Tales from the Trace:
Finding IDORs with Agentic Reasoning
Join XBOW’s Offensive Security Engineers for a deep, trace-level walkthrough of how real Insecure Direct Object References (IDORs) are discovered and exploited in practice, using two 0-day vulnerabilities found in the Spree eCommerce framework.
We’ll show how XBOW’s IDOR module reasons about authorization boundaries where traditional scanners stop at linear checks and error responses.
Tune in and see:
Two real Spree zero-day IDORs: unauthenticated and cross-cart billing/shipping address access, walked through trace by trace.
Why scanners fail at IDORs: linear ID probing and response diffing break as soon as authorization logic and state come into play.
How XBOW finds them instead: agentic reasoning over objects, roles, and auth states, with access to real data.
Meet our Speakers

Fernando Diaz
Offensive Security Engineer

Adrian Losada Pita
Offensive Security Engineer