IDOR – Execute JavaScript in anyone's account

Hey guys, new blog post about a critical IDOR issue I found in terapeak.com, which allowed attackers to change any user's information and delete any saved bulk search remotely from their own account, just by changing the token id in the PUT and DELETE requests. The request to change and save search info looks like:

…
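To make the flaw described above concrete, here is an added example (not code from the post or from terapeak.com) of a hypothetical saved-search store: the vulnerable handler acts on whatever token id the request carries, while the fixed handlers first check that the record belongs to the authenticated session user. The store contents, token ids and user names are constructed sample values.

```python
# Added example, not the site's code: a hypothetical in-memory saved-search
# store illustrating an IDOR on PUT/DELETE and the ownership check that fixes it.

class Forbidden(Exception):
    """Raised when a caller acts on a record that is not theirs."""


def sample_store():
    # Constructed sample data: saved bulk searches keyed by token id,
    # each recording which user created it.
    return {
        "tok-1001": {"owner": "alice", "query": "vintage lenses"},
        "tok-2002": {"owner": "bob", "query": "graphics cards"},
    }


def delete_saved_search_vulnerable(store, session_user, token):
    """IDOR: trusts the token id from the request and never checks who owns it."""
    store.pop(token)
    return True


def require_owner(store, session_user, token):
    """Return the record only if it exists and belongs to the session user.

    'Missing' and 'not yours' give the same error so the endpoint does not
    confirm which token ids exist.
    """
    record = store.get(token)
    if record is None or record["owner"] != session_user:
        raise Forbidden("saved search not found for this account")
    return record


def delete_saved_search_fixed(store, session_user, token):
    """Hardened DELETE: ownership is checked before the record is removed."""
    require_owner(store, session_user, token)
    del store[token]
    return True


def update_saved_search_fixed(store, session_user, token, new_query):
    """Hardened PUT: only the owner may change the saved search."""
    record = require_owner(store, session_user, token)
    record["query"] = new_query
    return record


def denied(fn, *args):
    """True if the call was rejected with Forbidden (helper for checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```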