Overview
The Invoices lab focuses on an access control weakness in which customer invoice records are fetched directly by a client-supplied identifier.
The page is about document access: an invoice identifier may be visible or guessable, but knowing it should never be enough to view another user's private business data.
Security Impact
IDOR in invoice workflows can expose billing records, customer information, payment details, or business relationships. The result is privacy exposure, compliance risk, and unauthorized access to sensitive account data.
Vulnerability Scope
Invoice pages, order history screens, downloadable documents, account portals, and record APIs are exposed when predictable identifiers are fetched without ownership checks.
Lab Focus
The lab focuses on object-level authorization, the difference between authentication and authorization, and why every sensitive record access needs a server-side ownership check.
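As an added example (not the lab's own code), the vulnerable lookup beside its hardened form: both callers are authenticated, but only the second enforces object-level authorization against the server-side session. The in-memory store, user ids and invoice ids are constructed for illustration.

```python
"""Vulnerable vs. hardened invoice lookup (added example, not the lab's code).

Store, user ids and invoice ids below are constructed for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int

# Constructed sample data: sequential, guessable ids owned by two different customers.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount_cents=125000),
    1002: Invoice(1002, owner_id=9, amount_cents=98000),
    1003: Invoice(1003, owner_id=7, amount_cents=4500),
}

class NotFound(Exception):
    """Used for both missing and foreign invoices so the response does not reveal existence."""

def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the caller is authenticated, but the record is fetched by id alone.
    session_user_id is never consulted, so any logged-in user can read any invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound()
    return inv

def get_invoice_secure(session_user_id: int, invoice_id: int) -> Invoice:
    """Object-level authorization: the owner comes from the server-side session,
    never from the request, and the lookup is scoped to that owner.
    Missing and foreign ids fail identically so ids cannot be enumerated."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        raise NotFound()
    return inv

def can_read(handler, session_user_id: int, invoice_id: int) -> bool:
    """Report whether the handler hands the record back to this session user."""
    try:
        handler(session_user_id, invoice_id)
        return True
    except NotFound:
        return False
```

With user 9 requesting invoice 1001 (owned by user 7), `can_read(get_invoice_vulnerable, 9, 1001)` returns True, a cross-tenant read, while `can_read(get_invoice_secure, 9, 1001)` returns False.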