Anna Bacher

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR

What if changing one number in a URL could expose 885 million documents? Learn how to find and fix this common vulnerability before attackers do.

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
#1about 5 minutes

Understanding the IDOR vulnerability and its impact

IDOR (Insecure Direct Object Reference) is an OWASP Top 10 vulnerability that can lead to data leaks, account takeovers, and system crashes.

#2about 3 minutes

How a simple IDOR flaw caused a massive data breach

The First American Financial Corporation breach leaked 885 million documents because attackers could simply change a number in a URL to access unauthorized files.

#3about 15 minutes

A practical demonstration of exploiting IDOR vulnerabilities

Using Burp Suite and OWASP Juice Shop, an attacker can intercept requests to change basket IDs or modify other users' product reviews.

#4about 3 minutes

Examining IDOR vulnerabilities in major companies

Real-world examples from HackerOne show how IDOR vulnerabilities in companies like PayPal and Starbucks can lead to account takeovers and payment data exposure.

#5about 10 minutes

Why IDOR is difficult to prevent and tools that can help

Preventing IDOR is challenging because it requires manual access control checks, but tools like Code Property Graphs (CPG) and GitHub's CodeQL can help automate detection.

#6about 5 minutes

Using neural networks for advanced IDOR detection

By combining Code Property Graphs with neural networks, it's possible to detect IDOR vulnerabilities with higher accuracy and even generate automated code fixes.

Related jobs
Jobs that call for the skills explored in this talk.

d

Saby Company
Delebio, Italy

Junior

job ad

Saby Company
Delebio, Italy

Intermediate

Matching moments

Preventing broken object level authorization vulnerabilities
01:38 MIN

Preventing broken object level authorization vulnerabilities

Bullet-Proof APIs: The OWASP API Security Top Ten

Focusing on key OWASP Top 10 risks for developers
04:13 MIN

Focusing on key OWASP Top 10 risks for developers

Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue

Common security failures beyond individual coding errors
05:28 MIN

Common security failures beyond individual coding errors

Maturity assessment for technicians or how I learned to love OWASP SAMM

Common web application threats like injection and DoS
07:33 MIN

Common web application threats like injection and DoS

Security in modern Web Applications - OWASP to the rescue!

Why developers make basic cybersecurity mistakes
00:28 MIN

Why developers make basic cybersecurity mistakes

Don't Be A Naive Developer: How To Avoid Basic Cybersecurity Mistakes

Why developers are a prime target for attackers
00:03 MIN

Why developers are a prime target for attackers

You click, you lose: a practical look at VSCode's security

Focusing on the top three OWASP security threats
05:11 MIN

Focusing on the top three OWASP security threats

It's a (testing) trap! - Common testing pitfalls and how to solve them

Hands-on security training for developers
14:17 MIN

Hands-on security training for developers

How GitHub secures open source

Featured Partners

Related Videos

See all videos
Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Programming secure C#/.NET Applications: Dos & Don'ts33:29

Programming secure C#/.NET Applications: Dos & Don'ts

Sebastian Leuer

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Security Pitfalls for Software Engineers27:32

Security Pitfalls for Software Engineers

Jasmin Azemović

The attacker's footprint2:08:06

The attacker's footprint

Antonio de Mello & Amine Abed

Can Machines Dream of Secure Code? Emerging AI Security Risks in LLM-driven Developer Tools35:37

Can Machines Dream of Secure Code? Emerging AI Security Risks in LLM-driven Developer Tools

Liran Tal

Stranger Danger: Your Java Attack Surface Just Got Bigger1:58:59

Stranger Danger: Your Java Attack Surface Just Got Bigger

Vandana Verma Sehgal

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 129 - Now that's what I call private data!
News and ArticlesAfter declaring Google a monopoly there are now considerations to force it to break up - isn't that what the whole Alphabet thing was about? In the last act of Crowdstrike coverage here, they released a deep analysis of the outage th...
Dev Digest 129 - Now that's what I call private data!
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
CH
Chris Heilmann
Dev Digest 116 - WWWAI?
This time, learn how to un-AI Google's search results, what's new on the web, avoid a new security hole and go back to BASICS with us. News and ArticlesWhat a week. Google, Microsoft, OpenAI and many others had their big flagship events announcing th...
Dev Digest 116 - WWWAI?
CH
Chris Heilmann
Dev Digest 112 - The True Crime of AI Development
In last Friday's Dev Digest, we had some great AI news, some worrying security threats and a swipe-aware game in CSS with explanations! News and ArticlesLet's kick off with some AI news. Netflix caused a stir with AI-generated images in a true crime ...
Dev Digest 112 - The True Crime of AI Development

From learning to earning

Jobs that call for the skills explored in this talk.