A normal user should never be able to touch an admin’s data, but a broken authorization check on a delete endpoint made it trivial. This note covers the bug, the manual method used to confirm it, and where AI recon fits into finding these targets in the first place.

The IDOR that broke authorization

The target was a vendor-facing partnership platform with granular roles: admins who could create users, and lower-privilege accounts with read-only, edit, or invite-only permissions. Admins managed “retail chain” records (retail A, B, C) with create, edit, and delete controls that were only rendered in the admin UI. The flaw sat on the delete endpoint, shaped roughly like DELETE /vendor/retail-chain/delete/{id} where id was a small sequential integer. Two things combined to make it exploitable: the object reference was a low, guessable number (easy to enumerate or brute-force), and the server never verified that the caller’s role actually permitted the deletion. Because the ID was carried in the URL path rather than only in the body, tampering with it succeeded where body-only changes might have failed - a detail worth checking on every endpoint.

Confirming it with Burp and a swapped JWT

The confirmation was pure manual access-control testing in Burp Suite, and the method is the reusable part. First, log in as admin, intercept a legitimate delete request, and send it to Repeater - then drop the live request so nothing is actually deleted from the admin session. Next, log in as the low-privilege user, capture that account’s request, and inspect its JWT in Burp’s JWT tab to confirm the payload really shows the lower role (not admin). Then copy the normal user’s JWT into the admin-only delete request in Repeater and replay it. A properly secured endpoint returns 401 or 403; this one returned 200 OK and reported the owner as admin while still carrying out the deletion. Logging back in as admin confirmed the record was gone. The single validated ID earned $500, and the same application yielded several more findings. To scale this kind of testing, the presenter points to Burp’s Autorize extension, but stresses doing it by hand first so you understand the behavior before automating it.

Where AI recon actually fits

The bug itself was found by hand; AI enters at the recon stage, which is the real bottleneck in bug bounty - you have to discover vulnerable applications before other hunters do. The sponsored tool, PenLegend.ai (pitched as an “agentic AI hacker,” installed on Linux via dpkg on a .deb and macOS, Windows pending), takes a domain or IP and proposes a checklist of recon and scanning commands you can toggle on or off before running. It walks the standard pentest phases - recon and asset discovery, scanning, vulnerability identification, exploitation, verification, reporting - across a claimed 200+ integrated tools, then summarizes each tool’s output. In the demo against a deliberately vulnerable shop it surfaced findings like error-based SQL injection, directory listing on FTP, an unauthenticated admin API (broken access control), and stack-trace exposure leaking the Express version, and it even suggested follow-up commands such as an sqlmap run to exploit the SQLi. The honest framing: this is recon and triage acceleration, not the discovery of the $500 IDOR, which required human logic-flaw reasoning the automated scan would not have produced.

The repeatable lesson

Logic and authorization flaws like this IDOR are found by reasoning about who should be allowed to do what, then replaying requests across privilege levels to see if the server actually enforces it. Guessable sequential IDs plus a missing server-side role check is a recurring, high-impact pattern worth probing on every state-changing endpoint. AI tooling speeds up the recon and scanning that gets you in front of these apps faster, but the edge in bug bounty still comes from manual testing skill layered on top of that speed.

Key takeaways

  • Test every state-changing endpoint by replaying it with a lower-privilege token; a 200 where you expect 401/403 is a broken access control.
  • Small sequential object IDs are enumerable - combined with a missing role check they escalate straight to unauthorized deletion.
  • IDs in the URL path may be exploitable even when the same tampering in the request body is blocked.
  • Use Burp Repeater and the JWT tab to prove the role, drop live admin requests so you never destroy real data, and reach for Autorize only after you understand the flow.
  • AI recon (e.g. PenLegend.ai) accelerates asset discovery and scanning, but logic flaws still need human reasoning.

Sources