Overview
Ticket Sales focuses on an object authorization issue inside a purchase flow.
This lab applies IDOR thinking to business transactions. The key idea is that prices, products, tickets, and account-specific purchase objects must be validated server-side before a transaction is accepted.
Security Impact
IDOR in a checkout flow can lead to unauthorized discounts, incorrect pricing, manipulated purchases, or access to objects that belong to another user. For a ticketing product, that directly affects revenue and transaction integrity.
Vulnerability Scope
Ticketing systems, carts, checkout APIs, reservation flows, product variants, and purchase endpoints are exposed when the server accepts client-supplied object references without verifying them.
Lab Focus
The lab focuses on whether transaction objects are bound to the current user, why client-side state cannot be trusted, and how access control decisions affect business logic.
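The following sketch is an added example, not code from the lab. It contrasts a checkout handler that trusts the client-supplied reservation id and price with one that binds the reservation to the current user and derives the price server-side. The data model, function names, and sample values are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data; every name and value here is hypothetical.
@dataclass(frozen=True)
class Reservation:
    id: int
    owner_id: int
    ticket_id: int
    quantity: int

PRICES_CENTS = {101: 5000, 102: 12000}  # server-side price catalogue
RESERVATIONS = {
    1: Reservation(1, owner_id=7, ticket_id=101, quantity=2),
    2: Reservation(2, owner_id=8, ticket_id=102, quantity=1),
}

class CheckoutError(Exception):
    pass

def checkout_trusting(user_id, body):
    """Weak form: accepts whatever reservation and price the client names."""
    r = RESERVATIONS[body["reservation_id"]]
    return {"reservation_id": r.id,
            "charged_cents": body["price_cents"] * r.quantity}

def checkout_validated(user_id, body):
    """Hardened form: ownership check plus server-side price lookup."""
    rid = body.get("reservation_id")
    r = RESERVATIONS.get(rid) if isinstance(rid, int) else None
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    if r is None or r.owner_id != user_id:
        raise CheckoutError("reservation not found")
    unit = PRICES_CENTS.get(r.ticket_id)
    if unit is None:
        raise CheckoutError("ticket not on sale")
    # Any price_cents in the body is ignored; the total is derived here.
    return {"reservation_id": r.id, "charged_cents": unit * r.quantity}
```

The `user_id` argument stands for the identity taken from the authenticated session, never from the request body.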

