Insecure Direct Object References
2/ Authenticate First, Abuse Authorization Later
Log in with the credentials the lesson provides (username tom, password cat). Everything that follows happens as an authenticated user; the flaw is in authorization, not authentication.
3/ Observing Differences & Behaviors


Compare the profile page with the raw profile response in the network tab: the server returns two attributes that are never displayed on the page, userId and role. Hidden attributes like these are exactly what an IDOR lets you read or tamper with.
4/ Guessing & Predicting Patterns

Click Submit, then open DevTools > Network and inspect the request the page sends. Its path contains the userId, which is the pattern to predict:

Build the alternative path by replacing the last segment with the userId found in the previous step. Submitting that path solves the challenge:

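The three steps above (spot the attributes the server returns but never renders, predict the path pattern, request a profile by userId) as one runnable example. This is an added illustration, not the lesson's own code: the user store, the IDs 1001 and 1002, the rendered HTML and the `/profile/<id>` path shape are all constructed here; the lesson's real path and IDs are the ones you read from the network tab. The vulnerable handler trusts the ID in the URL; the hardened one beside it checks that the requested profile belongs to the session user.

```python
import re
from typing import Optional

# Constructed sample data standing in for the lesson's backend (IDs and
# names are made up for this example).
USERS = {
    1001: {"userId": 1001, "name": "Tom Cat", "color": "yellow", "size": "small", "role": 3},
    1002: {"userId": 1002, "name": "Buffalo Bill", "color": "brown", "size": "large", "role": 1},
}

# What the profile page renders for the logged-in user (constructed).
RENDERED_HTML = "<div>Name: Tom Cat</div><div>Color: yellow</div><div>Size: small</div>"

# Assumed path shape; the real one is whatever the network tab shows.
PROFILE_PATH = re.compile(r"^/profile/(\d+)$")


def hidden_fields(profile: dict, rendered: str) -> set:
    """Step 3: names of attributes present in the raw profile response whose
    values appear nowhere in the rendered page. A word-boundary match is a
    heuristic; short numeric values can still collide with unrelated text."""
    hidden = set()
    for key, value in profile.items():
        if not re.search(rf"\b{re.escape(str(value))}\b", rendered):
            hidden.add(key)
    return hidden


def alt_path(user_id: int) -> str:
    """Step 4: the predicted path with the last segment swapped for a userId."""
    return f"/profile/{user_id}"


def get_profile_vulnerable(path: str, session_user_id: int) -> Optional[dict]:
    """The IDOR: the handler authenticates (a session exists) but never checks
    that the requested userId belongs to the caller, so any user can read
    any profile just by changing the number in the path."""
    match = PROFILE_PATH.match(path)
    if not match:
        return None
    return USERS.get(int(match.group(1)))


def get_profile_secure(path: str, session_user_id: int) -> Optional[dict]:
    """Hardened form: same route, but the object is only returned when it is
    owned by the session user (a real app would respond 403 here)."""
    match = PROFILE_PATH.match(path)
    if not match:
        return None
    requested = int(match.group(1))
    if requested != session_user_id:
        return None
    return USERS.get(requested)


if __name__ == "__main__":
    me = 1001
    print("hidden attributes:", hidden_fields(USERS[me], RENDERED_HTML))
    print("vulnerable:", get_profile_vulnerable(alt_path(1002), me))
    print("secure:", get_profile_secure(alt_path(1002), me))
```

Running it shows userId and role as the hidden attributes, the vulnerable handler returning the other user's profile for the swapped path, and the hardened handler refusing it while still serving the session user's own profile.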
5/ Playing with the Patterns