Working on the 'Missing Authorisation' module for Practical Laravel Security and looking through my past audit findings for inspiration, but it's basically all just IDORs everywhere... 😭
I gotta think up some more creative challenges, changing a number in a URL is too easy! 🤔