How it works...

In this recipe, we first checked the URL of the user's account settings and noticed that the application may distinguish users by a numeric ID. Then, we performed a request to change the user's information and verified the use of numeric identifiers.

Next, we replaced the user ID in the request to see whether the change would affect other users. It turned out that RailsGoat makes a direct object reference to the object that contains the user's information and validates only against the user ID provided in the body of the same request. As a result, an attacker only needs to know the victim's ID to change their information, even the password, which allowed us to log in on their behalf.
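The following added example (plain Ruby, not RailsGoat's own code) models the flaw described above next to a corrected handler. The in-memory store, the method names, and the sample request are constructed for illustration.

```ruby
# Constructed in-memory user store standing in for the users table.
User = Struct.new(:id, :email, :password)

def build_store
  {
    1 => User.new(1, "victim@example.test", "victim-secret"),
    2 => User.new(2, "attacker@example.test", "attacker-secret")
  }
end

ALLOWED_FIELDS = %i[email password].freeze

# Vulnerable pattern: the record to update is selected by the id sent in
# the request body; the authenticated session is never consulted.
def update_vulnerable(store, _session_user_id, params)
  user = store[params[:id]]
  return :not_found unless user
  ALLOWED_FIELDS.each { |f| user[f] = params[f] if params.key?(f) }
  :ok
end

# Hardened pattern: the target is always the session's own user. A body id
# that disagrees with the session is rejected, which also gives the
# application a clear event to log and alert on.
def update_hardened(store, session_user_id, params)
  user = store[session_user_id]
  return :unauthenticated unless user
  return :forbidden if params.key?(:id) && params[:id] != session_user_id
  ALLOWED_FIELDS.each { |f| user[f] = params[f] if params.key?(f) }
  :ok
end

# Constructed request: the session belongs to user 2, the body names user 1.
def demo
  request = { id: 1, password: "changed-by-other-user" }
  vuln_store = build_store
  safe_store = build_store
  {
    vulnerable: [update_vulnerable(vuln_store, 2, request), vuln_store[1].password],
    hardened:   [update_hardened(safe_store, 2, request), safe_store[1].password]
  }
end
```

In a Rails controller the same fix amounts to loading the record from the authenticated session instead of from a client-supplied identifier.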
