Finding Your First Bug: Manual IDOR Hunting
InsiderPhD
@insiderphd
Dr, apparently. Principal Security Researcher at Traceable by Harness, passionate about teaching all things application and API security, ex-Bugcrowd triager. #BugBounty hunter & #infosec YouTuber making videos about how to get into Bug Bounty, API security and Application Security. Hack the planet!
Video Description
Hi everyone, welcome to the third video in the "Finding Your First Bug" series. In this series I go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out, and finally do a practical example with Burp on a real target. In this video we'll be talking about IDORs (Insecure Direct Object References), which is a fancy term for "the application authenticated the user but never checked whether that user is allowed to touch the object they asked for". These are great first bugs: they don't require much technical knowledge and you can find them with nothing more than Burp.

0:00 - Theory: what is an IDOR and how to find them
8:21 - Case studies: 7 examples of IDORs which have paid out
27:28 - Practical Burp: looking at the Hacker101 CTF level "postbook"

-- Case Studies --
- Response program can create bounty table - $500: https://hackerone.com/reports/460920
- [IDOR] Deleting other people's tasks - $300: https://hackerone.com/reports/293845
- IDOR bug to See hidden slowvote of any user even when you dont have access right - $300: https://hackerone.com/reports/661978
- Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts - $1,500: https://hackerone.com/reports/320173 and https://www.jonbottarini.com/2018/01/02/abusing-internal-api-to-achieve-idor-in-new-relic/
- Replace other user files in Inbox messages - $1,000: https://hackerone.com/reports/322661
- Low Privileged user able to add new Geographical settings to the Admin account - $750: https://hackerone.com/reports/420130
- Validation message in Bounty award endpoint can be used to determine program balances - $1,500: https://hackerone.com/reports/293299
- IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users - $10,500: https://hackerone.com/reports/415081

-- You Should Also Watch --
- Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - STÖK - https://www.youtube.com/watch?v=3K1-a7dnA60

-- Social Media --
- Twitter: https://twitter.com/InsiderPhD
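As an added example (this is not code from the video, from InsiderPhD, or from the Hacker101 "postbook" level), the Python below models the authorization gap behind an IDOR and the two-account check that finds one: fetch an object as its owner, replay the identical request with a second account's session, and compare the responses. The tiny app, its users, session tokens, and post IDs are all constructed here for illustration.

```python
"""Constructed model of an IDOR and the two-account test used to find one.
Nothing here is a real target; users, tokens and post IDs are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Optional[str]]  # (HTTP-style status, body)


@dataclass
class Post:
    id: int
    owner: str
    body: str


# Constructed sample data: two users, each with one private post.
# Sequential integer IDs are the classic tell that makes guessing trivial.
POSTS: Dict[int, Post] = {
    1: Post(1, "alice", "alice's private note"),
    2: Post(2, "bob", "bob's private note"),
}

# Constructed session tokens standing in for a cookie or bearer token.
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}


def vulnerable_get_post(session: str, post_id: int) -> Response:
    """Authenticates (is this a valid session?) but never authorizes
    (does this session's user own post_id?). That missing check is the IDOR."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    post = POSTS.get(post_id)
    if post is None:
        return 404, None
    return 200, post.body


def fixed_get_post(session: str, post_id: int) -> Response:
    """Same endpoint with an ownership check on the object itself."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    post = POSTS.get(post_id)
    # Treat "not yours" the same as "not found" so the response does not
    # confirm to an attacker that the object exists at all.
    if post is None or post.owner != user:
        return 404, None
    return 200, post.body


def idor_check(handler: Callable[[str, int], Response],
               attacker_session: str, victim_session: str,
               victim_object_id: int) -> bool:
    """The manual Burp workflow as code: request the object as its owner to
    learn the expected response, then replay the same request with the
    attacker's session. Getting the owner's response back means the
    endpoint is vulnerable."""
    owner_status, owner_body = handler(victim_session, victim_object_id)
    if owner_status != 200:
        raise ValueError("baseline request must succeed as the owner")
    attacker_status, attacker_body = handler(attacker_session, victim_object_id)
    return attacker_status == 200 and attacker_body == owner_body


def foreign_ids_readable(handler: Callable[[str, int], Response],
                         session: str, id_range: range) -> List[int]:
    """Walk a range of candidate IDs with one session and return the IDs it
    can read but does not own. Non-empty output is an IDOR on every listed ID."""
    me = SESSIONS[session]
    leaked: List[int] = []
    for candidate in id_range:
        status, _ = handler(session, candidate)
        if status == 200 and POSTS[candidate].owner != me:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_post), ("fixed", fixed_get_post)):
        hit = idor_check(handler, "sess-bob", "sess-alice", 1)
        print(f"{name:10} bob reading alice's post 1 -> IDOR: {hit}")
        print(f"{name:10} ids bob can read but doesn't own: "
              f"{foreign_ids_readable(handler, 'sess-bob', range(1, 3))}")
```

The check deliberately compares bodies and not just status codes: an endpoint that returns 200 with an empty or error body for the attacker is not an IDOR, while one that returns the owner's data is, so the baseline request as the real owner is what makes the replay meaningful.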