IDOR : Step by Step guide to Account Takeover of Any User


360 Security

A step-by-step look at how I leveraged an IDOR in a profile-update feature to hijack user accounts

Ever stumbled upon a small flaw that could lead to something big? That is exactly what happened when I discovered an IDOR (Insecure Direct Object Reference) vulnerability in the profile update feature of an application. At first glance it seemed harmless: just two "IDs" exposed in an API request. But after a bit of digging, I realized this simple oversight could let anyone take over any user's account. In this post I'll walk you through how I found the bug, how it works, and why it is a serious security risk. Let's dive in!

First, I created two accounts: one as the victim and the other as the attacker.

Step 1) Here, you can see the victim's profile.
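The profile-update flaw described above, as an added example that is not part of the original post: a toy handler that trusts the user id in the request body (the IDOR) beside a hardened version that resolves the record from the authenticated session instead. The user ids, usernames and field names are constructed sample data.

```python
class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the referenced object."""


def make_users() -> dict:
    """Constructed in-memory user store, keyed by user id (sample data only)."""
    return {
        101: {"username": "victim", "email": "victim@example.invalid"},
        202: {"username": "attacker", "email": "attacker@example.invalid"},
    }


def update_profile_vulnerable(users: dict, session_user_id: int, body: dict) -> dict:
    """IDOR: the handler trusts the user_id carried in the request body.

    The session tells us who the caller is, but the code never compares it
    with body["user_id"], so any authenticated user can rewrite the profile
    of any other user simply by changing that number.
    """
    target = users[body["user_id"]]          # object reference taken from the client
    target["email"] = body["email"]
    return target


def update_profile_fixed(users: dict, session_user_id: int, body: dict) -> dict:
    """Hardened: the referenced object must belong to the authenticated caller."""
    if body.get("user_id") != session_user_id:
        # Reject and log; repeated mismatches from one session are a useful
        # detection signal for IDOR probing.
        raise Forbidden(f"session {session_user_id} may not edit user {body.get('user_id')}")
    target = users[session_user_id]          # resolve via the session, never the body
    target["email"] = body["email"]
    return target


def demo() -> dict:
    """Replay the post's scenario: attacker (202) submits the victim's id (101)."""
    malicious = {"user_id": 101, "email": "attacker-controlled@example.invalid"}
    vuln_store = make_users()
    update_profile_vulnerable(vuln_store, 202, malicious)   # victim's email overwritten
    fixed_store = make_users()
    try:
        update_profile_fixed(fixed_store, 202, malicious)
        blocked = False
    except Forbidden:
        blocked = True                                      # victim's record untouched
    return {"vulnerable_victim_email": vuln_store[101]["email"],
            "fixed_victim_email": fixed_store[101]["email"],
            "fixed_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The fix is the single ownership check plus resolving the record from the session; the body's id is never used to pick which row is written.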
