Anna Bacher

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR

What if changing one number in a URL could expose 885 million documents? Learn how to find and fix this common vulnerability before attackers do.

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
#1about 5 minutes

Understanding the IDOR vulnerability and its impact

IDOR (Insecure Direct Object Reference) is an OWASP Top 10 vulnerability that can lead to data leaks, account takeovers, and system crashes.

#2about 3 minutes

How a simple IDOR flaw caused a massive data breach

The First American Financial Corporation breach leaked 885 million documents because attackers could simply change a number in a URL to access unauthorized files.

#3about 15 minutes

A practical demonstration of exploiting IDOR vulnerabilities

Using Burp Suite and OWASP Juice Shop, an attacker can intercept requests to change basket IDs or modify other users' product reviews.

#4about 3 minutes

Examining IDOR vulnerabilities in major companies

Real-world examples from HackerOne show how IDOR vulnerabilities in companies like PayPal and Starbucks can lead to account takeovers and payment data exposure.

#5about 10 minutes

Why IDOR is difficult to prevent and tools that can help

Preventing IDOR is challenging because it requires manual access control checks, but tools like Code Property Graphs (CPG) and GitHub's CodeQL can help automate detection.

#6about 5 minutes

Using neural networks for advanced IDOR detection

By combining Code Property Graphs with neural networks, it's possible to detect IDOR vulnerabilities with higher accuracy and even generate automated code fixes.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Exploring recent AI incidents and creative developer hacks
06:44 MIN

Exploring recent AI incidents and creative developer hacks

WeAreDevelopers LIVE - SpeculAItions

Preventing broken object level authorization vulnerabilities
02:15 MIN

Preventing broken object level authorization vulnerabilities

Bullet-Proof APIs: The OWASP API Security Top Ten

Common security failures beyond individual coding errors
03:27 MIN

Common security failures beyond individual coding errors

Maturity assessment for technicians or how I learned to love OWASP SAMM

Focusing on key OWASP Top 10 risks for developers
02:39 MIN

Focusing on key OWASP Top 10 risks for developers

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue

Common web application threats like injection and DoS
02:52 MIN

Common web application threats like injection and DoS

Security in modern Web Applications - OWASP to the rescue!

Understanding recent infrastructure and code vulnerabilities
04:06 MIN

Understanding recent infrastructure and code vulnerabilities

WeAreDevelopers LIVE – AI vs the Web & AI in Browsers

Why developers make basic cybersecurity mistakes
02:26 MIN

Why developers make basic cybersecurity mistakes

Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes

Focusing on the top three OWASP security threats
04:01 MIN

Focusing on the top three OWASP security threats

It's a (testing) trap! - Common testing pitfalls and how to solve them

Featured Partners

Related Videos

See all videos
Security Blindspots and How to Learn About Them - Anna Oliveira26:28

Security Blindspots and How to Learn About Them - Anna Oliveira

Anna Oliveira

The attacker's footprint2:08:06

The attacker's footprint

Antonio de Mello & Amine Abed

Getting under the skin: The Social Engineering techniques43:56

Getting under the skin: The Social Engineering techniques

Mauro Verderosa

Cyber Security: Small, and Large!37:32

Cyber Security: Small, and Large!

Martin Schmiedecker

Securing Your Web Application Pipeline From Intruders44:30

Securing Your Web Application Pipeline From Intruders

Milecia McGregor

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Security Pitfalls for Software Engineers27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

Related Articles

View all articles
DC
Daniel Cranney
Dev Digest 211: Securing Agents, Top AI Apps and Lost Readers…
Inside last week’s Dev Digest 211 . 🏗️ Can the infrastructure keep up with AI growth? 📱 Top 100 GenAI consumer apps 🪱 Wikipedia hit by worm and AI slop 🔍 The results of Codex Security scanning 1.2M commits 🧹 Bye bye innerHTML, welcome setHTML() 🔄 Cl...
Dev Digest 211: Securing Agents, Top AI Apps and Lost Readers…
CH
Chris Heilmann
Dev Digest 129 - Now that's what I call private data!
News and ArticlesAfter declaring Google a monopoly there are now considerations to force it to break up - isn't that what the whole Alphabet thing was about? In the last act of Crowdstrike coverage here, they released a deep analysis of the outage th...
Dev Digest 129 - Now that's what I call private data!
DC
Daniel Cranney
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
Inside last week’s Dev Digest 198 . 🎂 30 years of JavaScript ⏰ How long is a JavaScript second 💻 Clean code in Angular 🤦‍♂️ AI makes different mistakes than humans 👨‍💻 In-browser and offline AI 🟠 Undocumented Hacker News features 🐋 DeepSeek censored...
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
DC
Daniel Cranney
Dev Digest 194: AI vs. Version Control, Password Louvre & Cursed Webdev
Inside last week’s Dev Digest 194 . 🧠 Learn how to become an AI-native software engineer 🤷‍♂️ How can you stand out when anyone can build anything? 👂 Whisper Leak allows listening to encrypted chats 🐝 What’s new the OWASP2025 Top Ten List 🙅‍♀️ Curse...
Dev Digest 194: AI vs. Version Control, Password Louvre & Cursed Webdev

From learning to earning

Jobs that call for the skills explored in this talk.