Vulnerability Detection | A01:2021

IDOR & Broken Access Control Scanner

Find exposed admin routes, unauthenticated APIs, sequential IDs, and mass data exposure.

Insecure Direct Object Reference (IDOR) happens when routes trust user-supplied IDs instead of verifying ownership. This scanner safely probes common admin/API routes and discovered endpoints for broken access control signals.
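The ownership check described above, as an added example that is not part of the scanner or this page: a constructed in-memory invoices API with the IDOR-prone handler beside the fixed one, plus a two-actor regression check of the kind the Tenant Isolation Scanner listed below performs. All names, IDs and amounts are made up for the illustration.

```python
# Added example (not the scanner's code): a minimal in-memory "invoices" API
# showing the IDOR pattern the page describes and the server-side fix.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int


# Constructed sample data: sequential IDs belonging to two different users,
# exactly the shape that makes an unscoped lookup enumerable.
INVOICES = {
    1001: Invoice(1001, owner_id=7, total_cents=4200),
    1002: Invoice(1002, owner_id=9, total_cents=99900),
    1003: Invoice(1003, owner_id=7, total_cents=1500),
}


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """IDOR: the route trusts the client-supplied id and never checks ownership."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(session_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Scope the lookup to the authenticated user. A record that exists but
    belongs to someone else is reported exactly like a missing one (None -> 404),
    so the endpoint does not confirm which sequential IDs are valid."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        return None
    return inv


def list_invoices_fixed(session_user_id: int) -> List[Invoice]:
    """List endpoints need the same filter: never hand back the whole table."""
    return [inv for inv in INVOICES.values() if inv.owner_id == session_user_id]


def cross_account_read_leaks(handler: Callable[[int, int], Optional[Invoice]]) -> bool:
    """Two-actor regression check: user 9 requests invoice 1001, owned by user 7.
    Returns True when the handler hands over another owner's record."""
    other = handler(9, 1001)
    return other is not None and other.owner_id != 9
```

Wire `cross_account_read_leaks` into the test suite for every handler that takes an object id, so a missing ownership check fails CI instead of surfacing in a scan.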

What this scanner does

Checks exposed admin panels, API documentation, unauthenticated API routes, sequential numeric IDs, mass-list endpoints, dangerous methods, and robots.txt entries that reveal internal paths.

Why it matters

Broken access control is the top-ranked OWASP Top 10 risk. When server-side ownership checks are missing, ordinary user accounts or public endpoints become data-extraction paths.

Common findings

  • Unauthenticated API endpoint returns data
  • Sequential IDs in sensitive routes
  • Admin route reachable without login redirect
  • List endpoint returns bulk records publicly

OWASP Top 10 coverage

A01:2021 Broken Access Control

Run this check on your site

Get a full security report with remediation guidance in 30 seconds. No setup required.


Related security checks

Vulnerability Detection

Tenant Isolation Scanner

Use two authenticated test actors to verify tenant-scoped resources cannot be read across accounts.

Vulnerability Detection

Authentication Flow Scanner

Test your login, signup, and password reset flows for common security weaknesses.

Configuration Audit

Supabase Security Scanner

Audit your Supabase project for RLS misconfigurations, exposed APIs, and insecure auth settings.
