Severity: HIGH — CVSS 3.1: 7.5  |  Patched: Within 7 days  |  Context: Responsible disclosure on live target

An Insecure Direct Object Reference (IDOR) vulnerability was identified in a UK-based booking platform. The flaw allowed any unauthenticated user to access, read, and enumerate other customers' reservation records by simply modifying a predictable integer ID in the request URL — no authentication, no authorisation bypass required.

During passive reconnaissance I observed the application's booking confirmation endpoint followed a sequential pattern: /api/bookings/12847. The ID was a simple incrementing integer with no additional validation token or ownership check on the server side.

Using Burp Suite's Repeater, I modified the numeric ID and issued the same GET request without any authentication cookie or bearer token attached. The API returned full reservation details for another customer — including name, email, phone number, booking dates, and payment reference number.

Server-side authorisation check on every request: verify that the authenticated user's session token matches the owner of the resource being requested. Implement non-guessable resource identifiers (UUIDs instead of sequential integers). Apply a deny-by-default access control policy — any resource access must be explicitly permitted, not merely unauthenticated.

Severity: HIGH — CVSS 3.1: 7.5  |  Patched: 14 days  |  OWASP API: API5:2023 — Broken Function Level Authorisation

A missing authorisation check on a REST API endpoint allowed unauthenticated access to a user enumeration route that should have been restricted to admin-level tokens only. The endpoint disclosed the email address, username, registration date, and account status of all registered users — a significant data exposure with both privacy and security implications.

While mapping the API surface during a passive reconnaissance phase, the endpoint GET /api/v2/admin/users was identified via JavaScript bundle analysis — the route was referenced in the minified frontend code but not exposed through the public API documentation.

Sending a request to this endpoint without any Authorization header returned a paginated JSON response containing all user records. The application performed no server-side validation of the caller's identity or role before returning this data.

The route was implemented during development with a middleware stub that was never populated with actual auth logic — a common pattern when admin functionality is scaffolded quickly and the security enforcement is deferred. In production, the stub remained in place and the route was never tested from an unauthenticated context before release.

Implement a middleware enforcement layer that validates the caller's JWT on every request to admin-scoped routes. Apply role-based access control (RBAC) with explicit allow-lists for endpoint access by role. Ensure all API routes are covered in security testing, including those not listed in public documentation — internal routes are often the most exploitable.

This post is for anyone standing where I was at the start of 2024 — interested in offensive security, unsure where to start, and overwhelmed by the noise of "learn hacking fast" content online. Here's what actually worked for me, laid out honestly.

Before touching a single security tool, spend time in a Linux terminal. You don't need to become a sysadmin — you need to be comfortable navigating the filesystem, using pipes, writing simple Bash commands, and understanding file permissions. OverTheWire Bandit is the single best free resource for this. Completing all 34 levels will give you more practical Linux fluency than most beginner courses.

TryHackMe has guided, structured learning paths with built-in hints and walkthroughs. HackTheBox is intentionally harder and more open-ended. Starting with TryHackMe's Jr Penetration Tester path is the right call — it teaches Burp Suite, Nmap, Metasploit, web application hacking, and privilege escalation in a logical order with explanation at each step. Only move to HackTheBox once you can complete TryHackMe machines without hints.

Forget CEH — it's expensive, vendor-focused, and relies heavily on multiple choice. A practical junior certificate is better than a paper-only route: choose training that forces you to enumerate, test, document, and explain findings rather than only memorising terminology. The goal is competence in labs first, then credentials that prove it.

Don't spend months passively consuming courses without practising. The ratio should be roughly 20% reading and 80% doing — running tools, hitting targets in lab environments, and failing repeatedly until it clicks. Security is a deeply practical discipline and no amount of theory replaces hands-on time. Start, make mistakes, learn from them, and document everything you discover.

Security Cyber started as an offensive security practice — web app pentesting, red team fundamentals, OSINT. That remains part of the offering. But my primary development focus has shifted clearly towards blue team and defensive security, and I want to explain why — and what that looks like in practice.

I find detection, analysis, and response work genuinely more interesting than pure exploitation. There's a different kind of problem-solving in a SOC investigation — building a timeline from fragmented log entries, identifying the one anomalous process in thousands of events, correlating network connections to a malware family. The detective work of defence is what I keep coming back to in lab sessions.

Practically speaking, the demand for qualified defensive security analysts is enormous and growing. The attack surface keeps expanding faster than defenders can cover it. SOC analysts, threat hunters, and DFIR specialists are consistently among the hardest roles to hire for. That matters when thinking about long-term career viability.

This is the part that's genuinely useful to understand. When I write a Sigma detection rule for Mimikatz credential dumping, I know exactly what process creates the LSASS access event, what the parent process looks like, and what the network pattern following a successful dump tends to be — because I've run Mimikatz in a lab and watched Sysmon generate those events in real time.

When I analyse a suspicious PowerShell command in a SIEM alert, I understand the -EncodedCommand flag and base64 obfuscation pattern because I've used them. That context closes investigation time. Most detection engineers without red team exposure would miss the significance of a one-line encoded command run from a Word macro process tree.

The offensive and defensive skills compound each other in both directions. Red team work produces better defenders. Blue team work produces more realistic red team assessments that focus on what actually gets through detection.

The site now keeps certification and badge claims tied to confirmed evidence: ISC2 Certified in Cybersecurity (CC), TryHackMe Jr Penetration Tester, Web Fundamentals, Pre Security, Cisco Introduction to Cybersecurity, top 3% TryHackMe ranking, 149+ TryHackMe rooms, 26 badges, and Hack The Box practice.

Future training can change quickly, so it is not listed as a public credential claim unless there is evidence to back it.