Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The difference #2

Closed
netwons opened this issue Nov 1, 2021 · 3 comments
Closed

The difference #2

netwons opened this issue Nov 1, 2021 · 3 comments

Comments

@netwons
Copy link

netwons commented Nov 1, 2021

The difference both of them

check if the password change endpoint is vulnerable to IDOR

check if the password reset endpoint vulnerable to IDOR
@aufzayed
Copy link
Owner

aufzayed commented Nov 1, 2021

password reset: when you forget your password and want to change it, the application sends a token or OTP to your email, then you use it to reset your password, you may find that the endpoint is relying on your ID or email address and vulnerable to IDOR
password change: when you are logged in, you can change your email or password or any other info, you may find that the endpoint is relying on your ID and vulnerable to IDOR

@netwons
Copy link
Author

netwons commented Nov 1, 2021

im not understand

@aufzayed
Copy link
Owner

aufzayed commented Nov 1, 2021

password change example: https://rohit443.medium.com/idor-on-password-change-to-full-account-takeover-4d96b9f7f9f0

password reset example: https://medium.com/@swapmaurya20/a-simple-idor-to-account-takeover-88b8a1d2ec24

@aufzayed aufzayed closed this as completed Nov 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@netwons @aufzayed