An individual shares their experience of finding and exploiting an Insecure Direct Object Reference (IDOR) on a target website.
They began hunting on the site by conducting subdomain enumeration and reconnaissance.
They discovered a payment form that required authentication, and upon examining the request, they found an ID parameter.
By modifying the ID parameter and sending the request to the server, they were able to hijack the payment and redirect it to their own server.
The individual emphasizes the importance of proactive hunting on websites and not giving up too quickly when targets don’t appear vulnerable.
They also highlight the value of analyzing historical requests and staying observant, even when no vulnerabilities are initially found.
The success of this approach underscores the significance of thorough vulnerability testing and the potential dangers of IDORs when they are overlooked.