#NahamCon2024

Views: 5,186

NahamSec

1 month ago

LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍
In the talk "GraphQL is the New PHP," we dive into how to find bugs in GraphQL, similar to early PHP days. It's all about sharing tips and tricks for bug bounty hunters to spot security issues. This talk is like a collection of what I've learned, the mistakes I made, and some wins along the way.
📚 If you want to learn bug bounty hunting from me: bugbounty.nahamsec.training
💻 If you want to practice some of my free labs and challenges: app.hacking.hub.io
🔗 LINKS:
📖 MY FAVORITE BOOKS:
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities -amzn.to/3Re8Pa2
Hacking APIs: Breaking Web Application Programming Interfaces - amzn.to/45g4bOr
Black Hat GraphQL: Attacking Next Generation APIs - amzn.to/455F9l3
🍿 WATCH NEXT:
If I Started Bug Bounty Hunting in 2024, I'd Do this - • If I Started Bug Bount...
2023 How to Bug Bounty - • How to Bug Bounty in 2023
Bug Bounty Hunting Full Time - youtu.be/watch?v=ukb79vAgRiY
Hacking An Online Casino - youtu.be/watch?v=2eIDxVrk4a8
WebApp Pentesting/Hacking Roadmap - youtu.be/watch?v=doFo0I_KU0o
MY OTHER SOCIALS:
🌍 My website - www.nahamsec.com/
👨‍💻 My free labs - app.hackinghub.io/
🐦 Twitter - / nahamsec
📸 Instagram - / nahamsec
👨‍💻 Linkedin - / nahamsec
WHO AM I?
If we haven't met before, hey 👋! I'm Ben; most people know me online as NahamSec. I'm a hacker turned content creator. Through my videos on this channel, I share my experience as a top hacker and bug bounty hunter to help you become a better and more efficient hacker.
FYI: Some of the links I have in the description are affiliate links that I get a percentage from.

Comments: 23
@joy3658 1 month ago
It's 3.55 I am on now. Just awesome and great talk. Keep up the great work, Ben! You are giving gems to the community. Thanks man.
@detecht 1 month ago
That was super cool. Amazing work, Lupin. And the presentation was awesome. Thank you, Nahamsec!
@1ko9 1 month ago
Thank you Lupin for this great presentation and Ben for sharing these great presentations with us!
@alientec258 29 days ago
Thank you so much Lupin for this awesome presentation. Ben, thx for sharing, grateful for it my friend.
@harshil. 29 days ago
Amazing presentation, whoever does the marketing/graphic design for Lupin is the 🐐
@zzzzzzzzZzZZzzzaZzz 29 days ago
That was a pretty cool finding! Especially the widespread vuln sounds interesting.
@MarkFoudy 1 month ago
Thank you, Ben!
@crusader_ 1 month ago
The slides are very fun to watch
@breakoutgaffe4027 1 month ago
Great talk!
@crusader_ 1 month ago
Hell yeah
@123454321pavel 1 month ago
What was the impact of the last vulnerability? Attacker could brute-force secrets of users via CSRF?
@jannmoon 19 days ago
This is a good dude 🥂
@KarahannAe 26 days ago
11:06 this tool sounds really useful. Is there a link for it?
@normalitee0os 21 days ago
How exactly is the SOP bypassed in the last vulnerability?
@Test-ny6uh 1 month ago
#NahamCon2024
@cowid 15 days ago
SOP doesn't allow you to send requests cross-sites. In SOP there is the letter O, which stands for Origin. An origin is not a site; those are two different concepts. And by definition, SOP does not protect from CSRF. It protects from COW (Cross Origin Writes). I like the energy and the enthusiasm, we need that in the field, but if you want to present something and don't want to sound like you don't know what you're talking about, I would suggest you do your homework before. Thank you for sharing anyway.
@baraamansi7637 14 days ago
Actually he is right. If the content-type was application/json, this would be considered a non-simple request for the browser and would require a preflight request, which would block the XS-search (GET-based CSRF) request because it's not a trusted origin.
@cowid 13 days ago
@@baraamansi7637 Re-read my comment, thank you.
@baraamansi7637 13 days ago
@@cowid I'm aware of my comment, bro. If there is anything wrong with his concepts then you can mention the timeline and explain your opinion; otherwise I'm not seeing what you are pointing at.
@cowid 12 days ago
@@baraamansi7637 I'm not your bro son, for one thing. Secondly, it's not a coNcEpT problem. It's a terminology problem. Words and acronyms have meaning. Throwing a bunch of acronyms around without understanding what they entail makes you sound like someone who doesn't fucking know what you're talking about. For the timeline, you can refer to the entire video that is pretty much glib the entire time. To answer specifically your question, 20 mins mark: "...authorized by the same origin policy to be sent cross-site". SOP doesn't allow or prevent from accessing resources cross sites. Again, re-read my first comment. Sites and origins are two different things. We can go on all day like that, bro.
@baraamansi7637 12 days ago
@@cowid Take it easy man, it's not that massive a problem if he made a little mistake. As long as the concepts are valid and there is benefit, it's totally fine to share; we are not perfect. Secondly, there is no need for the aggressive attitude brooo, LOL
@trustedsecurity6039 1 month ago
With all the ads around I've vomited... After a few minutes go full screen... I don't even understand why sponsors are needed on a Twitch stream but meh
@user-dr9in3hw2e 28 days ago
Nice bro...@Nahamsec keep it up