IDOR on API endpoints.

Hey guys,

I’m here to share a recent finding on a website, which prompted me to write my first post. I cannot disclose the company’s name because of a Non-Disclosure Agreement (NDA), so I’ll be using for references.



I found that one API endpoint enforced no access control on the object being modified (Broken Access Control, specifically an Insecure Direct Object Reference). The server looked the record up by the ID supplied in the request without checking that it belonged to the logged-in user, which allowed me to edit or delete the work experience and educational details of any user without their permission.
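To make the flaw concrete, here is an added example that is not code from the original post or from the affected company: a minimal in-memory model of an "edit work experience" handler, written once with the client-supplied record ID trusted as-is (the IDOR pattern described above) and once with an object-level ownership check derived from the server-side session. The user names, record IDs and the `probe` helper that enumerates IDs the way a tester would are all hypothetical.

```python
# Added example, not the original post's code. Users, IDs and titles are constructed.
from dataclasses import dataclass


@dataclass
class Experience:
    id: int
    owner: str  # username that created the record
    title: str


# Constructed sample data: two users, each owning one work-experience record.
EXPERIENCES = {
    101: Experience(id=101, owner="alice", title="Engineer at ExampleCo"),
    102: Experience(id=102, owner="bob", title="Analyst at SampleCorp"),
}


class Forbidden(Exception):
    """Raised when the caller may not touch the requested record."""


def update_experience_vulnerable(session_user, record_id, new_title):
    """IDOR: the record is fetched by the ID from the request alone.

    `session_user` is available but never consulted, so any authenticated
    user can modify any record just by changing the ID in the request.
    """
    record = EXPERIENCES[record_id]  # KeyError if the ID does not exist
    record.title = new_title
    return record


def update_experience_fixed(session_user, record_id, new_title):
    """Object-level authorization: ownership is checked against the session.

    The caller identity comes from the server-side session, never from the
    request body, and "not found" and "not yours" return the same error so
    the endpoint does not confirm which IDs exist.
    """
    record = EXPERIENCES.get(record_id)
    if record is None or record.owner != session_user:
        raise Forbidden("record not found or not owned by caller")
    record.title = new_title
    return record


def probe(handler, session_user, candidate_ids):
    """Replay the tester's workflow: as one user, try to edit every candidate
    record ID and return the IDs the handler let us modify."""
    modified = []
    for record_id in candidate_ids:
        try:
            handler(session_user, record_id, "edited by " + session_user)
        except (Forbidden, KeyError):
            continue
        modified.append(record_id)
    return modified


if __name__ == "__main__":
    # Logged in as "bob", try both records against each handler.
    print("vulnerable:", probe(update_experience_vulnerable, "bob", [101, 102]))
    print("fixed:     ", probe(update_experience_fixed, "bob", [101, 102]))
```

With the vulnerable handler, bob can edit alice's record 101 as well as his own; with the fixed handler only 102 succeeds. The same ownership check belongs on the delete endpoint and on every other route that accepts an object ID, since an IDOR is usually repeated across all CRUD operations on a resource.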