Last updated 3 years ago
Hacker tip: when you’re looking for IDORs in a model that references another model, try storing IDs that don’t exist yet. I’ve seen a number of times now that, because the model can’t be found, the system will save the ID. (1/2)
Trick that allowed me to find many IDORs..
Hackers, minor cool insight that I gained some time ago and found a vulnerability with: when you're looking at an asset that may use a microservices architecture, look for IDOR vulnerabilities using path traversal. E.g. https://example/?id=1/../2. See thread.
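A defensive counterpart to the `id=1/../2` case above, as an added example that is not part of the original posts: it models a gateway that places the `id` parameter into an internal service path, and shows the naive concatenation next to a hardened version. The route `/internal/users/`, the decimal ID format, and the assumption that the backend normalizes dot segments are all hypothetical.

```python
import posixpath
import re
from urllib.parse import quote

INTERNAL_BASE = "/internal/users/"   # hypothetical internal route
ID_RE = re.compile(r"[0-9]{1,18}")   # assumed ID format: ASCII decimal integer


def naive_internal_path(raw_id: str) -> str:
    """Pattern to avoid: the raw parameter is pasted into the internal path."""
    return INTERNAL_BASE + raw_id


def downstream_view(path: str) -> str:
    """Models a backend that normalizes dot segments before routing (assumption)."""
    return posixpath.normpath(path)


def safe_internal_path(raw_id: str) -> str:
    """Validate against the expected ID format, then encode as a single segment."""
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("id is not a plain decimal identifier")
    return INTERNAL_BASE + quote(raw_id, safe="")


def authorize_and_route(raw_id: str, owned_ids: set) -> str:
    """Authorize on the same canonical value that is sent downstream."""
    path = safe_internal_path(raw_id)
    if raw_id not in owned_ids:
        raise PermissionError("caller does not own this object")
    return path


if __name__ == "__main__":
    # Constructed sample input, taken from the URL shape quoted in the post.
    sample = "1/../2"
    sent = naive_internal_path(sample)
    print("gateway sends :", sent)
    print("backend routes:", downstream_view(sent))
    try:
        safe_internal_path(sample)
    except ValueError as exc:
        print("hardened path :", exc)
```

The point of `authorize_and_route` is that the ownership check and the downstream request use one validated value, so the two services cannot disagree about which object is being addressed.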