The Manipulator is a free and open-source CLI-based scanner for identifying parameter manipulation vulnerabilities, also known as Insecure Direct Object References (IDOR) or Authorization Bypass Through User-Controlled Key.
In other words, The Manipulator parses Burp logs for numeric parameters and tests each one for parameter manipulation flaws by submitting a range of similar but different numeric values and looking for differences in the responses.
Moreover, The Manipulator can parse a second Burp log (e.g. one captured from a different user) to identify parameter values that are potentially user-specific.
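As an added illustration of the two-log idea described above (this is not code from The Manipulator), the script below compares two users' request logs and reports the numeric parameters whose values differ between them; those are the candidate user-controlled keys whose server-side authorization checks deserve review. The log format, hostnames and values are a constructed simplification of a Burp log, not Burp's real export format.

```python
# Added example, not part of The Manipulator: compare two users' request logs
# and report numeric parameters whose values differ between the users. Those
# are the candidate user-controlled keys whose server-side authorization
# checks need review. The log format is a constructed simplification of a
# Burp log (request line, headers, blank line, optional body).
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample logs for two sessions of the same application.
LOG_USER_A = """\
GET /account/view?acct_id=10042&tab=2 HTTP/1.1
Host: example.test

POST /invoice/download HTTP/1.1
Host: example.test

inv=77015&format=1
"""
# User B's session: same requests, different account and invoice identifiers.
LOG_USER_B = LOG_USER_A.replace("10042", "10057").replace("77015", "77102")

REQ_LINE = re.compile(r"^(GET|POST|PUT|DELETE) (\S+) HTTP/1\.[01]$")
REQ_SPLIT = re.compile(r"\n(?=(?:GET|POST|PUT|DELETE) \S+ HTTP/)")


def numeric_params(log):
    """Map (method, path, param) -> value for every parameter in the query
    string or form body whose value is purely numeric."""
    found = {}
    for req in REQ_SPLIT.split(log.strip()):
        head, _, body = req.partition("\n\n")  # headers vs. optional body
        match = REQ_LINE.match(head.splitlines()[0])
        if not match:
            continue
        method, target = match.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query) + parse_qsl(body.strip()):
            if value.isdigit():
                found[(method, url.path, name)] = value
    return found


def user_specific_params(log_a, log_b):
    """Numeric parameters present in both logs whose values differ between
    the two users; constant ones (paging, format flags) are filtered out."""
    a, b = numeric_params(log_a), numeric_params(log_b)
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}


if __name__ == "__main__":
    for (method, path, name), vals in user_specific_params(LOG_USER_A, LOG_USER_B).items():
        print(f"{method} {path} {name}: user A={vals[0]} user B={vals[1]}")
```

Parameters that stay constant across users (here `tab` and `format`) are dropped, so only the identifiers that actually vary per user are listed for review.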
The Manipulator is cross-platform and it works on Mac OS X, Windows and Linux.
Detailed instructions on how to install and use The Manipulator utility on your Mac are available HERE.
Note: The Manipulator is beta, so don't use it in an environment that matters to you or anyone else. Also, don't use The Manipulator to scan hosts without the owner's permission.
Here are some key features of "The Manipulator":
· Support for automated detection and testing of numeric parameters in a range of locations
· Multi-burplog mode, where parameter values are sourced from a different Burp log
· Scan 'state' maintenance
· HTML format output with links/buttons to send Proof of Concept requests
What's New in This Release:
· Many improvements to UI and reporting stage.