00 — Overview
FirstBank — Account Statements
Account numbers are sequential. The server never checks ownership. One request away from reading every customer's balance and transaction history.
Beginner · 20 min · 3 tasks
// By the end of this module
→ Find and exploit IDOR in a banking API to access other accounts
→ Enumerate account numbers to discover sensitive financial data
→ Chain account enumeration with data exfiltration
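
The missing ownership check described in this overview, shown next to a corrected lookup and a small detector for repeated denied lookups. This is an added example, not the FirstBank lab's own code; the account data, function names and threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    number: int
    owner: str
    balance: str

# Constructed sample data: sequential account numbers, as in the module.
ACCOUNTS = {
    1001: Account(1001, "alice", "2,450.00"),
    1002: Account(1002, "bob", "18,300.75"),
    1003: Account(1003, "carol", "97.10"),
}

class Forbidden(Exception):
    """Would map to a single generic error response in a real handler."""

def get_statement_vulnerable(session_user, account_number):
    # Flaw: the caller is authenticated, but never compared to the owner.
    return ACCOUNTS[account_number]

def get_statement_hardened(session_user, account_number):
    account = ACCOUNTS.get(account_number)
    # Same error for "missing" and "not yours", so replies do not
    # reveal which account numbers exist.
    if account is None or account.owner != session_user:
        raise Forbidden("account not available")
    return account

def replay(requests):
    """Run (user, account_number) pairs through the hardened lookup
    and return the pairs that were denied."""
    denials = []
    for user, number in requests:
        try:
            get_statement_hardened(user, number)
        except Forbidden:
            denials.append((user, number))
    return denials

def flag_enumeration(denials, threshold=3):
    """Users denied on at least `threshold` distinct account numbers."""
    seen = {}
    for user, number in denials:
        seen.setdefault(user, set()).add(number)
    return sorted(u for u, nums in seen.items() if len(nums) >= threshold)
```
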
