I tried.
If I write “Wow, great advice!” the comment stays.
If I share a critical opinion, it gets shadow banned.
Now about one piece of “senior” advice on Reddit (and there are many like this).
The advice: Test that User A cannot access User B’s data. You should get a 403 Forbidden.
This is very bad advice.
If a system returns 403, it means:
1. The resource exists.
2. The access check happens after identification.
Which means:
- you can iterate IDs
- you can enumerate users
- you can measure response time
- you can eventually find an edge case where it’s no longer 403
👉 This is a classic IDOR / enumeration entry point. A real security vulnerability.
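To make the point concrete, here is an added example (not code from the post or from RENTGEN) with a constructed document store: a handler that checks existence before ownership and so answers 403 for other users' records, a hardened handler that treats "not yours" exactly like "does not exist", and the check a reviewer can run to see which one leaks. The names, ids and users are all assumptions made up for the example.

```python
from dataclasses import dataclass

# Constructed sample store for the example: document id -> owning user.
DOCUMENTS = {101: "alice", 102: "bob"}


@dataclass
class Response:
    status: int
    body: str


def get_document_leaky(doc_id: int, user: str) -> Response:
    """The pattern criticised above: existence is decided first, ownership second.
    A caller who owns nothing sees 404 for unknown ids and 403 for ids that exist,
    so the status code alone tells them which ids are real."""
    owner = DOCUMENTS.get(doc_id)
    if owner is None:
        return Response(404, "Not Found")
    if owner != user:
        return Response(403, "Forbidden")  # leaks that doc_id exists
    return Response(200, f"document {doc_id} owned by {owner}")


def get_document_hardened(doc_id: int, user: str) -> Response:
    """Existence and ownership are one predicate: an id the caller does not own
    produces the same status and body as an id that was never created."""
    owner = DOCUMENTS.get(doc_id)
    if owner is None or owner != user:
        return Response(404, "Not Found")
    return Response(200, f"document {doc_id} owned by {owner}")


def leak_check(handler, probing_user: str, ids) -> list[int]:
    """Reviewer's test for the advice quoted above. As a user who owns none of
    the ids, compare every response against the response for an id known not to
    exist; any id that answers differently is being confirmed as real."""
    baseline = handler(999_999, probing_user)  # constructed id that does not exist
    return [
        i for i in ids
        if (handler(i, probing_user).status, handler(i, probing_user).body)
        != (baseline.status, baseline.body)
    ]
```

The check compares only status and body; the response-time point in the list above needs a separate measurement, since a handler that does a database lookup before answering 404 can still be distinguishable by latency.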
This is exactly the kind of thing I’m building RENTGEN to detect automatically. I’ll leave the GitHub repo link in the comments for anyone interested.
