
Autorize & IDOR: How a Simple Token Swap Exposed Sensitive Data

hackersatty
4 min read · 2 days ago

About Me

Hi everyone! My name is Satyam Pawale, also known as @hackersatty in the bug bounty world. I started bug hunting in 2024 and have been passionate about finding security vulnerabilities ever since.

This blog is meant to share my experience and help others learn from it. If you like it or have any feedback, feel free to drop a comment below. Let’s get started!

Read the full article here if you don't have a membership: LINK

Introduction

In this report, we detail a critical Insecure Direct Object Reference (IDOR) vulnerability that allowed unauthorized users to access restricted data on a web application. The issue is high risk because improper access controls exposed sensitive user details to anyone holding a valid low-privilege session.

Using Burp Suite's Autorize extension, we identified and confirmed the vulnerability: the API and GraphQL endpoints did not validate the caller's role or ownership of the requested object, so a low-privilege user could retrieve restricted information simply by replaying a privileged request with their own token. This article provides an impact analysis, detailed steps for using Autorize, and recommended mitigations to prevent this class of unauthorized access.

Understanding Autorize and Its Role in Finding IDOR

What is Autorize?

Autorize is a Burp Suite extension designed to detect authorization flaws by automatically…
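The core of what Autorize does is a token swap: every request you make as a high-privilege user is replayed with a low-privilege user's Authorization header, and the two responses are compared. The script below is an added example written for this post and is not Autorize's own code or the target application's. It re-implements that replay-and-compare loop offline against a constructed in-memory mock of an API with both a REST path and a GraphQL query; the endpoint paths, tokens, user records and response bodies are all hypothetical. It also shows the same endpoint with an object-level ownership check added, which is the fix the report recommends.

```python
"""
Added example (not from the original post or from Autorize): a minimal
token-swap authorization check, run against a constructed mock API.
Everything below (paths, tokens, records) is hypothetical sample data.
"""
import json
from dataclasses import dataclass

# Constructed bearer tokens mapped to the user they authenticate (hypothetical).
TOKENS = {"tok-alice-admin": "alice", "tok-bob-user": "bob"}
ADMINS = {"alice"}

# Constructed records; only the owner or an admin should be able to read one.
RECORDS = {
    1: {"owner": "alice", "email": "alice@example.com", "role": "admin"},
    2: {"owner": "bob", "email": "bob@example.com", "role": "user"},
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: str = ""


@dataclass
class Response:
    status: int
    body: str


def _caller(req: Request):
    """Resolve the Authorization header to a user, or None if unauthenticated."""
    token = req.headers.get("Authorization", "").removeprefix("Bearer ")
    return TOKENS.get(token)


def _record_id(req: Request) -> int:
    """The object reference lives in the URL for REST and in the variables for GraphQL."""
    if req.path == "/graphql":
        return int(json.loads(req.body)["variables"]["id"])
    return int(req.path.rsplit("/", 1)[1])


def vulnerable_app(req: Request) -> Response:
    """Authenticates the token but never checks who owns the record: the IDOR."""
    user = _caller(req)
    if user is None:
        return Response(401, '{"error":"unauthenticated"}')
    rec = RECORDS.get(_record_id(req))
    if rec is None:
        return Response(404, '{"error":"not found"}')
    return Response(200, json.dumps(rec))  # any valid session can read any record


def fixed_app(req: Request) -> Response:
    """Same endpoint with an object-level authorization check: owner or admin only."""
    user = _caller(req)
    if user is None:
        return Response(401, '{"error":"unauthenticated"}')
    rec = RECORDS.get(_record_id(req))
    if rec is None:
        return Response(404, '{"error":"not found"}')
    if rec["owner"] != user and user not in ADMINS:
        return Response(403, '{"error":"forbidden"}')
    return Response(200, json.dumps(rec))


def autorize_check(app, req: Request, low_priv_token: str) -> str:
    """Replay the request with a low-privilege token and classify the result
    the way Autorize's status column does (labels are paraphrased)."""
    original = app(req)
    swapped = Request(req.method, req.path,
                      {**req.headers, "Authorization": f"Bearer {low_priv_token}"},
                      req.body)
    replayed = app(swapped)
    if replayed.status in (401, 403):
        return "Enforced"
    if (replayed.status, replayed.body) == (original.status, original.body):
        return "Bypassed!"          # identical response with the weaker token
    return "Is enforced???"         # differs, but not an explicit denial: verify by hand


def rest_request(rec_id: int, token: str) -> Request:
    return Request("GET", f"/api/users/{rec_id}", {"Authorization": f"Bearer {token}"})


def graphql_request(rec_id: int, token: str) -> Request:
    body = json.dumps({"query": "query($id: Int!) { user(id: $id) { email role } }",
                       "variables": {"id": rec_id}})
    return Request("POST", "/graphql",
                   {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
                   body)


if __name__ == "__main__":
    # Replay admin (alice) requests as the low-privilege user bob.
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        for req in (rest_request(1, "tok-alice-admin"), graphql_request(1, "tok-alice-admin")):
            print(f"{name:10} {req.method} {req.path:15} -> "
                  f"{autorize_check(app, req, 'tok-bob-user')}")
```

Two points worth keeping in mind when reading Autorize output. First, a "Bypassed!" verdict only means the two responses matched; replaying a request for an object the low-privilege user legitimately owns (record 2 above, owned by bob) also matches on the fixed app, so every hit still needs a manual look at whose data came back. Second, the GraphQL case shows why the extension must be configured to replay POST bodies, not just GET URLs: the object reference is in the JSON variables, and a check that only rewrites the path would miss it.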


Written by hackersatty

Bug Bounty Hunter!:) @Hacker0x01
