  • This has been my favorite (and most rewarding) bug since I started my bug bounty journey. I was hacking on a private program testing for SQL injection on API endpoints that contained some data value in the URL (like /api/user/1234). I was fuzzing the value with typical characters you would use to test for SQLi…

  • I was testing on a private program when I came across several endpoints that utilized a customer ID to retrieve information about that user’s account. I was going through each one testing for IDOR and not having any luck. The server was doing proper authorization checks and denying me access to other accounts’ data. I…
