Insecure Direct Object References

2/ Authenticate First, Abuse Authorization Later

Log in with the username and password provided (tom-cat).

3/ Observing Differences & Behaviors

The fields that are not shown on the page are userId and role.

4/ Guessing & Predicting Patterns

Click submit and open the browser devtools (Network tab); you will see the request path:

Replace the alt-path with the userId from the previous challenge to solve this one:
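As an added example (not the lesson's own code), a minimal Python model of the profile endpoint from step 4 beside a hardened version: the flaw is that the server only authenticates the session and then trusts the userId in the path, and the fix is an object-level authorization check against the identity bound to the session. The session tokens, ids and profile data below are constructed.

```python
from typing import Dict, Optional, Tuple

# Constructed sample data (not the lesson's real ids): session token -> userId,
# and a profile store keyed by the same predictable numeric userId.
SESSIONS: Dict[str, str] = {"sess-tom": "1001", "sess-alice": "1002"}
PROFILES: Dict[str, dict] = {
    "1001": {"userId": "1001", "name": "Tom Cat", "role": "user"},
    "1002": {"userId": "1002", "name": "Alice", "role": "admin"},
}

Response = Tuple[int, Optional[dict]]   # (HTTP-style status, JSON body)


def caller_id(session: str) -> Optional[str]:
    """Authentication only: which userId is bound to this session, if any."""
    return SESSIONS.get(session)


def profile_insecure(session: str, user_id: str) -> Response:
    """Vulnerable handler for GET /profile/{userId}: it checks that *someone*
    is logged in, then trusts the userId taken from the path. Any
    authenticated user can read any profile just by changing the number."""
    if caller_id(session) is None:
        return 401, None
    body = PROFILES.get(user_id)
    return (200, body) if body else (404, None)


def is_authorized(session: str, user_id: str) -> bool:
    """Object-level authorization: the path id must match the identity bound
    to the session, unless the caller's stored role (not a client-supplied
    one) is admin."""
    me = caller_id(session)
    if me is None:
        return False
    return user_id == me or PROFILES[me]["role"] == "admin"


def profile_secure(session: str, user_id: str) -> Response:
    """Hardened handler: same route, but the session identity, never the
    path, decides whether this object may be returned. A 403 is returned
    before the lookup so the response does not reveal whether the id exists."""
    if caller_id(session) is None:
        return 401, None
    if not is_authorized(session, user_id):
        return 403, None          # authenticated, but not this user's object
    body = PROFILES.get(user_id)
    return (200, body) if body else (404, None)
```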

5/ Playing with the Patterns
