Hunting for IDOR and BAC Vulnerabilities in B2B Applications with Burp Suite’s Authorize Extension

Thexssrat
4 min read · Oct 31, 2024

In today’s fast-paced world of agile development and B2B (business-to-business) applications, security professionals and bug bounty hunters alike are constantly on the lookout for vulnerabilities. Two prominent types are Insecure Direct Object References (IDOR) and Broken Access Control (BAC). These vulnerabilities can be game-changers when uncovered, especially given the criticality of B2B systems which often contain sensitive data or core business functions.

This article will guide you through using Burp Suite’s Authorize extension to identify these vulnerabilities, with practical examples and tips on effective testing techniques. With agile release cycles and frequent updates, even if the team has secured 99.4% of the endpoints, there’s always a chance to find that obscure feature or hidden parameter that opens the door to privilege escalation or unauthorized access.

Overview of IDOR and BAC

What is IDOR?

Insecure Direct Object References (IDOR) occur when an application allows users to access objects, like records or files, directly through a reference without proper access control checks. If a user has direct access to objects they shouldn’t, it can lead to unauthorized data…
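To make the definition concrete, here is an added example that is not part of the original article: a minimal B2B "invoices" API modelled in plain Python, with one handler that looks up a record by its id without checking who owns it (the IDOR the text describes) beside a handler that scopes the lookup to the caller's organisation, plus a replay check that imitates what the Burp extension does when it resends a privileged user's requests with a low-privilege session and flags responses that come back identical. The session tokens, users, organisations and invoice ids are constructed sample data.

```python
"""Added example, not the article's code: an IDOR-prone handler, its fixed
form, and an Autorize-style replay comparison over constructed sample data."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two tenant organisations, one session each.
USERS = {
    "sess-acme-admin": {"user": "alice", "org": "acme", "role": "admin"},
    "sess-globex-user": {"user": "bob", "org": "globex", "role": "member"},
}
INVOICES = {
    101: {"org": "acme", "total": 1200},
    102: {"org": "acme", "total": 560},
    201: {"org": "globex", "total": 90},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def session_user(session: str) -> Optional[dict]:
    """Resolve a session token to its user record (None if unauthenticated)."""
    return USERS.get(session)


def get_invoice_vulnerable(session: str, invoice_id: int) -> Response:
    """Authenticates the caller but never checks who owns the invoice.
    Any logged-in user who guesses an id gets the record: a classic IDOR."""
    if session_user(session) is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, inv)


def get_invoice_checked(session: str, invoice_id: int) -> Response:
    """Same lookup, but the record is returned only if it belongs to the
    caller's organisation. A 404 (not 403) is used for foreign ids so the
    response does not confirm that another tenant's invoice exists."""
    user = session_user(session)
    if user is None:
        return Response(401)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["org"] != user["org"]:
        return Response(404)
    return Response(200, inv)


def authorize_replay(handler, object_ids, priv_session, low_session) -> dict:
    """Replay every request made with the privileged session using the
    low-privilege session (what the Burp extension automates) and classify
    each object id: 'bypassed' when the replayed response is identical,
    'enforced' when it differs, 'skipped' when the privileged request itself
    did not succeed and so there was nothing to protect."""
    findings = {}
    for oid in object_ids:
        original = handler(priv_session, oid)
        replayed = handler(low_session, oid)
        if original.status != 200:
            findings[oid] = "skipped"
        elif replayed.status == original.status and replayed.body == original.body:
            findings[oid] = "bypassed"
        else:
            findings[oid] = "enforced"
    return findings


if __name__ == "__main__":
    ids = sorted(INVOICES)
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("checked", get_invoice_checked)):
        print(name, authorize_replay(handler, ids, "sess-acme-admin", "sess-globex-user"))
```

Run against the vulnerable handler, every invoice the acme admin can read comes back "bypassed" for the globex member; against the checked handler, acme's invoices are "enforced" and the globex invoice is "skipped" because the admin could not read it in the first place. As with the real extension, a "bypassed" result still needs a human to confirm that the low-privilege user was not legitimately entitled to that object, otherwise it is a false positive rather than a finding.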
