Chapter 2

Broken Access Control

IDOR, missing role checks, and the "just check user_id" rule.

~15 min total · 2 lessons · Assignment

By the end of this chapter you'll be able to

  • Spot an IDOR in a code review
  • Add authorization checks the right way

Chapter assignment

Exploit + patch an IDOR

In a fresh Grit project, create two users (A and B) and one note owned by A. As B, attempt to PATCH and DELETE A's note. Document the exploit, then add the authorization check. Re-test: both requests must now return 403.
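An added example, not part of the course or of the Grit project, showing the assignment's note endpoint in framework-agnostic Python: the handler that looks the note up by id alone (the IDOR) beside the handlers that enforce ownership and return 403. The store, user ids and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Note:
    id: int
    owner_id: int
    body: str


def make_store():
    """Constructed fixture: user A (id 1) owns note 100; user B is id 2."""
    return {100: Note(id=100, owner_id=1, body="A's private note")}


def patch_note_vulnerable(store, current_user_id, note_id, new_body):
    """IDOR: the note is looked up by id only, so any authenticated
    user (including B) can overwrite A's note."""
    note = store.get(note_id)
    if note is None:
        return 404
    note.body = new_body
    return 200


def _owned_by(store, current_user_id, note_id):
    """Shared authorization check, returning (status, note). It runs on
    every lookup of the object, before any mutation happens."""
    note = store.get(note_id)
    if note is None:
        return 404, None
    if note.owner_id != current_user_id:
        return 403, None  # authenticated, but not authorized for this object
    return 200, note


def patch_note_fixed(store, current_user_id, note_id, new_body):
    status, note = _owned_by(store, current_user_id, note_id)
    if status != 200:
        return status
    note.body = new_body
    return 200


def delete_note_fixed(store, current_user_id, note_id):
    status, note = _owned_by(store, current_user_id, note_id)
    if status != 200:
        return status
    del store[note_id]
    return 200
```

Putting the check in one helper that every object-level handler calls is what makes "just check user_id" hold up under review: a new endpoint cannot forget it without visibly skipping the helper.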


Lesson 1 takes ~8 min.
