Lab 45: Secure Architecture

Broken Access Control (IDOR)

The exact healthcare breach: logged in as one patient, change the record id in the URL. Without a server-side ownership check you read someone else's report; with it you get 403. Login is not authorization.

You're logged in as Alice, patient #1001 (authenticated ✓). Now change the patient id in the request and send it — with and without a server-side ownership check.
Request:

    GET /api/patient/1001
    Authorization: Bearer (Alice)
🔑 Authentication (who are you?)
Solved by login — Alice's token is valid. ✓ This part already works.
🛡️ Authorization (what may you access?)
The missing check — does Alice own this record? Without it, login means nothing.
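The two handlers the lab contrasts, as an added example written for this page rather than the lab's own code: a minimal in-memory patient API with the vulnerable handler (authentication only) beside its hardened form (authentication plus a server-side ownership check). The record store, tokens and function names are constructed for illustration.

```python
# Constructed sample data: two patients, one bearer token each.
RECORDS = {
    1001: {"owner": "alice", "report": "Alice's lab results"},
    1002: {"owner": "bob", "report": "Bob's lab results"},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(bearer_token):
    """Authentication: map a bearer token to a user name, or None if invalid."""
    return TOKENS.get(bearer_token)


def get_patient_insecure(bearer_token, patient_id):
    """Vulnerable handler: checks WHO the caller is, never WHETHER they may read this record."""
    user = authenticate(bearer_token)
    if user is None:
        return 401, "unauthenticated"
    record = RECORDS.get(patient_id)
    if record is None:
        return 404, "not found"
    return 200, record["report"]  # any logged-in user can read any record (IDOR)


def get_patient_secure(bearer_token, patient_id):
    """Hardened handler: same authentication, plus an ownership check on the server side."""
    user = authenticate(bearer_token)
    if user is None:
        return 401, "unauthenticated"
    record = RECORDS.get(patient_id)
    if record is None:
        return 404, "not found"
    # The authorization decision is made here, from server-side data, never from the request.
    # (Some APIs answer 404 for both cases so the response does not reveal which ids exist.)
    if record["owner"] != user:
        return 403, "forbidden"
    return 200, record["report"]


def run_lab():
    """Replay the lab scenario: Alice (#1001) requests her own record, then changes the id to 1002."""
    return {
        "insecure_own": get_patient_insecure("tok-alice", 1001)[0],
        "insecure_other": get_patient_insecure("tok-alice", 1002)[0],
        "secure_own": get_patient_secure("tok-alice", 1001)[0],
        "secure_other": get_patient_secure("tok-alice", 1002)[0],
    }


if __name__ == "__main__":
    print(run_lab())
```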
What just happened