Skip to main content

Resources

  1. https://portswigger.net/web-security/access-control
  2. https://blog.detectify.com/2016/07/13/owasp-top-10-missing-function-level-access-control-7/
  3. https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_%28en%29.pdf.pdf
  4. https://owasp.org/www-community/Broken_Access_Control
  5. https://github.com/globocom/secDevLabs/tree/master/owasp-top10-2017-apps/a5/ecommerce-api
  6. https://github.com/globocom/secDevLabs/tree/master/owasp-top10-2017-apps/a5/tictactoe
  7. https://owasp.org/Top10/A01_2021-Broken_Access_Control/
  8. https://avatao.com/blog-broken-access-control/
  9. https://www.prplbx.com/resources/blog/broken-access-control/
  10. https://github-wiki-see.page/m/Muamaidbengt/juice-shop/wiki/Lab-04-Broken-Access-Control
  11. https://www.youtube.com/watch?v=94-tlOCApOc&t=5s
  12. https://book.hacktricks.xyz/pentesting-web/idor
  13. https://medium.com/@aysebilgegunduz/everything-you-need-to-know-about-idor-insecure-direct-object-references-375f83e03a87
  14. https://portswigger.net/web-security/access-control/idor
  15. https://thehackerish.com/idor-tutorial-hands-on-owasp-top-10-training/
  16. https://hackerone.com/reports/1085782 [An interesting report on an IDOR disclosing critical PII]
  17. https://medium.com/@gulprit_singh/account-takeover-through-idor-2e4a7882c334
  18. https://payatu.com/blog/prateek.thakare/broken-access-control
  19. https://galnagli.com/Samsung_Exposure/
  20. https://infosecwriteups.com/dank-writeup-on-broken-access-control-on-an-indian-startup-d29132a1ecd