.gz (110.7 kB)

Uploaded: Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

idotaku-0.2.0-py3-none-any.whl (75.6 kB)

Uploaded: Python 3

File details

Details for the file idotaku-0.2.0.tar.gz.

File metadata

  • Download URL: idotaku-0.2.0.tar.gz
  • Upload date:
  • Size: 110.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for idotaku-0.2.0.tar.gz
Algorithm Hash digest
SHA256 3a121050236b51c995ba326d92c50805b5e252340c433a6110b61042a8364444
MD5 d930a90ccdc4da361877f6e2c65277f5
BLAKE2b-256 96030940ea5f21ab5a372352ad00279de09522ee4326757f5712c95dec2c3231


Provenance

The following attestation bundles were made for idotaku-0.2.0.tar.gz:

Publisher: publish.yml on RalianENG/IDOR-otaku

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file idotaku-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: idotaku-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 75.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for idotaku-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 21aeb6e5bf8bb3c7f4207226577f57fa1d3bc3abb8e84f94bb580e3c05467bab
MD5 b08676b72dd0c63649a0eb26be05d8cd
BLAKE2b-256 bd5db94a62b6879386527e1fb29668060e165a2ebcdf8f2121633b09858262f4


Provenance

The following attestation bundles were made for idotaku-0.2.0-py3-none-any.whl:

Publisher: publish.yml on RalianENG/IDOR-otaku

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
