
Finding Your First Bug: Manual IDOR Hunting 

InsiderPhD

Hi everyone, welcome to the third video in the "Finding Your First Bug" series. In this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out, and finally do a practical example with Burp on a real target.
In this video we'll be talking about IDORs (Insecure Direct Object Reference), which is a fancy term for 'the application didn't authenticate an endpoint correctly'. These are great first bugs: they don't require any technical knowledge and you can just use Burp to find them.
0:00 - Theory: what is an IDOR and how to find them
8:21 - Case studies: 7 examples of IDORs which have paid out
27:28 - Practical Burp: Looking at the Hacker101 CTF level "postbook"
-- Case Studies --
- Response program can create bounty table - $500: hackerone.com/reports/460920
- [IDOR] Deleting other people's tasks - $300: hackerone.com/reports/293845
- IDOR bug to See hidden slowvote of any user even when you dont have access right - $300: hackerone.com/reports/661978
- Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts - $1,500: hackerone.com/reports/320173 and www.jonbottarini.com/2018/01/...
- Replace other user files in Inbox messages - $1,000: hackerone.com/reports/322661
- Low Privileged user able to add new Geographical settings to the Admin account. - $750: hackerone.com/reports/420130
- Validation message in Bounty award endpoint can be used to determine program balances - $1,500: hackerone.com/reports/293299
- IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users - $10,500: hackerone.com/reports/415081
-- You Should Also Watch --
Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - STÖK - • Burp Suite tutorial: I...
-- Social Media --
- Twitter: / insiderphd
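An added example, not code from the video or from the Hacker101 postbook level: a toy post-lookup endpoint of the kind the description talks about, once with only a login check (the IDOR) and once with the ownership check the fix needs, plus the cross-session replay check that a tester, or an access-control regression test, uses to tell them apart. The post data and session cookies are constructed.

```python
# Added example (not the video's or Hacker101's code): a toy "postbook"-style
# post-lookup endpoint, vulnerable and fixed, plus a cross-session replay check.

# Constructed sample data: posts keyed by numeric ID, each owned by one user.
POSTS = {
    1: {"owner": "alice", "body": "alice's private note"},
    2: {"owner": "bob", "body": "bob's private note"},
}
# Constructed session table: cookie value -> logged-in username.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def authenticate(cookie):
    """Return the username behind a session cookie, or None if not logged in."""
    return SESSIONS.get(cookie)


def get_post_vulnerable(cookie, post_id):
    """Checks that the caller is logged in but never checks who owns the post.
    Any authenticated user can read any post just by changing the ID (IDOR)."""
    if authenticate(cookie) is None:
        return 401, None
    post = POSTS.get(post_id)
    if post is None:
        return 404, None
    return 200, post["body"]


def get_post_fixed(cookie, post_id):
    """Same endpoint with the missing authorization check: caller must own it."""
    user = authenticate(cookie)
    if user is None:
        return 401, None
    post = POSTS.get(post_id)
    if post is None or post["owner"] != user:
        # Returning 404 rather than 403 avoids confirming that the ID exists.
        return 404, None
    return 200, post["body"]


def cross_user_check(handler, owner_cookie, other_cookie, post_id):
    """Replay the owner's request under a second user's session (what tools
    like Autorize automate). True means the other session was served the
    same object, i.e. the endpoint is missing its ownership check."""
    owner_resp = handler(owner_cookie, post_id)
    other_resp = handler(other_cookie, post_id)
    return owner_resp[0] == 200 and other_resp == owner_resp


if __name__ == "__main__":
    print("vulnerable leaks:", cross_user_check(get_post_vulnerable, "sess-alice", "sess-bob", 1))
    print("fixed leaks:", cross_user_check(get_post_fixed, "sess-alice", "sess-bob", 1))
```

The same replay check applied to a real target is the "replace the cookies with a lower-permission user's" step from the comments, and in a test suite it is the assertion that should fail whenever a handler forgets its ownership check.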

Published: 29 Jul 2024

Comments: 87
@ark3r745 4 years ago
The best and most honest bug bounty hunter in the sec community, you have no idea about the help that you are doing to others .... thanks a lot
@ggmaxx66 3 years ago
"populate burp with admin endpoints then hit them all as a user..." a golden nugget for me, thanks!
@bobmatley6138 3 years ago
Your videos actually explain hacking in the purest and most direct way! I am learning so much! I plan to literally memorise all your videos!
@encodedguy9182 4 years ago
Thank you so much. I heard about IDOR somewhere but didn't understand it at that time. By watching your video it is so much clearer to me now. Thank you so much
@myname-mz3lo 3 years ago
You explain things so well and are very thoughtful of what it's like to be a beginner, thank you
@eed5278 4 years ago
You're amazing. Thanks for contributing to the community, I hope to be able to do the same one day :)
@InsiderPhD 4 years ago
Please do! It's all I ask of my viewers who enjoy my content: please contribute back to the community by sharing resources, talking to other newbie hackers, writing up interesting things they've found or even re-explaining a resource for humans. There's a lot someone can contribute even if they haven't found their first bug yet.
@yodamaxwell 2 years ago
Thank you very much for the explanation, keep up the good work!
@StefanRows 4 years ago
Great explanation Katie! Thanks!
@trieulieuf9 4 years ago
Me when submitting a report: write everything carefully, double check, accept my report please. The guy at 13:03: Fix this!
@cyberpirate007 3 years ago
Why did you delete your h1 account??
@trieulieuf9 3 years ago
@cyberpirate007 No, I am still here, hackerone.com/trieulieuf9?type=user
@lilp4p1 4 years ago
Really good practical demo tbh, even if it's a CTF I do find it very instructive
@aashikyadav4439 4 years ago
IDOR = Insecure Direct Object Reference, which tells you fucking nothing. Your voice is amazing, I'm loving it and you are doing great. Thank you for this.
@mohitnegi552 3 years ago
Amazing video for bug hunters, thank you so much
@abj1985 2 years ago
Very nicely explained. Thank you.
@regulator5 4 years ago
Very helpful. Keep making videos, please.
@helalsadat2077 18 days ago
I watched this video one and a half months ago and I was able to identify a function prone to IDOR. I spent 20 days on that function and in the end I was able to bypass the access controls and view invoices, billing addresses and finance records. My report is triaged and waiting for bounty. Thank you, this video really gave me an idea where to look for IDORs :) But now I am watching it again since I started API hacking and I hope I will learn something new again in this video about API hacking
@rajatdutta8365 3 years ago
Nice explanation, really appreciate it. Thanks again
@anujpatel1654 3 years ago
I am going to watch every single video on your channel
@m.alaiady3627 4 years ago
I really was confused about this IDOR term, but after watching this video it really helped me a lot and it satisfied my points.. thanks again 🙏🏻
@droidhackerr 3 years ago
You are the first and best 🖤💯
@chrisMa001 3 years ago
Thank you for the great content. I am a beginner and would like to know how to create a working PoC to demonstrate how an attacker would use the IDOR vulnerability to attack? Thank you
@ihebhamad1477 9 days ago
Thank you for this great explanation
@cutyoursoul4398 3 years ago
Super useful video, thanks
@justtsanjint626 4 years ago
Thank you for the video
@Mike-vq7hl 3 years ago
Thank you for your work
@jadigger8695 3 years ago
Ohhh mike 069 * _ *
@Agung-yk7hr 4 years ago
Your video is very easy to understand, can you upload more videos 😁😁
@olivia7988 4 years ago
Very useful!! Thanks
@nornsalon3646 4 years ago
You're the best!
@santiagosurt3825 1 year ago
I'm a noobie and this video is amazing for people like me, thanks!
@benasin1724 4 years ago
Great video
@opeyemei6011 4 years ago
This is good.. thanks
@theodorpapa4710 1 year ago
Really nice video, I'm 15 and trying to learn BBH, especially IDORs. Nice video
@alexnieto3136 4 years ago
This is one of the finest videos I have seen on this matter. I have a question: do you think that when pentesting Android apps through the Google Play program it is valid for bounty to find IDORs in the endpoints that the Android app uses (not in the Android code itself)?
@InsiderPhD 4 years ago
This is debatable, some programs will count that as the Android app and some as the API. If the Android app is in scope without excluding the API I would say that it is valid. I think it's a great easy way to get into Android pentesting though! You can definitely find some low hanging fruit bugs!
@AndrejMoharWeb 4 years ago
Hello! Thank you so much for so many great videos. I especially like how all of them are geared towards becoming a real professional in the field. I do have a question, though: I've heard in your videos (and many others, like Stok's) that you mention using privileged (and unprivileged) accounts, alongside being signed out. I was wondering how bug hunters usually get a privileged account, seeing as you usually can't just create one (you can usually create just an unprivileged user account). Does that mean only on programs that support that, or is there usually a possibility to contact them and get a test high privilege account? Thanks!
@InsiderPhD 4 years ago
Yeah you're correct, when we say that we're talking about applications with permission levels that we can access, so on an app like WordPress we have access to admin, user, guest by creating our own blogs, but for something like email we only have access to a user, so that's all we can test.
@bugsbunny6286 4 years ago
Any tool to easily guess these different ID parameter variables?
@rushic24 4 years ago
OMG you're the best, can you please make an OWASP top 10 hunting video.
@InsiderPhD 4 years ago
Soooooon(tm)
@Nick-cy2qd 3 years ago
If you (Burp actually) find "password in the URL" of a GET, is that a type of IDOR and how do I proceed?
@ahmed_gamal2006 4 years ago
You are amazing, your videos are really helping me. Just one question: what do you mean by "find endpoint"? Thank you.
@InsiderPhD 4 years ago
An endpoint is just a URL which does something on a web app, like if you have mywebsite.com/users/changeProfilePicture which changes the profile picture, that's an endpoint. When I say find them I mean do things on the application to fill up Burp with lots of URLs until you find something with an ID!
@ahmed_gamal2006 4 years ago
@InsiderPhD Thank you for the reply
@steev910 4 years ago
ohhh thank you so
@almmathis 4 years ago
I became WAY more interested once she started cussing. My attention was fading...and the keywords popped me right back in!
@InsiderPhD 4 years ago
LMAO! I'll have to start swearing more!
@almmathis 4 years ago
@InsiderPhD On a serious note, I have watched most of your videos at this point! Really good content, likes and subs from me!
@sarahconnorh4609 2 years ago
I have been looking for IDORs for days now but couldn't find at least one very low... Any idea what I'm doing wrong?
@hossamshady1383 5 months ago
you are great
@nikhilmaan9498 2 years ago
Thank you so much, I found my first bug
@bobmatley6138 3 years ago
With IDORs, the entry point for IDORs can be used for other injection attacks. If an IDOR was a UID0=, and the UID was querying the users DB, then can you launch other injection attacks, like SQL injection or stored XSS?
@InsiderPhD 3 years ago
Yup, absolutely, this is actually something in the OWASP top 10, as often they aren't sanitised properly :)
@tommysuriel 4 years ago
I've been bug hunting for like a month now, I've been looking for IDORs, CSRFs, XSS, HTML injection, open redirects. I can't find any websites (domains and subdomains) on H1 or Bugcrowd vulnerable to these vulnerabilities. I admit though for XSS I only know the basics and how to use a payload list in Burp Suite. But still I can't find anything. Any tips? Should I focus on the more advanced ones like RCE and SQL injection?
@InsiderPhD 4 years ago
I think you just need to keep at it, I know it's frustrating but they are there. Maybe look into a less crowded space like mobile? Might be worth a shot. Ignore SQL injection and RCEs, you won't find one, they are for people with years of security experience. My top pieces of advice: 1) make sure you check everything, like even endpoints which may not be particularly useful; 2) focus on bugs which can generate impact and be constantly on the lookout for them; 3) cast a wide net, and keep trying; if you find public programs too difficult get invites to private programs via stuff like the Hacker101 CTF; 4) find a niche, maybe learn mobile stuff, maybe go deep into learning a ton about APIs; 5) keep trying! Bug hunting is harder than it looks but you will get there if you try
@tommysuriel 4 years ago
@InsiderPhD Thank you so much, and thanks for your videos
@fuckitimsayingit3335 4 years ago
It takes time to find your first one! It gets easier though, the best thing you can do is keep trying.
@baravind719 4 years ago
Need that doc
@mooreprr8067 2 years ago
You are fucking amazing! Sending all positive vibrations your way :)
@BearMeOut 4 years ago
Maybe other people will be successful bug hunters in the future after watching the video. If it was me, after I got my first $10k from bounty, I'm gonna donate back to many educational YouTubers who put up free stuff like this. If you don't feel okay taking Patreon money, maybe put a link to a charity organization that you like. Thanks for doing this! Looking forward to more videos!
@InsiderPhD 4 years ago
I only ask that people pay it forward: write about a bug you find, get involved in the community, help purchase learning materials for others, mentor someone, give out some tips on Twitter. I'm far more interested in people helping others to learn and join this community than money!
@w0lverinew0lverine19 4 years ago
You are amazing, great content. How can I contact you?
@mubashirparay545 4 years ago
Very good content, I am glad to find such content. THANKS!! Ma'am. One thing, why are you exhaling so heavily sometimes? Is it the excitement of capturing the flag or some other issue?
@InsiderPhD 4 years ago
Haha, I'm just asthmatic and a bit nervous when I make videos!
@rawkstar952 3 years ago
Hello Katie. Is Intigriti limited to European hackers only?
@InsiderPhD 3 years ago
Nope! It's just that they focus on European hackers! You can hack on any platform from anywhere :)
@rawkstar952 3 years ago
@InsiderPhD Thank you so much. By the way, I'm currently on Intigriti and trying to find an info disclosure whilst watching your tips and tricks on how to do so. Good luck to me!
@swaysthinking838 4 years ago
Can anyone explain to me easily what she means when she's talking about endpoints? Thanks. 7:41
@InsiderPhD 4 years ago
Endpoint just means a webpage you can send stuff to. So what I'm saying is if you see something in Burp like /pages/admin/createPost you should replace the cookies of an admin user with those of lower permission users, e.g. a guest user. I hope this helps!
@swaysthinking838 4 years ago
@InsiderPhD So you mean when we are in some sort of admin endpoint, replacing the admin's cookies with a lower permission user's cookies (for example, session ID) is an example of IDOR?
@syedumararfeen8146 4 years ago
The word should be Authorization rather than authentication for IDORs. Other than that, nice video.
@InsiderPhD 4 years ago
Thank you for the correction!
@muhammadhaleemkhan4186 4 years ago
What are endpoints? I'm really confused
@InsiderPhD 4 years ago
'Endpoints' are the final URL that you access. So www.mywebsite.com/folder/ wouldn't be an endpoint but www.mywebsite.com/folder/file.php would be
@muhammadhaleemkhan4186 4 years ago
@InsiderPhD Ohhh thanks a lot... I was expecting it... you are my mentor in bug bounty... thanks a lot...
@chriswang6674 4 years ago
@InsiderPhD Thank you for your explanation. As a newbie, I didn't know the meaning of endpoint before I found this comment.
@watchandgainknowledge 4 years ago
I can't stop laughing, LMAO
@fakermankumar1327 3 years ago
Why is everything distorted at 1080p?
@InsiderPhD 3 years ago
Older video and I wasn't great at video editing! Should I remake it? 🤔
@fakermankumar1327 3 years ago
@InsiderPhD It's OK
@jeannasrallah730 3 years ago
COOKIES: If I just replace the cookies and get 200 OK, then get access to the account, will it be considered an IDOR? Please help!
@jeannasrallah730 3 years ago
I recently reported one like that. It will be my first bug!!