In part 3 of this series, we combine what we learned in the previous videos to build a cohesive methodology to hunt for IDORs and Access Control Violations on complex attack vectors with multiple layers of validation.
We also explore testing on a desktop application, as well as through a WebSocket connection, for added complexity.
00:00 - Introduction
00:52 - Review IDORs & Access Control Violations
04:28 - Bug Bounty Hunting on Desktop Apps
06:08 - Complexity & Tech Debt = Bugs
09:09 - WebSockets: What, Why, & How?
12:53 - Shut Up and Hunt!
13:23 - Setting Up Burp Suite
16:50 - Routing the Windows OS Proxy Through Burp Suite
18:16 - Downloading the Figma Desktop App
19:20 - Installing the Figma Desktop App
22:50 - Differences Between Desktop App & Browser App
24:41 - Notes are Mandatory
25:39 - Registering Our First User Account
28:32 - Exploring the Figma Application
34:14 - Creating New Teams in Figma
37:53 - Visualizing the Application in XMind
41:48 - Logging Into the Desktop Application
44:00 - Inviting Users to Our Teams
51:51 - A Quick Tip About postMessage [@r00tdaddy|@pashakenobi|@liardom]
52:20 - Updating Our Notes
54:30 - Finding Application Boundaries to Test
58:25 - Creating New Projects in Figma
1:05:23 - Creating New Files in Figma
1:08:29 - Identifying Objects for IDORs
1:10:30 - Identifying Mechanisms for Access Control Violations
1:20:25 - Testing Our First Attack Vectors
1:26:13 - Testing Differences Between Desktop App & Browser
1:31:16 - Reducing the HTTP Request
1:35:10 - Four IDOR Attack Vectors in One Request?!
1:41:00 - Testing Combinations of Attack Vectors
1:50:10 - Identifying Mass Assignment in the Figma API
1:56:00 - Finding Attack Vectors for RBAC Testing
1:59:18 - Testing Differences Between Desktop App & Browser
2:02:51 - Testing Multiple Application Boundaries in One Request
2:08:33 - Finding Unique Identifiers for Team Objects
2:13:30 - Testing Boundary 1: IDOR
2:28:25 - Identifying Validation Patterns
2:36:43 - Testing Boundary 2: RBAC
2:44:45 - Finding Valuable Attack Vectors (VAVs)
2:53:17 - Testing VAV1: Moving a File to Project
3:03:38 - Testing VAV2: Adding a User to a Project
3:35:14 - Access Control Testing Desktop Endpoint In Browser
3:45:48 - IDOR Testing in WebSockets
3:59:17 - What is the Purpose of These Videos???
4:02:10 - Summary of What We Learned
Hire Me! - ars0nsecurity.com
Watch Live! - / rs0n_live
Free Tools! - github.com/R-s0n
Connect! - / harrison-richardson-ci...