Are all stateless authentication systems vulnerable to IDOR?
I have recently been introduced to the Insecure Direct Object Reference vulnerability (https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html) with the example of an attacker copying a known payload from authenticated user 1 to authenticated user 2.
In a traditional session-cookie-based authentication system, I'm not terribly worried (yet!) about full payloads being copied from one already-authenticated user to another already-authenticated user.
But in systems that are stateless, aren't they by definition vulnerable to IDOR? Maybe copy-pasting payloads isn't the best way to demonstrate the issue, but perhaps through storing a JWT in localStorage and then collecting the payload and JWT through XSS?
Indirect Object Reference Maps as a remediation feel like a 'stateful' solution.
Not trying to equate all JWT systems with this example. Just trying to understand, and open to being wrong.
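An added example (not part of the original question) that puts the stateless case side by side with the fix: both handlers accept the same self-contained HMAC-signed token, but only the second one checks that the authenticated subject owns the referenced object. The token format, secret and invoice records are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data for the example: a demo secret and two users' invoices.
SECRET = b"demo-secret-for-example-only"
INVOICES = {101: {"owner": "alice", "total": 42}, 202: {"owner": "bob", "total": 99}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(user: str) -> str:
    """Stateless, JWT-shaped token (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token: str):
    """Return the subject if the signature is valid, else None. No server-side session."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["sub"]


def get_invoice_vulnerable(token: str, invoice_id: int):
    """Authenticates the caller but never asks who owns invoice_id: this is the IDOR."""
    user = verify_token(token)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_fixed(token: str, invoice_id: int):
    """Same stateless token; the ownership check is the fix, and it needs no session store."""
    user = verify_token(token)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return 404, None  # same answer for missing and foreign objects: no existence leak
    return 200, inv
```

The authorization decision depends only on the verified subject and the object's owner, so it works the same whether the identity came from a session lookup or from the token itself.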