How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
What if changing one number in a URL could expose 885 million documents? Learn how to find and fix this common vulnerability before attackers do.
#1about 5 minutes
Understanding the IDOR vulnerability and its impact
IDOR (Insecure Direct Object Reference) is an OWASP Top 10 vulnerability that can lead to data leaks, account takeovers, and system crashes.
#2about 3 minutes
How a simple IDOR flaw caused a massive data breach
The First American Financial Corporation breach leaked 885 million documents because attackers could simply change a number in a URL to access unauthorized files.
#3about 15 minutes
A practical demonstration of exploiting IDOR vulnerabilities
Using Burp Suite and OWASP Juice Shop, an attacker can intercept requests to change basket IDs or modify other users' product reviews.
#4about 3 minutes
Examining IDOR vulnerabilities in major companies
Real-world examples from HackerOne show how IDOR vulnerabilities in companies like PayPal and Starbucks can lead to account takeovers and payment data exposure.
#5about 10 minutes
Why IDOR is difficult to prevent and tools that can help
Preventing IDOR is challenging because it requires manual access control checks, but tools like Code Property Graphs (CPG) and GitHub's CodeQL can help automate detection.
#6about 5 minutes
Using neural networks for advanced IDOR detection
By combining Code Property Graphs with neural networks, it's possible to detect IDOR vulnerabilities with higher accuracy and even generate automated code fixes.
Related jobs
Jobs that call for the skills explored in this talk.
Dev Digest 214: Claude Is Leaking, GitHub Is Listening & Axios Hacked!Inside last week’s Dev Digest 214 .
🕵️ Claude source code leaked, analysed and re-written in 2 days
🐙 GitHub auto-opts users into feeding their code to train their AI
🌐 Pretext shows how to show complex text rendering in the browser
🤖 How to securin...
Chris Heilmann
Dev Digest 129 - Now that's what I call private data!News and ArticlesAfter declaring Google a monopoly there are now considerations to force it to break up - isn't that what the whole Alphabet thing was about? In the last act of Crowdstrike coverage here, they released a deep analysis of the outage th...
Daniel Cranney
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI Inside last week’s Dev Digest 198 .
🎂 30 years of JavaScript
⏰ How long is a JavaScript second
💻 Clean code in Angular
🤦♂️ AI makes different mistakes than humans
👨💻 In-browser and offline AI
🟠 Undocumented Hacker News features
🐋 DeepSeek censored...
Daniel Cranney
The Overflow: 5 Security and Privacy Tools for DevelopersWe’re back again with another edition of the Overflow, where we share some of the best tools we’ve found from around the web that we just couldn’t cram into the already jam-packed editions of the Dev Digest.
So let’s take a look at five security and ...
From learning to earning
Jobs that call for the skills explored in this talk.
26:28
2:08:06
43:56
37:32
44:30
58:19
37:36
27:32
