Anna Bacher

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR

What if changing one number in a URL could expose 885 million documents? Learn how to find and fix this common vulnerability before attackers do.

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
#1about 5 minutes

Understanding the IDOR vulnerability and its impact

IDOR (Insecure Direct Object Reference) is an OWASP Top 10 vulnerability that can lead to data leaks, account takeovers, and system crashes.

#2about 3 minutes

How a simple IDOR flaw caused a massive data breach

The First American Financial Corporation breach leaked 885 million documents because attackers could simply change a number in a URL to access unauthorized files.

#3about 15 minutes

A practical demonstration of exploiting IDOR vulnerabilities

Using Burp Suite and OWASP Juice Shop, an attacker can intercept requests to change basket IDs or modify other users' product reviews.

#4about 3 minutes

Examining IDOR vulnerabilities in major companies

Real-world examples from HackerOne show how IDOR vulnerabilities in companies like PayPal and Starbucks can lead to account takeovers and payment data exposure.

#5about 10 minutes

Why IDOR is difficult to prevent and tools that can help

Preventing IDOR is challenging because it requires manual access control checks, but tools like Code Property Graphs (CPG) and GitHub's CodeQL can help automate detection.

#6about 5 minutes

Using neural networks for advanced IDOR detection

By combining Code Property Graphs with neural networks, it's possible to detect IDOR vulnerabilities with higher accuracy and even generate automated code fixes.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Videos

See all videos
The attacker's footprint2:08:06

The attacker's footprint

Antonio de Mello & Amine Abed

Getting under the skin: The Social Engineering techniques43:56

Getting under the skin: The Social Engineering techniques

Mauro Verderosa

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Cyber Security: Small, and Large!37:32

Cyber Security: Small, and Large!

Martin Schmiedecker

Securing Your Web Application Pipeline From Intruders44:30

Securing Your Web Application Pipeline From Intruders

Milecia McGregor

You can’t hack what you can’t see29:34

You can’t hack what you can’t see

Reto Kaeser

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Security Pitfalls for Software Engineers27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

From learning to earning

Jobs that call for the skills explored in this talk.

AI Engineer Security

Paradigma Digital
Municipality of Madrid, Spain

API
Azure
Python
FastAPI
Computer Vision
+3

Penetration Tester

Investigo Limited
Wokingham, United Kingdom

130-136K
API
Bash
NMap
Python
+5