Find exposed admin routes, unauthenticated APIs, sequential IDs, and mass data exposure.
Overview
Insecure Direct Object Reference (IDOR) happens when routes trust user-supplied IDs instead of verifying ownership. This scanner safely probes common admin/API routes and discovered endpoints for broken access control signals.
What this scanner does
Checks exposed admin panels, API documentation, unauthenticated API routes, sequential numeric IDs, mass-list endpoints, dangerous methods, and robots.txt entries that reveal internal paths.
Why it matters
Broken access control is the top OWASP risk. It turns normal user accounts or public endpoints into data-extraction paths when server-side ownership checks are missing.
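The following is an added example, not code from the scanner or its vendor, showing the failure the Overview describes and the two-actor check listed under "Related checks" below: a handler that trusts the user-supplied id beside one that scopes the lookup to the caller, plus a small test that drives both with two accounts. The in-memory document table, the function names and the `Response` type are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed in-memory "database": document id -> owner and body.
# The small sequential integer ids mirror the pattern the scanner flags,
# because once one id is known the rest are trivial to enumerate.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's tax return"},
    2: {"owner": "bob", "body": "bob's medical record"},
    3: {"owner": "alice", "body": "alice's payslip"},
}


@dataclass
class Response:
    status: int
    body: object = None


def vulnerable_get_document(current_user: str, doc_id: int) -> Response:
    """Vulnerable handler: the route trusts the id from the request and never
    checks that current_user owns the record, so any authenticated user can
    read any document just by changing the id."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return Response(404)
    return Response(200, doc["body"])


def safe_get_document(current_user: str, doc_id: int) -> Response:
    """Hardened handler: the lookup is scoped to the caller. A record that
    exists but belongs to someone else is answered exactly like a missing
    one (404), so the response does not reveal whether the id is in use."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        return Response(404)
    return Response(200, doc["body"])


def two_actor_check(handler, owner: str, other: str, doc_id: int) -> dict:
    """Two-actor test: the owner must be able to read the resource and a
    second authenticated account must not. Returns a small report; the
    'idor' flag is set when both actors get a 200 for the same record."""
    owner_resp = handler(owner, doc_id)
    other_resp = handler(other, doc_id)
    return {
        "owner_can_read": owner_resp.status == 200,
        "cross_account_denied": other_resp.status in (403, 404),
        "idor": owner_resp.status == 200 and other_resp.status == 200,
    }


def sequential_id_check(ids) -> bool:
    """True when the observed ids form a consecutive integer run, the
    'sequential numeric IDs' signal from the scanner description."""
    ids = sorted(ids)
    return len(ids) >= 3 and all(b - a == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    # bob owns document 2; alice is the second actor.
    print("vulnerable:", two_actor_check(vulnerable_get_document, "bob", "alice", 2))
    print("hardened:  ", two_actor_check(safe_get_document, "bob", "alice", 2))
    print("sequential ids:", sequential_id_check(DOCUMENTS.keys()))
```

The important design point is in `safe_get_document`: ownership is part of the lookup itself, not a check bolted on afterwards, and a foreign record is indistinguishable from a nonexistent one. The same two-actor report can be generated against any handler that takes a caller identity and a resource id, which is how the tenant-isolation check is applied across a whole API.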
Common findings
OWASP Top 10 coverage
Get a full security report with AI-powered fix suggestions in 30 seconds. No setup required.
Related checks
Vulnerability Detection
Use two authenticated test actors to verify tenant-scoped resources cannot be read across accounts.
Vulnerability Detection
Test your login, signup, and password reset flows for common security weaknesses.
Configuration Audit
Audit your Supabase project for RLS misconfigurations, exposed APIs, and insecure auth settings.