Bug Class Deep Dives
IDOR lives in the second identifier: finding BOLA with two-account Shadow Replay
Everyone fuzzes the ID in the URL path; the ID in the path is usually the one the app actually checks. The access-control bug is hiding in the account_id in the body, the node(id:) resolver, the async PDF job, and the PUT you never sent. Here's where BOLA really lives and how to diff it in two accounts.
Jul 4, 2026 · 8 min read