Really awesome content! I am currently working on a video explaining IDOR and showing how we can find these types of vulnerabilities using Autorize. Do you use Autorize? I find it really useful.
Thank you so much for this great content! Do companies pay bug bounties for discoveries like database ID exposure? Like the example you have around ID (12) and the UUID as key ID to look for data in the database.
Are IDOR and BOLA the same thing? If not, what's the difference between them? While showing IDOR, the user was accessing another user's document at 5:40, while discussing BOLA at 8:30, it sounded like the same thing. Can anybody explain it further?
Thanks for this lecture, although I had a question. This attack scenario relies on an attacker being able to retrieve the victim's "Session Key" value. If we are not able to get the session key, then it is not a vulnerability, right?
Afraid not, your best bet is to see if you can do some cross-user interaction (do something on account A when using account B's session) or generate a session for any user
Hi, I'm new to the world of security administration, and I was hoping to get some guidance from someone with your expertise. Do you have any advice on mapping out a career path in this area?
You don't: all you're doing is simulating logging into another account and performing actions on the first account. You don't need A's cookies to affect account A.
@InsiderPhD then this is not an access control issue because there is no security impact on the account without knowing their credentials; how do you get their session key?
Hello Ma'am, I don't have a laptop or computer. So how can I hack through a phone? Can you please give me advice? And how can we find secret leaks on GitHub? Please give me some suggestions.
GitHub secrets: there's a tool called trufflehog which can do it for you. How to use your phone: I am not an expert, but a lot of people recommend Google dorking; you'll probably get more luck on Twitter :)
Huge thanks for the awesome video walkthrough on bug bounty hunting and access control! It was seriously eye-opening, and I learned so much from your clear explanations and practical example.
Thanks for this lecture, I was learning about IDOR from PortSwigger but your video explainer really has helped me understand why IDOR exists in the first place. Maybe my next bounty will come from IDOR.
Yeah, sorry about that; videos have to go through my own editing, plus Bugcrowd's review, and since we're in Australia, the US and UK timezones don't always quite match up for weekend releases!
Hi Katie! I watch a lot of your videos and I keep watching them and learning! I don't know if i this video, but I came here to tell you that I found my first IDOR and it looks quite serious because I can log in to other users' accounts too! Thank you so much for your content, and this course is great!
Hi! At 18:22, how is changing the cookie to another user's and getting his access a vulnerability?? I think it is normal cookie behaviour because it is used to identify the user... I reported that type of report but it was rejected...
Because we are using the cookies of account A to affect account B, it's the ability to change a resource owned by another user. If you're using the cookies of A and affecting resources owned by that user, it's not a vulnerability, which is why your report was rejected. We change the cookies because it's easier than logging out of one account and logging in to another for every single endpoint.
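The cross-user check described in the reply above, written out as an added example (not code from the video or the commenter): a toy document endpoint in two variants, one that only authenticates the cookie (the missing ownership check that makes an IDOR) and one that also checks ownership, plus a regression check that asks whether account A's session can reach account B's document. Session cookies, user names and document IDs are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Doc:
    doc_id: int
    owner: str
    body: str

# Constructed sample data: cookie -> user, and the documents each user owns.
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}
DOCS = {
    12: Doc(12, "alice", "alice's notes"),
    13: Doc(13, "bob", "bob's notes"),
}

def get_doc_vulnerable(session_cookie, doc_id):
    """Authenticates the cookie but never checks who owns the document (IDOR/BOLA)."""
    if session_cookie not in SESSIONS:
        raise PermissionError("not logged in")
    return DOCS[doc_id].body

def get_doc_fixed(session_cookie, doc_id):
    """Same endpoint with an ownership check tied to the session's user."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        raise PermissionError("not logged in")
    doc = DOCS.get(doc_id)
    # Same 404 for 'missing' and 'not yours', so callers can't tell which ids exist.
    if doc is None or doc.owner != user:
        raise LookupError("not found")
    return doc.body

def cross_user_check(handler):
    """Regression test for the pattern in the reply: use A's cookie against B's resource.

    Returns True when the handler is safe (A's own document still works, B's is refused)."""
    if handler("sess-a", 12) != "alice's notes":
        return False          # broke legitimate access; that is a bug too
    try:
        handler("sess-a", 13)
    except (PermissionError, LookupError):
        return True
    return False              # A's session read B's document: IDOR

if __name__ == "__main__":
    print("vulnerable handler safe?", cross_user_check(get_doc_vulnerable))
    print("fixed handler safe?", cross_user_check(get_doc_fixed))
```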
The video is truly awesome! In the 'Account Containers' section, you mentioned that you'll provide a method in the description to match the Burp Suite pad with the Firefox Multi-Account Containers. Could you please share the details? Thanks in advance!