July 3, 2026
Day 2 of Bug Hunting: Understanding IDOR & Broken Access Control

By Crazzzy_Sam
Yesterday was all about XSS. Today, I spent most of my time diving into IDOR (Insecure Direct Object References) and Broken Access Control through PortSwigger Academy.
I have to admit — I enjoyed today's learning much more.
Unlike some vulnerabilities that can feel very theoretical at first, access control issues immediately felt real. It's easy to imagine how a tiny mistake in authorization can expose someone else's data or even allow actions that should never be possible. That made every lab feel less like a puzzle and more like something I could actually encounter during real bug hunting.
I worked through a good number of labs today. Some were straightforward, while others forced me to stop, reread the scenario, and think like an attacker instead of a normal user. That's probably becoming my favorite part of this journey.
The only thing that tested my patience wasn't the vulnerability itself — it was constantly switching between Burp Suite and the browser.
Intercept.
Forward.
Modify.
Refresh.
Switch tabs.
Repeat.
After doing it dozens of times, it honestly became frustrating. More than once I thought, "There has to be an easier way."
But then I realized that's probably the point.
Those repetitive actions slowly start becoming muscle memory. Instead of struggling with the tool, you begin focusing on the application's behavior. I can already feel myself getting a little faster than I was yesterday.
One thing that stood out today was how dangerous Broken Access Control really is in production applications. It doesn't rely on fancy payloads or complex exploitation. Sometimes it's as simple as changing an ID in the URL or modifying a request and suddenly accessing something that was never meant to be yours.
That simplicity is exactly what makes it scary.
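As an added illustration of the ID swap described above (example code, not from this post or from the PortSwigger labs), here is a toy order-lookup handler in its vulnerable form beside the fixed one; the users, orders and function names are constructed for the example.

```python
# Added example, not part of the original post: a minimal model of IDOR.
# A GET /orders/<id> handler that trusts the client-supplied id alone,
# next to the same handler with the ownership check it was missing.
# All names and data below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: two users, each owning exactly one order.
ORDERS = {
    1001: {"owner": "alice", "item": "Leather jacket", "card_last4": "4242"},
    1002: {"owner": "bob", "item": "Running shoes", "card_last4": "9981"},
}


@dataclass(frozen=True)
class Session:
    user: str  # identity established at login; never taken from the URL or body


def get_order_vulnerable(session: Session, order_id: int) -> Tuple[int, Optional[dict]]:
    """Vulnerable: looks the record up by id and returns it to any logged-in user.
    Changing the number in the URL is enough to read someone else's order."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_fixed(session: Session, order_id: int) -> Tuple[int, Optional[dict]]:
    """Fixed: the record is returned only if the session's user owns it.
    Foreign ids get the same 404 as unknown ids, so the response does not
    confirm that an order with that number exists."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session.user:
        return 404, None
    return 200, order


if __name__ == "__main__":
    bob = Session(user="bob")
    # bob edits the id in the URL from his own 1002 to alice's 1001
    print(get_order_vulnerable(bob, 1001))  # leaks alice's order
    print(get_order_fixed(bob, 1001))       # (404, None)
    print(get_order_fixed(bob, 1002))       # bob's own order still works
```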
I'm also starting to notice that bug hunting isn't just about learning vulnerabilities. It's about learning how developers think, how applications are structured, and where assumptions are made. Every solved lab feels like another small piece of that puzzle.
There were moments of frustration today, but they were balanced by those satisfying moments when a lab finally clicked and the solution made perfect sense.
So Day 2 ends with:
- A much better understanding of IDOR and Broken Access Control.
- More confidence using Burp Suite.
- A little less frustration than yesterday.
- A reminder that real progress often feels slow while it's happening.
Still a long journey ahead, but I'm genuinely enjoying the process.