IDOR Leads to ATO

  • While proxying the traffic through Burp Suite, I looked at some functions, such as the change-password feature.

  • I noticed the part that contains the username, but I couldn't edit the username there.

  • After sending a correct request, the password was changed successfully.

  • In Burp, the request was a simple API request with the parameters username and newpassword.

  • So I edited the username parameter to another user's username, and it worked: I changed the other user's password.
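The root cause described above is that the endpoint takes the account to act on from the request body (username) instead of from the authenticated session. The following Python model is an added example, not code from the original write-up or from the affected application: it puts the vulnerable handler next to a fixed one and replays the same parameter tampering against both. The in-memory user store, the account names and the response shape are assumptions; only the parameter names username and newpassword come from the write-up.

```python
# Added example (not from the original write-up): a minimal model of the
# change-password endpoint, with the IDOR-vulnerable handler beside a fixed one.
# The user store, account names and response format are assumptions.
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, password hash).
_USERS = {}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash(password, salt))


def verify(username: str, password: str) -> bool:
    rec = _USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(password, salt))


def change_password_vulnerable(session_user: str, body: dict) -> dict:
    """Trusts the client-supplied 'username' parameter (the IDOR from the write-up).
    Any authenticated user can reset any other account's password."""
    target = body["username"]  # attacker-controlled, never checked against the session
    if target not in _USERS:
        return {"status": 404}
    salt = os.urandom(16)
    _USERS[target] = (salt, _hash(body["newpassword"], salt))
    return {"status": 200, "changed": target}


def change_password_fixed(session_user: str, body: dict) -> dict:
    """Binds the operation to the authenticated identity. A 'username' in the body
    is compared against the session; a mismatch is rejected and surfaced for
    alerting instead of being honoured."""
    if session_user not in _USERS:
        return {"status": 401}
    if "username" in body and body["username"] != session_user:
        # Detection hook: a session/body identity mismatch is exactly the tampering
        # done in a proxy, so it is worth logging and alerting on, not just refusing.
        return {
            "status": 403,
            "alert": f"identity mismatch: session={session_user} body={body['username']}",
        }
    salt = os.urandom(16)
    _USERS[session_user] = (salt, _hash(body["newpassword"], salt))
    return {"status": 200, "changed": session_user}


def demo() -> dict:
    """Replays the write-up's tampering against both handlers and reports the outcome."""
    _USERS.clear()
    add_user("attacker", "attacker-pw")
    add_user("victim", "victim-pw")
    # The edited request: logged in as 'attacker', body names 'victim'.
    tampered = {"username": "victim", "newpassword": "pwned"}

    vuln = change_password_vulnerable("attacker", tampered)
    victim_taken_over = verify("victim", "pwned")

    add_user("victim", "victim-pw")  # reset the victim for the second run
    fixed = change_password_fixed("attacker", tampered)
    victim_safe = verify("victim", "victim-pw") and not verify("victim", "pwned")
    return {
        "vuln_status": vuln["status"],
        "victim_taken_over": victim_taken_over,
        "fixed_status": fixed["status"],
        "victim_safe": victim_safe,
    }


if __name__ == "__main__":
    print(demo())
```

The fix is not "validate the username harder": the account to modify must be derived from the session (or token) on the server side, and the client-supplied field should at most be cross-checked. Requiring the current password on this endpoint would be a further defence against session hijacking, but it does not replace the identity binding shown here.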
