Keensafe Breach & Attack Sim

bas-002 — API IDOR → customer data exposure

high · risk 78 · API

GET /api/v1/accounts/{id} returns account data for any id without ownership checks.

MITRE & OWASP

  • T1530 Data from Cloud Storage
  • T1213 Data from Information Repositories
  • API1:2023 Broken Object Level Authorization

Preconditions

  • api.keensafeglobalbank.com reachable

Attack path

  1. attacker — GET /api/v1/accounts/1
  2. attacker — Iterate ids 1..100
  3. app — All accounts returned including balances and IBANs

Run

Running emits evidence JSON; no real exploitation runs.


Remediation

Enforce a per-object ownership check on every account lookup: resolve the caller's identity from the Bearer token server-side and return the record only if that identity owns the requested id. Require a valid Bearer token on the endpoint, since the ownership check cannot work without a known caller. Rate-limit per client to slow enumeration, but treat that as a secondary control: with sequential ids, rate limiting only delays the dump, it does not prevent it.
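The following is an added example, not the Keensafe product's or the target application's own code. It models the attack path above (iterate ids 1..100 against GET /api/v1/accounts/{id}) and the remediation in one place: a `vulnerable_get_account` handler that behaves as bas-002 describes, a `hardened_get_account` handler with the Bearer-token and per-object ownership checks, and an `enumerate_accounts` helper that replays the enumeration against either handler and summarises what leaked. The function names, the in-memory session and account stores, and the IBAN format are assumptions made for the example; the accounts, tokens and balances are constructed sample data.

```python
"""Added example: vulnerable vs. hardened account lookup, plus the bas-002
enumeration replayed against both.  Nothing here is the product's own code;
all names and data are constructed for illustration."""

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample sessions: bearer token -> user id (assumption)
SESSIONS = {"tok-alice": "u-alice", "tok-bob": "u-bob"}

# Constructed account store: numeric id -> owner, balance, IBAN.
# Odd ids belong to alice, even ids to bob; IBAN format is made up.
ACCOUNTS = {
    i: {
        "owner": "u-alice" if i % 2 else "u-bob",
        "balance": 1000 + i,
        "iban": f"GB00KEEN{i:014d}",
    }
    for i in range(1, 101)
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_account(account_id: int, bearer: Optional[str]) -> Response:
    """The behaviour bas-002 describes: any id is returned to any caller.
    The token is ignored entirely and there is no ownership check."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return Response(404)
    return Response(200, dict(acct))


def hardened_get_account(account_id: int, bearer: Optional[str]) -> Response:
    """Remediation: require a valid Bearer token, resolve the caller from it
    server-side, and return the object only if the caller owns it.
    A foreign id gets 404 rather than 403 so the endpoint does not confirm
    that the id exists (design choice for this example)."""
    if bearer is None or not bearer.startswith("Bearer "):
        return Response(401)
    user = SESSIONS.get(bearer[len("Bearer "):])
    if user is None:
        return Response(401)
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != user:
        return Response(404)
    return Response(200, dict(acct))


def enumerate_accounts(
    handler: Callable[[int, Optional[str]], Response],
    bearer: Optional[str],
    id_range: range = range(1, 101),
) -> dict:
    """Replay the attack path: request every id in id_range and collect each
    record that comes back with 200.  The returned summary is the kind of
    evidence a BAS run could emit."""
    exposed = {}
    for i in id_range:
        resp = handler(i, bearer)
        if resp.status == 200 and resp.body is not None:
            exposed[i] = resp.body
    return {
        "ids_tried": len(id_range),
        "records_returned": len(exposed),
        "ibans": sorted(b["iban"] for b in exposed.values()),
    }


if __name__ == "__main__":
    # Unauthenticated enumeration against the vulnerable handler dumps
    # every account; against the hardened handler it yields nothing, and an
    # authenticated caller only ever sees their own accounts.
    print(enumerate_accounts(vulnerable_get_account, None)["records_returned"])
    print(enumerate_accounts(hardened_get_account, None)["records_returned"])
    print(enumerate_accounts(hardened_get_account, "Bearer tok-alice")["records_returned"])
```

Run it as a script to see the three counts. The point of the hardened handler is that the ownership decision is made from the server-side session, never from anything the client supplies alongside the id; rate limiting is deliberately left out because it changes the speed of the dump, not its outcome.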