Comment by _benj

3 years ago

In a previous role I decided to open ZAP for some quick debugging, but during it I decided to just edit the user id that was being sent in my request, and to my horror our app sent me all the data for whatever user id I would send!

This was a project that had millions of dollars in man hours and where many developers with a lot more experience than me had worked for years…

Bottom line, they had a monkey-patched custom framework that was just Django without documentation and with huge security holes…

I sometimes wonder if that industry exists because if suits don’t see a $30k to fix checking a user id, they couldn’t be bothered to have engineers do “useless” tickets to pen test their own systems
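The failure the commenter describes is a view that keys its lookup on a client-supplied user id without checking it against the session identity (an insecure direct object reference). The following is an added, framework-free Python illustration, not the commenter's code nor anything from the project mentioned; the `Request` class, the `USERS` table, the view names and the `cross_user_access_possible` regression check are all constructed for this example and stand in for a Django view and its ORM lookup.

```python
"""Missing-ownership-check illustration: a vulnerable handler beside its hardened
form, plus a regression check a team can run in CI so the hole cannot silently
reopen. Everything here is constructed for the example (no real framework)."""
from dataclasses import dataclass, field

# Constructed sample "users" table keyed by user id. Nothing here is real data.
USERS = {
    1: {"id": 1, "email": "alice@example.test", "phone": "555-0101"},
    2: {"id": 2, "email": "bob@example.test", "phone": "555-0102"},
}

# Constructed audit trail: denied attempts are recorded so that an unusual
# volume of cross-user requests can be noticed in monitoring.
DENIED_LOG: list = []


@dataclass
class Request:
    """Minimal stand-in (constructed) for a framework request object."""
    authenticated_user_id: int        # identity established by the session
    params: dict = field(default_factory=dict)  # parameters exactly as the client sent them


class Forbidden(Exception):
    """Raised by the hardened view when the caller may not read the resource."""


def profile_view_vulnerable(request: Request) -> dict:
    """Returns the record for whatever `user_id` the client supplied.
    The session identity is never consulted, so any logged-in user can read
    any other user's record simply by changing the parameter."""
    target = int(request.params["user_id"])
    return USERS[target]


def authorize_owner(request: Request, target_id: int) -> None:
    """Ownership check: the session user must be the record's owner.
    Denials are logged (not merely dropped) so they are visible to detection."""
    if request.authenticated_user_id != target_id:
        DENIED_LOG.append(
            {"actor": request.authenticated_user_id, "target": target_id}
        )
        raise Forbidden(
            f"user {request.authenticated_user_id} may not access user {target_id}"
        )


def profile_view_hardened(request: Request) -> dict:
    """Same lookup, but the client-supplied id is checked against the session
    before any data is returned. Where the id is not needed in the URL at all,
    the simpler fix is to look up USERS[request.authenticated_user_id] directly."""
    target = int(request.params["user_id"])
    authorize_owner(request, target)
    return USERS[target]


def cross_user_access_possible(view) -> bool:
    """Regression check for the test suite: can a session for user 1 obtain
    user 2's record by supplying user 2's id? True means the view is broken."""
    probe = Request(authenticated_user_id=1, params={"user_id": "2"})
    try:
        record = view(probe)
    except Forbidden:
        return False
    return record["id"] == 2


if __name__ == "__main__":
    for name, view in [("vulnerable", profile_view_vulnerable),
                       ("hardened", profile_view_hardened)]:
        print(f"{name}: cross-user read possible = {cross_user_access_possible(view)}")
    print(f"denied attempts logged: {len(DENIED_LOG)}")
```

The useful part for a team in the commenter's position is `cross_user_access_possible`: once it is wired into the test suite for every view that takes an object id, the "$30k fix" becomes a one-line check that fails the build, rather than something that has to be rediscovered with a proxy.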