June 16, 2026
How to Find IDOR Vulnerabilities in a Laravel App
A free Claude Code skill that checks the authorization on every Laravel route and flags broken object-level access (IDOR / BOLA).
Artem Proshkovskyi
3 min read
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
The bug hiding in plain sight
Here is a route that looks fine. A controller method "show" takes an id from the URL, then returns an OrderResource for Order::findOrFail($id).
It has auth middleware. It passes your linter. It passes your scanner.
And any logged-in user can read any order by changing the ID in the URL.
This is IDOR, broken object-level authorization. It is number one on the OWASP API Security Top 10. And it is the one class of bug that static scanners structurally cannot find.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Why scanners miss it
Scanners trace untrusted input. They are good at "this value flows into a query without escaping."
But IDOR is not about data flow. It is about intent. The real question is: should this record belong to the current user? A scanner has no idea. Answering it needs reasoning across the route, the middleware, the controller, the policy, and the query.
That is human work. Or now, LLM work.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What this skill does
laravel-authorization-review is a Claude Code skill. You ask it to review your app, and it walks the full authorization chain of every route:
middleware, then authorize or policy or gate, then query scoping, then API resource output.
For each route it tells you what is protected and what is not. Then it gives you a coverage map and a short, prioritized list of holes to fix.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
It does not hallucinate
The skill is anchored to real data. It runs php artisan route:list --json, which is the exact list of every endpoint and its middleware. Every finding points to a real route and a real file and line number.
If it cannot point to both, it does not report it. Each finding also carries a confidence level, High, Medium, or Low, so you know what is a sure thing and what needs a second look.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
The fix it points you to
For the route above, it would flag the missing ownership check and suggest route-model binding with an authorize call: a "show" method that receives the Order directly, calls $this->authorize('view', $order), then returns the resource.
Clear evidence, clear fix. You apply it.
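The vulnerable method and the two usual Laravel fixes side by side, as an added example that is not from the post or the skill's repository. It assumes an Order model with a user_id column, a User model with an orders() hasMany relation, an OrderResource, and an OrderPolicy registered for Order; namespace declarations are left out so both classes fit one listing.

```php
<?php
// Added illustration, not the skill's own code. Assumes Order has a user_id
// column, User has an orders() relation, and OrderPolicy is registered.

use App\Http\Resources\OrderResource;
use App\Models\Order;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;

// app/Http/Controllers/OrderController.php
class OrderController extends Controller
{
    use AuthorizesRequests; // provides $this->authorize()

    // BEFORE (the IDOR): the auth middleware proves the caller is logged in,
    // but nothing proves the requested order belongs to the caller.
    public function showVulnerable(int $id): OrderResource
    {
        return new OrderResource(Order::findOrFail($id));
    }

    // AFTER, option 1: route-model binding plus a policy check.
    // Route: Route::get('/orders/{order}', [OrderController::class, 'show']);
    // authorize() throws AuthorizationException (HTTP 403) when the policy
    // returns false, so a foreign order is loaded but never returned.
    public function show(Order $order): OrderResource
    {
        $this->authorize('view', $order);
        return new OrderResource($order);
    }

    // AFTER, option 2: scope the query to the current user. A foreign id is
    // simply not found (HTTP 404) and the record is never loaded at all.
    public function showScoped(Request $request, int $id): OrderResource
    {
        $order = $request->user()->orders()->findOrFail($id);
        return new OrderResource($order);
    }
}

// app/Policies/OrderPolicy.php
class OrderPolicy
{
    // Ownership is the whole question: does this record belong to this user?
    public function view(User $user, Order $order): bool
    {
        return $user->id === $order->user_id;
    }
}
```

Option 1 is what the post's suggested fix describes; option 2 is the "query scoping" link in the chain the skill walks, and either one closes the hole for this route.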
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
It never edits your code
Like every skill in this library, it is advice-only. It reads your code, runs one read-only command, and reports. It never changes a route, a policy, or a controller. You make every fix yourself.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Try it
Install one folder. Run this in your project:
npx degit ArtemProshkovskiy/laravel-maintenance-skills/skills/laravel-authorization-review .claude/skills/laravel-authorization-review
Then ask: "find IDOR in this app" or "which routes have no auth?"
You can even point it at a single pull request: "review authorization on this PR's new routes".
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Why it matters
Access control bugs do not crash. They leak. They sit quietly until someone notices they can read other people's data.
A scanner will not save you here. A reasoning pass over your real routes will. That is what this skill does.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Get it on GitHub
The skill is free and open source. Code, install steps, and the other skills in the library are here:
https://github.com/ArtemProshkovskiy/laravel-maintenance-skills
If this helped you, a star on GitHub means a lot and helps other Laravel devs find it. Thank you.
Built by Artem Proshkovskyi. Free and open source (MIT).