Ethical Hacking Academy · Lesson

Finding Common Bugs

IDOR, XSS, SSRF.

The Bread-and-Butter Bugs

A handful of vulnerability classes account for most bug bounty payouts because they are both common and impactful. Master these three first:

  • IDOR — accessing other users' data via predictable IDs
  • XSS — injecting script into a page
  • SSRF — making the server fetch attacker-chosen URLs

This lesson shows how to hunt each one methodically.

Understanding IDOR

Insecure Direct Object Reference (IDOR) happens when an app uses a user-supplied identifier to fetch an object without checking that the user owns it.

Change the ID and you read someone else's data. It is an access-control flaw, not an injection: the input is a perfectly valid identifier, and the bug is the missing ownership check behind it.

# Your own invoice
GET /api/invoices/1001  Authorization: Bearer <your-token>

# Change the ID - do you get someone else's?
GET /api/invoices/1002  Authorization: Bearer <your-token>
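Added example (not from the lesson): the lookup behind GET /api/invoices/<id> written once as the IDOR-prone handler and once scoped to the caller, plus the check a defender runs over refused lookups to spot an ID walk. The invoice table, user ids and threshold are constructed.

```python
"""Insecure vs. hardened invoice lookup, with a detection helper.

Constructed example: an in-memory invoice table stands in for the database,
and caller_id stands in for the identity carried by the bearer token.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int

# Constructed sample table: user 7 owns 1001 and 1003, user 9 owns 1002.
INVOICES = {
    1001: Invoice(1001, 7, 12_500),
    1002: Invoice(1002, 9, 98_000),
    1003: Invoice(1003, 7, 4_200),
}

Response = Tuple[int, Optional[dict]]

def get_invoice_insecure(caller_id: int, invoice_id: int) -> Response:
    """IDOR: the token proves who the caller is, but the handler never asks
    whether the caller owns invoice_id. caller_id is simply ignored."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, {"id": inv.invoice_id, "amount_cents": inv.amount_cents}

DENIALS: List[Tuple[int, int]] = []  # (caller_id, invoice_id) per refused lookup

def get_invoice_secure(caller_id: int, invoice_id: int) -> Response:
    """Same lookup with an ownership check. A foreign id and an unknown id get
    the identical 404 so the endpoint does not reveal which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller_id:
        DENIALS.append((caller_id, invoice_id))
        return 404, None
    return 200, {"id": inv.invoice_id, "amount_cents": inv.amount_cents}

def probing_callers(min_denials: int = 3) -> List[int]:
    """Detection side: callers refused on at least min_denials distinct ids.
    One account walking ids it does not own is the classic IDOR probe."""
    per_caller: Counter = Counter()
    for caller, _invoice in set(DENIALS):
        per_caller[caller] += 1
    return sorted(c for c, n in per_caller.items() if n >= min_denials)
```

The fix is the `owner_id != caller_id` comparison; the 404 for both cases and the denial log are what make the endpoint quiet to enumerate and loud to monitor.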
