# Access Control Testing (/test-access)

/test-access is now a compatibility router. Real execution should prefer the dedicated skills:

- /test-access-idor
- /test-access-authz
- /test-access-matrix

These dedicated entrypoints keep the same methodology while avoiding the old monolithic prompt load.

```
/test-access <target_url> [scope] [engagement_dir]
/test-access <target_url> --scope <idor|authz|matrix> [engagement_dir]
```
## Scope Routing

| Scope | Dedicated Skill | Focus |
|---|---|---|
| idor | /test-access-idor | Unauthenticated access sweep, object reference enumeration, all IDOR variants (numeric, UUID, encoded, nested) |
| authz | /test-access-authz | Function-level access control, multi-step authorization bypass, API access control, privilege escalation patterns |
| matrix | /test-access-matrix | Multi-user access matrix generation, cross-role endpoint testing |
## Coverage by Sub-Skill

- /test-access-idor: tests every discovered endpoint without authentication, then covers numeric ID iteration, UUID manipulation, encoded IDs, nested references, GraphQL IDs, file/export/download IDOR, and other advanced object-reference patterns.
- /test-access-authz: covers admin/function-level access control, multi-step authorization bypass, API method/version/content-type tricks, privilege escalation, mass assignment, and 403-bypass style confirmation attempts.
- /test-access-matrix: generates a cross-role access matrix, compares status and response-size anomalies, and turns interesting cells into verification candidates.
## Router Behavior

If --scope is supplied, /test-access immediately routes to the matching dedicated skill. Without --scope, the intended execution order is:

1. /test-access-idor
2. /test-access-authz
3. /test-access-matrix
## Model and Thinking Budget

| Component | Model | Rationale |
|---|---|---|
| /test-access-idor | Opus (high) | Heavy endpoint sweep plus object-reference reasoning |
| /test-access-authz | Opus (high) | Protected-function comparison and privilege reasoning |
| /test-access-matrix | Opus (high) | Multi-role anomaly triage and proof conversion |
## Kill Switch
| Limit | Value |
|---|---|
| Timeout | 45 minutes |
| Max requests | 500 (warning at 400) |
| Stealth | stealth_curl() with jitter |
## Critical Behaviors Preserved
- ALL discovered endpoints still need unauthenticated coverage before deep IDOR conclusions.
- All object-bearing endpoints still need explicit IDOR verification.
- Authz anomalies still require proof of unauthorized data or function, not just a status-code delta.
- Matrix anomalies still need manual verification before they become findings.
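The matrix step described above (cross-role cells compared on status and response size, with anomalies kept as verification candidates rather than findings), as an added illustration that is not part of the skill's own code: a small offline triage over an already-collected role/endpoint matrix. The role ranking, endpoint paths, statuses and body sizes are constructed assumptions for the example.

```python
from dataclasses import dataclass

RANK = {"anon": 0, "user": 1, "admin": 2}  # assumed privilege order, low to high

@dataclass(frozen=True)
class Cell:  # one matrix cell: what one role got back from one endpoint
    role: str
    endpoint: str
    status: int
    size: int  # response body length in bytes

def allowed(status: int) -> bool:
    return 200 <= status < 300

def triage(cells, size_tolerance=0.05):
    """Return (endpoint, role, reason) verification candidates, not findings."""
    by_endpoint = {}
    for c in cells:
        by_endpoint.setdefault(c.endpoint, []).append(c)
    candidates = []
    for endpoint, rows in by_endpoint.items():
        rows = sorted(rows, key=lambda c: RANK[c.role])
        top = rows[-1]  # most privileged role is the reference response
        for i, low in enumerate(rows[:-1]):
            if not allowed(low.status):
                continue
            # A lower role succeeding where a higher role is denied breaks the
            # expected monotone privilege order on this endpoint.
            if any(not allowed(h.status) for h in rows[i + 1:]):
                candidates.append((endpoint, low.role, "allowed where a higher role is denied"))
            # Same 2xx and near-identical size as the reference may be the same
            # privileged payload; legitimate for shared endpoints, so verify by hand.
            elif allowed(top.status) and top.size and abs(low.size - top.size) / top.size <= size_tolerance:
                candidates.append((endpoint, low.role, f"same status and size as {top.role}"))
    return candidates

# Constructed sample matrix: hypothetical paths, statuses and body sizes.
SAMPLE = [Cell(*row) for row in [
    ("anon", "/api/admin/users", 401, 52), ("user", "/api/admin/users", 403, 61),
    ("admin", "/api/admin/users", 200, 4820),
    ("anon", "/api/reports/export", 401, 52), ("user", "/api/reports/export", 200, 4790),
    ("admin", "/api/reports/export", 200, 4810),
    ("anon", "/api/me", 401, 52), ("user", "/api/me", 200, 300), ("admin", "/api/me", 200, 360),
    ("anon", "/api/billing/invoices", 200, 2100), ("user", "/api/billing/invoices", 403, 61),
    ("admin", "/api/billing/invoices", 200, 2100),
]]

if __name__ == "__main__":
    for endpoint, role, reason in triage(SAMPLE):
        print(f"VERIFY {role:6} {endpoint:24} {reason}")
```

Per-user endpoints such as the constructed /api/me produce different sizes per role and are not flagged; the two flagged cells are only candidates until a reproducible proof of unauthorized data or function exists.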
## Knowledge Packs and Cheatsheets
| Resource | Path |
|---|---|
| Shared router bootstrap | helpers/scope-bootstrap.md |
| IDOR knowledge pack | helpers/knowledge-idor.md (loaded only by /test-access-idor) |
| 403 bypass pack | helpers/knowledge-403-bypass.md (loaded only by /test-access-authz) |
| Access control cheatsheet | helpers/cheatsheet-access.md |
| Research terms | helpers/research-terms.md |
| Exemplars | helpers/exemplars.md |
External payload files: PayloadsAllTheThings IDOR techniques, mass assignment payloads, open redirect intruder lists.
## Safety
- Only read data you are authorized to see.
- Never modify other users' data.
- Stop after proving access to ONE unauthorized resource per endpoint.
- All findings require a working, reproducible PoC.