// Web AppSec

AI-Assisted SSRF & IDOR: Cloud-Era Patterns

SSRF and IDOR are among the highest-ROI bug classes in cloud-era SaaS: SSRF because a single outbound fetch can reach cloud metadata and internal services, IDOR because a single unchecked id crosses a tenant boundary. Both reward systematic enumeration of every fetch site and every load-by-id handler, which is exactly the kind of repetitive review an LLM handles well.

Updated 2026-06-05 · 8 min read
Vendor-neutral · primary sources

SSRF patterns to grep for

  • URL fetchers with no host allowlist, or with one enforced by a weak regex (substring or prefix match on the hostname, no anchoring).
  • Webhook senders that accept an arbitrary destination URL from the customer.
  • Image proxies, OG-image renderers and PDF generators that drive a headless browser (the browser follows redirects and fetches subresources on the server's behalf).
  • Server-side OAuth callback handlers that fetch a userinfo URL taken from attacker-influenced provider metadata.
  • Cloud-metadata access (169.254.169.254) reached via DNS rebinding, a redirect hop, or alternative encodings of the address (decimal, octal, IPv4-mapped IPv6) that slip past string-based filters.
# Prompt
Identify every outbound fetch in this repo where the URL is influenced by user input. For each, evaluate: scheme allowlist, host allowlist, redirect handling, DNS-rebinding protection, response-size cap. Output a risk table.
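An added example, not code from the page, of what the five columns in the prompt's risk table look like once implemented: a scheme allowlist, an optional host allowlist, redirect hops re-validated one at a time instead of auto-followed by the HTTP client, DNS resolved once with every answer checked and the chosen address pinned for the connection (the DNS-rebinding defence), and a byte cap on the streamed response. The host names, the fake resolver and its answers are constructed test data; `ALLOWED_SCHEMES`, `MAX_REDIRECTS` and `MAX_RESPONSE_BYTES` are assumed policy values.

```python
import ipaddress
import socket
from typing import Callable, FrozenSet, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Assumed policy values for this example.
ALLOWED_SCHEMES = frozenset({"https"})
MAX_REDIRECTS = 3
MAX_RESPONSE_BYTES = 1_000_000

Resolver = Callable[[str], List[str]]


class UnsafeURL(ValueError):
    """A user-influenced URL failed one of the outbound checks."""


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer for host via getaddrinfo (not used by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip: str) -> bool:
    """True only for globally routable addresses; everything else fails closed.

    Rejects RFC 1918, loopback, 169.254/16 (cloud metadata), fc00::/7, fe80::/10,
    multicast, reserved and unspecified. IPv4-mapped IPv6 such as
    ::ffff:169.254.169.254 is unmapped first so the IPv4 rules apply to it.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, resolver: Resolver = system_resolver,
                          allowed_hosts: Optional[FrozenSet[str]] = None) -> Tuple[str, str]:
    """Return (url, pinned_ip) if the fetch passes every check, else raise UnsafeURL.

    allowed_hosts=None means any public host is acceptable (the webhook-sender case).
    The caller must connect to pinned_ip instead of re-resolving, so an answer that
    changes between check and connect (rebinding) cannot retarget the fetch.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL")  # https://trusted.example@10.0.0.1/ style
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased, brackets stripped
    if not host:
        raise UnsafeURL("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host not allowlisted: {host!r}")
    try:
        ipaddress.ip_address(host)  # literal address: nothing to resolve
        ips = [host]
    except ValueError:
        ips = resolver(host)  # also catches "2852039166"-style decimals: the resolver answers, the check below decides
    if not ips:
        raise UnsafeURL(f"no address for host {host!r}")
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:  # one non-public answer fails the whole host
        raise UnsafeURL(f"{host!r} resolves to non-public address(es): {bad}")
    return url, ips[0]


def follow_redirect_chain(first_url: str, locations: Iterable[str],
                          resolver: Resolver = system_resolver,
                          allowed_hosts: Optional[FrozenSet[str]] = None) -> List[Tuple[str, str]]:
    """Validate each Location hop the server returns rather than letting the client auto-follow.

    locations is the sequence of Location header values observed; each is resolved
    relative to the previous hop and put through the same checks as the first URL.
    """
    hops = [validate_outbound_url(first_url, resolver, allowed_hosts)]
    for location in locations:
        if len(hops) - 1 >= MAX_REDIRECTS:
            raise UnsafeURL(f"more than {MAX_REDIRECTS} redirects")
        hops.append(validate_outbound_url(urljoin(hops[-1][0], location), resolver, allowed_hosts))
    return hops


def read_capped(chunks: Iterable[bytes], limit: int = MAX_RESPONSE_BYTES) -> bytes:
    """Accumulate a streamed body, aborting as soon as it exceeds limit bytes."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > limit:
            raise UnsafeURL(f"response exceeded {limit} bytes")
    return bytes(buf)


# Constructed DNS answers so the demo runs offline; 8.8.8.8 stands in for any public address.
FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "rebind.example.com": ["8.8.8.8", "169.254.169.254"],  # one honest answer, one to metadata
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for probe in ["https://hooks.example.com/notify", "http://hooks.example.com/notify",
                  "https://rebind.example.com/", "https://169.254.169.254/latest/meta-data/",
                  "https://[::ffff:169.254.169.254]/", "https://hooks.example.com@rebind.example.com/",
                  "file:///etc/passwd"]:
        try:
            print("ALLOW", validate_outbound_url(probe, fake_resolver))
        except UnsafeURL as exc:
            print("DENY ", probe, "->", exc)
```

Pinning the address only helps if the HTTP client actually connects to `pinned_ip` while still sending the original Host header and verifying the TLS certificate against the original hostname; most clients need a custom transport or connection pool for that. Note that the documentation ranges (192.0.2.0/24, 203.0.113.0/24) count as non-public in `ipaddress`, so tests need a genuinely routable address.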

IDOR patterns to grep for

  • Endpoints that load a row by the id in the URL and never compare the row's tenant_id to the caller's.
  • GraphQL resolvers that authorise the parent object but not a child field that loads another row by id.
  • Signed-URL issuers that will sign whatever object key the user supplies, combined with predictable keys.
  • Bulk endpoints (PATCH /items) that iterate over the supplied ids without a per-item authorisation check.
  • Admin endpoints hidden only by a UI feature flag; the server still serves them to any authenticated user.

FAQ

Best single prompt to find IDOR?

'List every controller action that loads a row by id and then renders or mutates it. For each, show the exact line that enforces tenant_id == current_user.tenant_id, or mark MISSING.'
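A worked example, added here and not taken from the page, of the first and fourth bullets in the IDOR list above and of the `tenant_id == current_user.tenant_id` check the prompt asks the model to locate. It uses an in-memory SQLite table with constructed rows; the `items` schema, the tenant ids and the function names are assumptions. Each vulnerable handler is paired with its hardened form so the "MISSING" line and the fixed line sit side by side.

```python
import sqlite3
from typing import Any, Dict, Iterable, Optional


class Forbidden(Exception):
    """The caller referenced a row outside its tenant."""


# Assumed schema: every row carries the tenant that owns it.
SCHEMA = """
CREATE TABLE items (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,
    name      TEXT    NOT NULL,
    archived  INTEGER NOT NULL DEFAULT 0
);
"""
# Constructed rows: tenant 100 owns ids 1 and 2, tenant 200 owns id 3.
SEED = [(1, 100, "acme-invoice", 0), (2, 100, "acme-contract", 0), (3, 200, "globex-invoice", 0)]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", SEED)
    conn.commit()
    return conn


# --- GET /items/<id> ---------------------------------------------------------

def get_item_vulnerable(conn: sqlite3.Connection, current_tenant: int,
                        item_id: int) -> Optional[Dict[str, Any]]:
    """IDOR: scoped by the URL id only. current_tenant is accepted but never compared."""
    row = conn.execute("SELECT * FROM items WHERE id = ?", (item_id,)).fetchone()
    return dict(row) if row else None


def get_item(conn: sqlite3.Connection, current_tenant: int,
             item_id: int) -> Optional[Dict[str, Any]]:
    """Fixed: the tenant predicate is part of the query, so a foreign id looks exactly
    like a missing one (a 404, not a 403, which would otherwise confirm the id exists)."""
    row = conn.execute(
        "SELECT * FROM items WHERE id = ? AND tenant_id = ?", (item_id, current_tenant)
    ).fetchone()
    return dict(row) if row else None


# --- PATCH /items (bulk archive) ----------------------------------------------

def bulk_archive_vulnerable(conn: sqlite3.Connection, current_tenant: int,
                            ids: Iterable[int]) -> int:
    """IDOR: iterates the supplied ids and updates each with no per-item authorisation."""
    cur = conn.executemany("UPDATE items SET archived = 1 WHERE id = ?", [(i,) for i in ids])
    conn.commit()
    return cur.rowcount  # rows changed, other tenants' rows included


def bulk_archive(conn: sqlite3.Connection, current_tenant: int, ids: Iterable[int]) -> int:
    """Fixed, all-or-nothing: prove the caller owns every id, then update with the
    tenant predicate so the UPDATE cannot touch a foreign row even if the check races."""
    ids = sorted(set(ids))
    if not ids:
        return 0
    marks = ",".join("?" * len(ids))  # only '?' placeholders are interpolated, never values
    owned = conn.execute(
        f"SELECT COUNT(*) FROM items WHERE tenant_id = ? AND id IN ({marks})",
        (current_tenant, *ids),
    ).fetchone()[0]
    if owned != len(ids):
        raise Forbidden("request references rows outside the caller's tenant")
    cur = conn.execute(
        f"UPDATE items SET archived = 1 WHERE tenant_id = ? AND id IN ({marks})",
        (current_tenant, *ids),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    print("vulnerable cross-tenant read:", get_item_vulnerable(db, 100, 3))
    print("fixed cross-tenant read:     ", get_item(db, 100, 3))
    try:
        bulk_archive(db, 100, [1, 3])
    except Forbidden as exc:
        print("fixed bulk archive refused: ", exc)
    print("vulnerable bulk archive changed", bulk_archive_vulnerable(db, 100, [1, 3]), "rows")
```

The hardened read deliberately returns the same result for "not yours" and "does not exist"; distinguishing them turns the endpoint into an id oracle. The bulk handler checks ownership up front so a request mixing own and foreign ids fails as a unit instead of partially applying.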
