It's $500 for a single IDOR, so let's get to the point!
After spending some time on the application in Example, I created a new Example and tried to create, read, update, and delete for another user by simply changing the Example ID to another one!
CREATE -> 403 Forbidden
UPDATE -> 403 Forbidden
DELETE -> 403 Forbidden

READ -> 200 OK
GET /api/Exable/{example_uuid}

My dopamine 📈
So I reported it. The ID is a UUIDv4, and I thought maybe it would be low severity, but wow — amazing program! It was medium and I got $500.
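To make the pattern above concrete, here is an added example (not code from the writeup or from the affected application) of a toy backend for a `/api/.../{example_uuid}` resource: update and delete run an ownership check and return 403, while the read path skips it and returns 200 to any authenticated user who knows the UUID, exactly as the author observed. The `ExampleService`, `Example` dataclass and the in-memory store are all constructed for this illustration; `read_fixed` shows the fix, which is simply routing reads through the same object-level check as the other operations rather than relying on UUIDv4 unguessability.

```python
import uuid
from dataclasses import dataclass, field

@dataclass
class Example:
    id: str
    owner: str
    data: dict = field(default_factory=dict)

class ExampleService:
    def __init__(self):
        self.store = {}  # constructed in-memory backend for the toy API

    def _authorize(self, requester, example_id):
        """Object-level check that every operation must go through."""
        ex = self.store.get(example_id)
        if ex is None:
            return 404, None
        if ex.owner != requester:
            return 403, None  # returning 404 here would also hide existence
        return 200, ex

    def create(self, requester, data):
        ex = Example(str(uuid.uuid4()), requester, data)
        self.store[ex.id] = ex
        return 201, ex.id

    def update(self, requester, example_id, data):
        status, ex = self._authorize(requester, example_id)
        if status == 200:
            ex.data = data
        return status

    def delete(self, requester, example_id):
        status, _ = self._authorize(requester, example_id)
        if status == 200:
            del self.store[example_id]
        return status

    def read_vulnerable(self, requester, example_id):
        # The IDOR from the writeup: the read path skips _authorize, so any
        # authenticated user who learns the UUIDv4 gets 200 OK. `requester` is unused.
        ex = self.store.get(example_id)
        return (404, None) if ex is None else (200, ex.data)

    def read_fixed(self, requester, example_id):
        # Fix: reads use the same ownership check as update and delete.
        status, ex = self._authorize(requester, example_id)
        return status, (ex.data if status == 200 else None)
```

A regression test for this class of bug is the same for every handler: create a resource as one user, then call each operation on it as a second user and assert that read, update and delete all deny.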


Thank you for reading! I hope this is helpful!