How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
What if changing one number in a URL could expose 885 million documents? Learn how to find and fix this common vulnerability before attackers do.
#1about 5 minutes
Understanding the IDOR vulnerability and its impact
IDOR (Insecure Direct Object Reference) is an OWASP Top 10 vulnerability that can lead to data leaks, account takeovers, and system crashes.
#2about 3 minutes
How a simple IDOR flaw caused a massive data breach
The First American Financial Corporation breach leaked 885 million documents because attackers could simply change a number in a URL to access unauthorized files.
#3about 15 minutes
A practical demonstration of exploiting IDOR vulnerabilities
Using Burp Suite and OWASP Juice Shop, an attacker can intercept requests to change basket IDs or modify other users' product reviews.
#4about 3 minutes
Examining IDOR vulnerabilities in major companies
Real-world examples from HackerOne show how IDOR vulnerabilities in companies like PayPal and Starbucks can lead to account takeovers and payment data exposure.
#5about 10 minutes
Why IDOR is difficult to prevent and tools that can help
Preventing IDOR is challenging because it requires manual access control checks, but tools like Code Property Graphs (CPG) and GitHub's CodeQL can help automate detection.
#6about 5 minutes
Using neural networks for advanced IDOR detection
By combining Code Property Graphs with neural networks, it's possible to detect IDOR vulnerabilities with higher accuracy and even generate automated code fixes.
Related jobs
Jobs that call for the skills explored in this talk.
Dev Digest 129 - Now that's what I call private data!News and ArticlesAfter declaring Google a monopoly there are now considerations to force it to break up - isn't that what the whole Alphabet thing was about? In the last act of Crowdstrike coverage here, they released a deep analysis of the outage th...
Chris Heilmann
Dev Digest 138 - Are you secure about this?Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Chris Heilmann
Dev Digest 134 - Where pixels sing?News and ArticlesWeAreDevelopers LIVE Data and Security Day is on Wednesday, 25/09/2024. Learn about OPC UA Updates, Best Practices for Using GitHub Secrets, Passwordless Web 1.5, Emerging AI Security Risks, Data Privacy in LLMs and get a chance to t...
Chris Heilmann
Dev Digest 116 - WWWAI?This time, learn how to un-AI Google's search results, what's new on the web, avoid a new security hole and go back to BASICS with us. News and ArticlesWhat a week. Google, Microsoft, OpenAI and many others had their big flagship events announcing th...
From learning to earning
Jobs that call for the skills explored in this talk.
2:08:06
43:56
58:19
37:32
44:30
29:34
37:36
27:32
