The difference
netwons opened this issue · 3 comments
The difference both of them
check if the password change endpoint is vulnerable to IDOR
check if the password reset endpoint vulnerable to IDOR
password reset: when you forget your password and want to change it, the application sends a token or OTP to your email, then you use it to reset your password, you may find that the endpoint is relying on your ID or email address and vulnerable to IDOR
password change: when you are logged in, you can change your email or password or any other info, you may find that the endpoint is relying on your ID and vulnerable to IDOR
im not understand
password change example: https://rohit443.medium.com/idor-on-password-change-to-full-account-takeover-4d96b9f7f9f0
password reset example: https://medium.com/@swapmaurya20/a-simple-idor-to-account-takeover-88b8a1d2ec24