web IDOR with MongoDB: understanding ObjectID Given their complex appearance, some would think that exploiting an IDOR based on MongoDB's ObjectID would be difficult. This is not the case, as the ObjectID is not random.
web Account enumeration on web applications Why a generic message to prevent user enumeration is an acceptable user-experience degradation to improve security.