THIS IS WHAT I CALL MASS IDOR
Muhammad Talha A.
Hi, I'm Muhammad Talha, a security researcher from Pakistan. That intro was necessary, though I know you aren't here for my biography.
This happened a while ago, when I found an interesting IDOR in an application.
Let's call the application 'example.com'.
When I opened the application there was no option to sign up with an email or phone number; you could only register by providing an invite code issued by the site owners or administrators.
I noticed there was no rate limiting on the application, so what if I brute-forced the 6-digit invite code? Boring, huh?
But wait, Turbo Intruder is here to help. I picked the 6-digit wordlist from my SecLists folder and started the brute force. It didn't take more than 10 minutes, and Burp's Turbo Intruder gave me 20 to 30 valid invite codes.
I registered a user and logged in. Tried many things but found nothing.
In the response to one request I saw "isAdmin=false". I was like, let's make it true. I tried many things: adding my own parameter, modifying the server's response, changing the admin value to true in the request, etc., but none of it helped.
Then I captured all the requests in Burp again and started analyzing them carefully. After a couple of hours of careful analysis, I found that I had found nothing.
....................
Burnt out, knowing there was something wrong but not able to pick it out, I took a break. After the break I thought for about 15 minutes about what I was missing, and there wasn't anything. Then, after some time, I realized that the only requests I hadn't revisited after logging in were the Sign Up requests.
So let's go there. When I registered again I realized that no invite code was sent in that request, so a user with one invite code can register as many accounts as he/she wants. But I'm not here for that.
I just changed the role to admin and boom!!!!
What??????????? Did you notice "isSuperAdmin" in the response??????
Now there is a superAdmin......!!!
Change the role to superAdmin and................
If you analyze the requests you'll see there are more IDORs here, and yes there are. I found an IDOR that leads to ACCOUNT TAKEOVER OF ALL USERS, and another IDOR that lets you change users' data and then take over the account, because email and password were fields in the request.
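The root cause above is a signup endpoint that trusts whatever the client sends (role, isAdmin, isSuperAdmin) and never checks the invite code. Below is an added example, not code from the original post or the affected application, showing a vulnerable signup handler next to a hardened one; the request body shape, the in-memory user and invite stores, and the sample invite code are assumptions.

```javascript
// Added example (not the original application's code). `body` is the parsed JSON
// signup request; `users` and `invites` are in-memory Maps standing in for a database.

// Vulnerable: spreads every client-supplied field onto the new user, so a request
// carrying "role": "superAdmin" or "isSuperAdmin": true is honoured. It also never
// looks at the invite code, so one code registers unlimited accounts.
function registerVulnerable(body, users) {
  const user = { role: "user", isAdmin: false, isSuperAdmin: false, ...body };
  users.set(user.email, user);
  return user;
}

// Constructed sample invite store: code -> { used }.
const INVITES = new Map([["482913", { used: false }]]);

// Hardened: only allowlisted fields are read from the request, privilege flags are
// set server-side and cannot be overridden, and the invite code must exist, be
// unused, and is consumed on success. (Password hashing is out of scope here.)
function registerHardened(body, users, invites = INVITES) {
  const invite = invites.get(String(body.inviteCode ?? ""));
  if (!invite || invite.used) {
    return { ok: false, error: "invalid or already-used invite code" };
  }
  const { email, password, name } = body;
  if (typeof email !== "string" || typeof password !== "string") {
    return { ok: false, error: "email and password are required" };
  }
  if (users.has(email)) {
    return { ok: false, error: "email already registered" };
  }
  const user = {
    email,
    name: typeof name === "string" ? name : "",
    password,
    role: "user",           // never taken from the client
    isAdmin: false,
    isSuperAdmin: false,
  };
  invite.used = true;       // single-use: a second signup with this code fails
  users.set(email, user);
  return { ok: true, user };
}
```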
If you find this helpful in any way, let me know, so that I have the motivation to write more...................................!!!!!!!!
GOOD Byeeeee!!!!
Ethical Hacker | OSCP+ | OSCP | eWPTXv2 | CEH (MASTER) | CEH | Penetration Tester | Certified AppSec Practitioner |
3 years
Unity (3D&2D Game Developer)|| Bubble.io|| Wordpress & Content Writer||Flutter Full stack Developer
3 years
Everything else aside, did you write all this yourself??
Infosec Professional |Certified in Cybersecurity | Mobile Pentester
3 years
Well done man