Anna Bacher

How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR

What if changing one number in a URL could expose 885 million documents? Learn how to find and fix this common vulnerability before attackers do.

#1 (about 5 minutes)

Understanding the IDOR vulnerability and its impact

IDOR (Insecure Direct Object Reference) is a Broken Access Control weakness from the OWASP Top 10: the application exposes a direct reference to an internal object (a file, record or account ID) without verifying that the caller is allowed to use it, which can lead to data leaks, account takeovers, and system crashes.

#2 (about 3 minutes)

How a simple IDOR flaw caused a massive data breach

The First American Financial Corporation breach leaked 885 million documents because attackers could simply change a number in a URL to access unauthorized files.

#3 (about 15 minutes)

A practical demonstration of exploiting IDOR vulnerabilities

Using Burp Suite and OWASP Juice Shop, an attacker can intercept requests to change basket IDs or modify other users' product reviews.

#4 (about 3 minutes)

Examining IDOR vulnerabilities in major companies

Real-world examples from HackerOne show how IDOR vulnerabilities in companies like PayPal and Starbucks can lead to account takeovers and payment data exposure.

#5 (about 10 minutes)

Why IDOR is difficult to prevent and tools that can help

Preventing IDOR is challenging because every object lookup needs an explicit, hand-written authorization check tied to the authenticated user, and a single missing check is enough; static analysis tools such as Code Property Graphs (CPG) and GitHub's CodeQL can help automate detection of lookups that lack one.

#6 (about 5 minutes)

Using neural networks for advanced IDOR detection

By combining Code Property Graphs with neural networks, it's possible to detect IDOR vulnerabilities with higher accuracy and even generate automated code fixes.
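To make the pattern from chapters #2 and #5 concrete, here is an added example (not code from the talk, from OWASP Juice Shop, or from the breach in question) of a document-download handler with the IDOR flaw beside its fixed form. The in-memory document store, user IDs and handler names are constructed for illustration.

```javascript
// Constructed in-memory "database": documents keyed by a sequential id,
// exactly the kind of predictable reference an attacker can step through.
const documents = new Map([
  [1001, { ownerId: "alice", title: "alice-mortgage-closing.pdf" }],
  [1002, { ownerId: "bob", title: "bob-title-deed.pdf" }],
]);

// Vulnerable handler: it confirms the caller is logged in, then trusts the
// id taken from the URL. Nothing ties the document to the caller, so any
// authenticated user can change the number and read someone else's file.
function getDocumentVulnerable(sessionUser, requestedId) {
  if (!sessionUser) return { status: 401 };
  const doc = documents.get(Number(requestedId));
  if (!doc) return { status: 404 };
  return { status: 200, body: doc };
}

// Fixed handler: the ownership check is part of the lookup itself, so the
// object is resolved relative to the authenticated user. A document that
// exists but belongs to someone else is reported like a missing one, which
// also avoids leaking valid ids through a 403-vs-404 difference.
function getDocumentSecure(sessionUser, requestedId) {
  if (!sessionUser) return { status: 401 };
  const id = Number(requestedId);
  if (!Number.isInteger(id)) return { status: 400 };
  const doc = documents.get(id);
  if (!doc || doc.ownerId !== sessionUser.id) return { status: 404 };
  return { status: 200, body: doc };
}

// Run the same request through both handlers, the way an access-control
// regression test would, and return the two status codes side by side.
function compare(sessionUser, requestedId) {
  return {
    vulnerable: getDocumentVulnerable(sessionUser, requestedId).status,
    secure: getDocumentSecure(sessionUser, requestedId).status,
  };
}

// alice asks for her own file, then simply increments the id.
console.log(compare({ id: "alice" }, "1001")); // { vulnerable: 200, secure: 200 }
console.log(compare({ id: "alice" }, "1002")); // { vulnerable: 200, secure: 404 }
```

The second line of output is the whole vulnerability: the vulnerable handler serves bob's document to alice, while the fixed one treats it as not found.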
