/journal

Authentication Is Not Authorization

The most boring high-impact bug there is, and the two-session diff that finds it every time.

The flashy bugs get the headlines. The bug that actually leaks the data is almost always this dull one: the app checks who you are and forgets to check whether you're allowed to see this specific thing.

That's IDOR, and its API-shaped sibling, BOLA (broken object level authorization), which sits near the top of the OWASP API list for a reason. Authentication asks "are you logged in?" Authorization asks "are you allowed to touch object 1042?" Skip the second question and the user who owns order 1043 can GET /api/orders/1042 and happily get someone else's order back.

The test that finds it reliably:

  1. Authenticate as user A, capture a request that returns A's data.
  2. Authenticate as user B in a second session.
  3. Replay A's request with B's session (and the reverse), swapping only the object identifier.
  4. Diff the responses. If B can read A's object, the diff lights up.
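
The four steps as an added, self-contained example (not the author's tool): an in-memory order store, one handler that only authenticates, one that also checks ownership, and a replay-and-diff that flags object ids that leak across identities. The session tokens, user names and order ids are constructed for the example.

```python
# Constructed data: order id -> record, session token -> authenticated user.
ORDERS = {
    1042: {"owner": "alice", "total": 99.0},
    1043: {"owner": "bob", "total": 12.5},
}
SESSIONS = {"sess-A": "alice", "sess-B": "bob"}


def get_order_vulnerable(session, order_id):
    """Authenticates (is the session valid?) but never authorizes
    (does this session's user own the object?). This is the IDOR/BOLA shape."""
    if session not in SESSIONS:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_fixed(session, order_id):
    """Same lookup, but the owner check is part of the fetch, not an afterthought."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None  # same answer for "missing" and "not yours"
    return 200, order


def two_session_diff(handler, captured):
    """Steps 1-4: `captured` is a list of (session, order_id) pairs that each
    returned that session's own data. Replay every one under every other
    session and diff; an identical 200 body from the other session is a leak."""
    leaks = []
    for session, order_id in captured:
        status_own, body_own = handler(session, order_id)
        for other in SESSIONS:
            if other == session:
                continue
            status_other, body_other = handler(other, order_id)
            if status_own == 200 and status_other == 200 and body_own == body_other:
                leaks.append((other, order_id))
    return leaks


if __name__ == "__main__":
    captured = [("sess-A", 1042), ("sess-B", 1043)]
    print("vulnerable:", two_session_diff(get_order_vulnerable, captured))
    print("fixed:     ", two_session_diff(get_order_fixed, captured))
```

Against the vulnerable handler the diff reports both cross-session reads; against the fixed one it reports nothing, which is the assertion worth keeping in a regression suite.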

The lesson is the methodology, not the bug. A scanner won't find this for you, because it doesn't know what "someone else's data" looks like; you have to hold two identities at once and compare. I keep a tiny replay-and-diff tool for exactly this; it found the gap on crAPI in seconds.

The bouncer checks your ID at the door and then lets you walk straight into the vault. My whole job is to be the person who actually tries the vault door.