aufzayed/bugbounty

The difference

netwons opened this issue · 3 comments

The difference between both of them

check if the password change endpoint is vulnerable to IDOR

check if the password reset endpoint is vulnerable to IDOR

password reset: when you forget your password and want to change it, the application sends a token or OTP to your email, then you use it to reset your password. You may find that the endpoint is relying on your ID or email address and is vulnerable to IDOR.

password change: when you are logged in, you can change your email or password or any other info. You may find that the endpoint is relying on your ID and is vulnerable to IDOR.
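
The two cases described in the comment above, as an added example that is not part of the original thread or the repository. It is a constructed in-memory model with hypothetical function names, showing each endpoint in an IDOR-prone form beside a form that takes the account from the reset token record or from the session.

```python
import hmac
import secrets

# Constructed sample state; every name here is hypothetical. Plaintext
# passwords keep the sample short; a real store holds password hashes.
USERS = {1: {"email": "alice@example.test", "password": "old-a"},
         2: {"email": "bob@example.test", "password": "old-b"}}
SESSIONS = {"sess-alice": 1}   # session id -> logged-in user id
RESET_TOKENS = {}              # reset token -> user id it was issued for

def issue_reset_token(email):
    """Password reset, step 1: the token is bound server-side to one account."""
    for uid, user in USERS.items():
        if user["email"] == email:
            token = secrets.token_urlsafe(32)
            RESET_TOKENS[token] = uid
            return token
    return None

def reset_password_vulnerable(token, user_id, new_password):
    # IDOR: the token is checked, but the target account comes from the request.
    if token not in RESET_TOKENS:
        return False
    USERS[user_id]["password"] = new_password
    return True

def reset_password_fixed(token, new_password):
    # The account comes from the token record; pop() makes the token single-use.
    uid = RESET_TOKENS.pop(token, None)
    if uid is None:
        return False
    USERS[uid]["password"] = new_password
    return True

def change_password_vulnerable(session_id, user_id, new_password):
    # IDOR: any valid session may name another user's id in the request.
    if session_id not in SESSIONS:
        return False
    USERS[user_id]["password"] = new_password
    return True

def change_password_fixed(session_id, current, new_password):
    # The account comes from the session; the current password is re-checked.
    uid = SESSIONS.get(session_id)
    if uid is None or not hmac.compare_digest(USERS[uid]["password"], current):
        return False
    USERS[uid]["password"] = new_password
    return True
```

In both fixed forms the request no longer carries a user identifier at all, so there is no object reference for the caller to swap.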

I don't understand