IDOR

Change Password

Free · 3 Points

Overview

Change Password focuses on an account management workflow where the target user object is not protected strongly enough.

This lab covers IDOR in a sensitive identity function: a password change must be authorized for the authenticated user, not only shaped like a valid request.

Security Impact

IDOR in password management can lead to unauthorized account takeover, loss of user trust, and compromise of downstream data connected to the affected account.

Vulnerability Scope

Profile settings, password reset flows, account APIs, user management panels, and account forms are exposed when they accept user identifiers from the client without re-checking ownership.

Lab Focus

The lab focuses on whether account-changing actions are authorized for the current user and why sensitive state changes need object-level checks in addition to authentication.
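To make the "authenticated but not authorized" distinction concrete, here is an added example (it is not code from the lab or its platform): a minimal password-change handler in plain Python, first in the shape the Vulnerability Scope and Lab Focus sections describe (the handler trusts a `user_id` taken from the request body), then hardened so the object reference comes only from the session and the current password is re-verified. The `User`, `Request`, `USERS` store, usernames and passwords are all constructed sample data, and the HTTP-style status codes are returned as plain integers so the module runs offline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(user_id: int, username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(user_id, username, salt, hash_password(password, salt))


def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


# Constructed in-memory user store (sample data, not from the lab)
USERS = {
    1: make_user(1, "alice", "alice-old"),
    2: make_user(2, "bob", "bob-old"),
}


@dataclass
class Request:
    session_user_id: int  # identity established by authentication (server-side session)
    body: dict            # JSON body exactly as the client sent it


def change_password_vulnerable(req: Request) -> int:
    # IDOR: the target object is chosen by a client-supplied identifier.
    # Authentication happened (we have a session), but ownership is never checked,
    # so any logged-in user can rotate any other user's password.
    user = USERS.get(req.body.get("user_id"))
    if user is None:
        return 404
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(req.body["new_password"], user.salt)
    return 200


def change_password_fixed(req: Request) -> int:
    # Object-level check: the only acceptable target is the authenticated user.
    user = USERS[req.session_user_id]

    # A client-supplied user_id that disagrees with the session is rejected, not
    # silently corrected; the mismatch is also a useful log/detection signal.
    claimed = req.body.get("user_id")
    if claimed is not None and claimed != req.session_user_id:
        return 403

    # Sensitive state change: re-verify the current password before rotating it.
    if not check_password(user, req.body.get("current_password", "")):
        return 403

    new_password = req.body.get("new_password", "")
    if len(new_password) < 12:
        return 400

    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)
    return 200


if __name__ == "__main__":
    # alice (session 1) submits a change naming bob's id (2)
    cross_user = Request(1, {"user_id": 2, "new_password": "attacker-chosen"})
    print("vulnerable:", change_password_vulnerable(cross_user))  # bob's password is changed
    print("fixed:", change_password_fixed(cross_user))            # rejected
```

The hardened handler never looks up a user by anything the client sent; the session is the sole source of the object reference, and the current-password check ensures a hijacked session alone is not enough to lock the real owner out. Logging the session-versus-body identifier mismatch gives a defender a clean detector for this class of probing.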

Related trainings

Insecure Direct Object Reference (IDOR)