idor-broken-object-authorization

Warn

Audited by Snyk on Apr 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This playbook explicitly instructs the tester/agent to fetch and read public third-party resources — e.g., "Read JS bundles," "Read API documentation (Swagger/OpenAPI)," and "Check source code if available (GitHub, JS bundles)" in the "How to Find Hidden Admin Endpoints" and "How to find hidden fields" sections — which requires ingesting untrusted web content that could carry indirect instructions affecting subsequent actions.

Issues (1)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 9, 2026, 05:41 AM
Issues: 1