"Easiest" Beginner Bugs? Access Control and IDORs

19,065 views

InsiderPhD

1 day ago

Whenever someone asks what bug they should look for, I always say IDORs/access control issues, particularly across large enterprise-level apps (think Atlassian) where you have complex access control rules. While these bugs don't require advanced technical skills, they do require a lot of manual testing, but when you're still looking for your first bug you have a lot of time.
This series couldn't happen without the support of our sponsor Bugcrowd. Bugcrowd is the best place to start hacking, with a wide range of public and private programs from APIs to desktop applications and everything in between. Not ready to jump into a public program yet? Fill out your platform CV and sign up for a waitlisted program. Tell Bugcrowd a bit about your skills, previous certifications or experience and they'll match you up with the right program using their industry-leading CrowdMatch technology. Whatever your level, there's a place for you in the crowd. You can sign up with my link here: bugcrowd.com/user/sign_up.
- Social Media -
Discord: insiderphd.dev/discord
Patreon: / insiderphd
Twitter: / insiderphd

Comments: 60
@firosiam7786 1 year ago
Wow, this took like forever to come out, glad it came.
@V.WalkingTours 19 days ago
Hi Kattie! I watch a lot of your videos and I keep watching them and learning! I don't know if I this video, but I came here to tell you that I found my first IDOR and it looks quite serious because I can log in to other users' accounts too! Thank you so much for your content, and this course is great!
@tobihier 1 year ago
I sincerely hope you know how much your videos are helping me on my journey. Thank you 🙏
@cesarconterno4962 6 months ago
Huge thanks for the awesome video walkthrough on bug bounty hunting and access control! It was seriously eye-opening, and I learned so much from your clear explanations and practical example.
@flintstones6728 1 year ago
Today is a beautiful holiday. And the second thing is the expected video, thank you very much ❤❤❤❤❤❤
@SantiagoARosas 1 year ago
I just started in this career. A few days ago the magic of the algorithm put your awesome content in front of me. Thanks for sharing 💚 Greetings
@friend-el3fc 28 days ago
Literally you are the best!! Please keep on posting Bug Bounty videos
@taiwomiracleveecthor2617 1 year ago
Thank you Ma for the update
@JohnJohn-sf1df 1 year ago
Keep the Bug Bounty videos coming!
@The_reaperBH 2 months ago
Busted!!! 🔥🔥🔥 Looking for more videos like this 🔥🔥🔥🔥
@Makingmoneyonli 5 months ago
Great content, thank you for all these videos, they really helped me through my journey
@katwitt95 2 months ago
Thank you so much for this video!!
@nazneenzafar743 1 year ago
Thanks for this lecture. I was learning about IDOR from PortSwigger, but your video explainer has really helped me understand why IDORs exist in the first place. Maybe my next bounty will come from an IDOR.
@SyedImran-qf1eh 1 year ago
Hello Zafar, can we find them through a mobile phone?
@nazneenzafar743 1 year ago
@SyedImran-qf1eh I am not sure; I only do bug hunting through my laptop, which has Kali Linux installed.
@SyedImran-qf1eh 1 year ago
Okay, how do we find them through Kali Linux? I heard that we need the Burp Suite software to find vulnerabilities.
@nazneenzafar743 1 year ago
@SyedImran-qf1eh This channel has already made good videos on how to use Burp Suite. kzfaq.info/get/bejne/i82SjNKrrpqXZoE.html
@amoh96 1 year ago
Hello, how can I contact you? I'm a beginner, I have a lot of questions; if you answer me I'll be happy. Thank you, brother
@shuvonsec 1 year ago
This video is very useful for me.. 💗 Please complete this bug bounty hunting course.
@tobysonline4356 1 year ago
I can’t thank you enough for these!
@nazneenzafar743 1 year ago
I like how the database at 7:22 has a customer table with characters from The Simpsons, Futurama and Family Guy.
@ismailachabi8627 1 year ago
Thank you so much
@AliIssa1 1 year ago
Really awesome content! I am currently working on a video explaining IDOR and showing how we can find these types of vulnerabilities using Autorize. Do you use Autorize? I find it really useful.
@InsiderPhD 1 year ago
I do! I actually made a video about it. I wish they fixed the bad UI though, it's super confusing for beginners
@bitdetaglobal 1 year ago
Thank you
@HEXiT_ 1 year ago
Thanks
@joaopaulogv 2 months ago
Thank you so much for this great content! Do companies pay bug bounties for discoveries like ID database exposure? Like the example you have around ID (12) and the UUID as key id to look for data in the database.
@InsiderPhD 2 months ago
Not usually, but if you find an IDOR on an app that uses UUIDs you can boost the severity
@rb-py5cv 1 year ago
Thank you ma'am, please share the videos as early as possible so we can follow in a certain time, because some videos have gaps of many days
@InsiderPhD 1 year ago
Yeah, sorry about that. Videos have to go through my own editing, plus Bugcrowd's review, and since we're in Australia the US and UK timezones don't always quite match up for weekend releases!
@VasheshJ 1 year ago
Thanks for this lecture, although I had a question. This attack scenario relies on an attacker being able to retrieve the victim's "Session Key" value. If we are not able to get the session key, then it is not a vulnerability, right?
@InsiderPhD 1 year ago
Afraid not. Your best bet is to see if you can do some cross-user interaction (do something on account A when using account B's session) or generate a session for any user
@quanghuyang2822 9 months ago
Hi, I'm new to the world of security administration, and I was hoping to get some guidance from someone with your expertise. Do you have any advice on mapping out a career path in this area?
@mohamedyousry9374 6 months ago
The video is truly awesome! In the 'Account Containers' section, you mentioned that you'll provide a method in the description to match the Burp Suite pad with the Firefox Multi-Account Containers. Could you please share the details? Thanks in advance!
@InsiderPhD 5 months ago
"PwnFox" full video should be out in a week or so :)
@badxcode 1 year ago
Are IDOR and BOLA the same thing? If not, what's the difference between them? While showing IDOR, the user was accessing another user's document at 5:40; while discussing BOLA at 8:30, it sounded like the same thing. Can anybody explain it further?
@chabuhi 1 year ago
IDOR and BOLA are the same.
@badxcode 1 year ago
@chabuhi Yeah, I googled it and found similar answers. Thanks buddy.
@ENGCYVyasaRaj 1 year ago
Thanks for this content, I found a bug and reported it, my job is done
@itinsider22 11 months ago
Hi! At 18:22, how does changing the cookie to another user's and getting his access count as a vulnerability?? I think it is normal cookie behaviour because it is used to identify the user... I reported that type of report but it was rejected...
@InsiderPhD 11 months ago
Because we are using the cookies of account A to affect account B, it's the ability to change a resource owned by another user. If you're using the cookies of A and affecting resources owned by that user, it's not a vulnerability, which is why your report was rejected. We change the cookies because it's easier than logging out of one account and logging in to another for every single endpoint
@ByteHax_ 1 year ago
Love from India, sister ❤❤❤
@DJUNOS 1 year ago
Love your British accent
@learn-with-noob-007 1 year ago
I'm first 😂❤ Love your content 😊
@hrishikeshdahale4640 1 year ago
Aww, I was just 5 min late
@mamunwhh 8 months ago
You change A's cookie to B's cookie. But how does the attacker find the victim user's cookies? Please reply. Thanks ❤
@InsiderPhD 8 months ago
You don't: all you're doing is simulating logging into another account and performing actions on the first account. You don't need A's cookies to affect account A.
@ENGCYVyasaRaj 8 months ago
@InsiderPhD Then this is not access control, because there is no security impact on the account without knowing their credentials; how do you get their session key?
@ajp2279 1 year ago
If the access control manufacturer is known you can just look up the engineer code and you're in.
@SyedImran-qf1eh 1 year ago
Hello ma'am, I don't have a laptop or computer. So how can I hack through a phone? Can you please give me advice. And how can we find secret leaks on GitHub? Please give me some suggestions.
@InsiderPhD 1 year ago
For GitHub secrets there's a tool called trufflehog which can do it for you. How to use your phone, I am not an expert, but a lot of people recommend Google dorking; you'll probably get more luck on Twitter :)
@SyedImran-qf1eh 1 year ago
@InsiderPhD Thanks for replying.
@hunterone7072 1 year ago
How does user B find user A's job request? How is it possible?? 🙄
@InsiderPhD 1 year ago
You create both users :), it simulates you knowing the request + any parameters but being able to affect another account
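The cross-account test InsiderPhD describes in the replies above (use the session of account A on a resource that belongs to account B, where both accounts are ones you created yourself, so no victim cookie is ever needed) is illustrated below with an added Python example that is not from the video or the channel. It shows a document endpoint that authenticates the caller but never authorises the lookup (the IDOR), the same endpoint with an ownership check, and a function that replays a request for the other account's document under your own session and reports whether the access control held. The users, session cookie values, document ids and document bodies are constructed for the demo.

```python
"""Added example, not from the video: an IDOR on a document endpoint, the
ownership check that fixes it, and the cross-account check from the replies
above. All users, sessions, ids and bodies below are constructed."""
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two users we control, one document each, one
# session cookie each. In a real test both accounts are yours.
DOCUMENTS = {
    12: Document(12, "alice", "alice's private notes"),
    13: Document(13, "bob", "bob's private notes"),
}
SESSIONS = {"sess-A": "alice", "sess-B": "bob"}  # session cookie -> user


def user_from_session(session_cookie):
    """Authentication only: resolve the session cookie to a user, or None."""
    return SESSIONS.get(session_cookie)


def get_document_vulnerable(session_cookie, doc_id):
    """Authenticates the caller but never asks who owns doc_id: an IDOR.
    Returns (status, body)."""
    user = user_from_session(session_cookie)
    if user is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc.body


def get_document_fixed(session_cookie, doc_id):
    """Same lookup, plus authorisation: the document must belong to the caller.
    The check is on ownership, not on the id being hard to guess, so it holds
    whether ids are sequential integers or UUIDs."""
    user = user_from_session(session_cookie)
    if user is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    # Answer 404 for both "missing" and "not yours" so the response does not
    # confirm that another user's document id exists.
    if doc is None or doc.owner != user:
        return 404, None
    return 200, doc.body


def cross_account_check(handler, own_session, other_doc_id):
    """The test from the comments: replay the request for the other account's
    document using our own session cookie. True means the endpoint served it,
    i.e. the access control is broken; False means it was refused."""
    status, body = handler(own_session, other_doc_id)
    return status == 200 and body is not None


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_document_vulnerable),
                          ("fixed", get_document_fixed)):
        leaked = cross_account_check(handler, "sess-A", 13)
        print(f"{name}: alice's session reading bob's document 13 -> "
              f"{'LEAK' if leaked else 'refused'}")
```

Run it and the vulnerable handler hands alice bob's document while the fixed one answers 404; the same `cross_account_check` call is the manual step repeated per endpoint in the video, which is why swapping the session cookie in the proxy is quicker than logging in and out.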
@ReligionAndMaterialismDebunked 1 year ago
Pokémon! Hehe. #90sKidHere.
@ReligionAndMaterialismDebunked 1 year ago
Early 🔥🤝
@medogamer8524 10 months ago
I'm definitely marrying someone with the same accent that you have
@ChineseRatfaceCHANG 1 month ago
Just a heads up, there's almost no work in this field, and if you haven't been doing this stuff since 16 or younger you'll be lacking skills against other candidates. CS degree + multiple pentesting certifications doesn't help anymore