This is a starter/example post. Replace it with your real writeup.
During a private engagement I found what looked like a low-severity IDOR on an order-details endpoint. On its own it leaked another tenant's order metadata — annoying, but not critical.
The chain
- The
idparameter accepted any order ID with no ownership check. - Order objects embedded the customer's password-reset token.
- That token could be replayed against the public reset endpoint.
Chained together, a "low" became a full account takeover for any user whose order ID I could guess or enumerate.
Takeaways
- Always test what data an IDOR exposes, not just that it exists.
- Reset tokens should never be embedded in unrelated objects.
- Severity is about impact of the chain, not the single bug.