Hey Everyone! Just want to give a quick update on my IDORs and Access Controls Part III video: As I'm recording this video, I'm realizing that this will end up being another 4-5 hour recording 😨, and as much as I want to get this video out to the community, I also don't want to rush it. Now that we've got the basic knowledge from the last two videos, I think I have a really great opportunity to take my time and demonstrate a very effective and cohesive methodology. Then downside is that it simply takes time to get all that knowledge in the video. I promise I will get this video out to y'all as soon as I can! However, I also promise not to rush out an inferior video just to keep my numbers up in the algorithm, which hopefully is better for everyone!
Great video man! This is substantial knowledge. Awesome! Other creators don't share things like this due to the fact they make more competition in bug bounty.
Yes, there is a ban on publishing the bug bounty process, but the creator's explanation is great for beginners like me. It helps to step up, when others are asked how to report a valid bug, even if it's a duplicate, person simply replies "watch youtube"
i love the video and how you explain everything and go down paths even tho you most likely know its wrong you test until its confirmed really helps a new guy like me learn the methodology keep up the good work!!!
can't find better video like this on the youtube , Really a leader u are to beginners.. Please keep on uploading with different vulnerabilities so that our knowledge keeps increasing.😇
i love the way of how you're taking notes man and that really enlightens me.. maybe i should do the same when bug hunting and setting up pointers.. you have my full respect brother!
I dont think i have ever left a comment on a youtube video, but i just wanted to reach out and thank you for this! the way you sit and explain the little details is just amazing. Its almost like you can hear me mumbing to myself "wtf does that mean" lmao Definitely gained me as a subscriber!
The majority of logical flaws are inherently simple, regardless of the number of cases examined. It is essential to conduct a comprehensive testing process and analyze the website from scratch in order to accurately assess its integrity. This approach ensures transparency and truthfulness in the evaluation
Great Content man, Can you please do a detailed video on XSS. Like how do you actually find it in the real life, how to start testing process, when do you stop testing, which req is most vulnerable like text/html . I have this doubt in my mind that i am not good at finding it. Again great content. Please keep them coming.❤
a good program to hunt for IDORs It has to have authenticated testing and you have to be able to get multiple different accounts. taking notes is mandatory for this type of testing 19:05 first we need to identify how the application is pulling larger data sets and identifying the user. 1:03:48 left
Once again a great Tutorial! Thank you so much for that explanations! I'm really interested in your subdomain enumeration, maybe you could show us that in a future video :)
Good morning "Mas", thank you very much for the video. I am from Indonesia feel very grateful for the video, I would like to ask, Is there a roadmap next, for someone who has just jumped into Bug Bounty? The first step to understanding IDOR, maybe the next you can tell. Thank you "Mas". Greetings from me in Central Java Island, Indonesia. (Name is pseudonymous only)
@@setanalaz bootcamp banyak, cuma kebanyakan make lab, jadi kurang worth it menurutku. Belum kalau ketemu cookie seasion dan parameter id di sembunyiin bukan tulisan id.
I think you are the first person i ever see on youtube showing real life bb. many other people just waste people time with enum and stuff like that to keep the people subbing to their channel without giving real content worth watching. in a different note, since the server was not validating the signature, why you didnt make your own token?
Hi, great video, it really help us to see how you hunt for bug. Can't wait to see your live hacking video. Could be great to have a second part and see you hunt for other vulnerability.
thank you..very valuable knowledge. Can you record a video of the activity when doing IDOR and it is successful then upload the video to UA-cam when the vulns has been resolved?. this must be very interesting.
at 1:01:30 keeping auth token beside we can try to change the email of current account inside jwt to see if we can get the credit card of another user? can't we do that or not? somone?
bro i am not from usa, i am from india,and i tried to access the singapore website but it shows that i dont have access so I used the vpn and changed to virginia and created 2 accounts, but the burp proxy and vpn are clashing and i am not able to intercept through burp, any advice bro ?
Love the videos. Question for you. I am looking at starting bug hunting however, my laptop does not have the resources available to create VM's. Can VMs created in the cloud (AWS) bue used for bug hunting? thank you.
Hello very good video ....i just have a question how to bypass errors like the bad request that u ve got and how to when to quit digging in same mechanishm and know that there is no bug here ...thank you
Thank you!! You probably won't be able to bypass errors when you get them. The error usually means that the control is working properly. Keep in mind that IDORs are not injections, they are simply testing if the app is working how it should. You don't need to bypass anything, there is enough complexity in these applications that there always new places to test. There's no general rule to know when to stop testing, it's really about understanding the application. You need to know how the app is designed to function, then you try to make it break those rules.
Wouldnt it be possible to swap the payload and see at what point the change occurs? Or maybe not payload, token, idk im very new to all this. I mean are they valid if you just swap them or does it know that the token belongs to a different session or something?
![[Part II] Bug Bounty Hunting for IDORs and Access Control Violations](http://i.ytimg.com/vi/jTdqM2aO4Ys/mqdefault.jpg)
![[Part II] Bug Bounty Hunting for IDORs and Access Control Violations](/img/tr.png)
Finally someone explaining with real website. I was looking for this..This was very easy to follow as a beginner in bug bounty hunting,
Finally someone shares real life experience in bug bounty and actually shows how real world works. Thank you
Hey Everyone! Just want to give a quick update on my IDORs and Access Controls Part III video:
As I'm recording this video, I'm realizing that this will end up being another 4-5 hour recording 😨, and as much as I want to get this video out to the community, I also don't want to rush it.
Now that we've got the basic knowledge from the last two videos, I think I have a really great opportunity to take my time and demonstrate a very effective and cohesive methodology. Then downside is that it simply takes time to get all that knowledge in the video.
I promise I will get this video out to y'all as soon as I can! However, I also promise not to rush out an inferior video just to keep my numbers up in the algorithm, which hopefully is better for everyone!
This is the best educational bug bounty video on youtube!
How long have I been waiting for someone to actually test on a live application!! So educative, more of these pls!!
Great video man! This is substantial knowledge. Awesome! Other creators don't share things like this due to the fact they make more competition in bug bounty.
allot of their excuses I have heard is its not allowed to do live bug bounty tests not sure how thats true
Sharing knowledge builds a strong community, but very few have such wisdom.
That and they won’t burn recon live I’d do live recon with u if u wanted to invite me.
Yes, there is a ban on publishing the bug bounty process, but the creator's explanation is great for beginners like me. It helps to step up, when others are asked how to report a valid bug, even if it's a duplicate, person simply replies "watch youtube"
finally someone sharing how to hunt in real life rather than giving tips thanks sir
This is the best educational bug bounty video on youtube!
i love the video and how you explain everything and go down paths even tho you most likely know its wrong you test until its confirmed really helps a new guy like me learn the methodology keep up the good work!!!
You are SO awesome for lending your expertise to walk through your methodology on a live program! Thank you!!!
can't find better video like this on the youtube , Really a leader u are to beginners.. Please keep on uploading with different vulnerabilities so that our knowledge keeps increasing.😇
i love the way of how you're taking notes man and that really enlightens me.. maybe i should do the same when bug hunting and setting up pointers.. you have my full respect brother!
When person understands what he is doing, its always good to listen to him. Great video.. keep a good work
You have the Holy Grail of certs! So glad you're on our side!! 😁
I dont think i have ever left a comment on a youtube video, but i just wanted to reach out and thank you for this! the way you sit and explain the little details is just amazing. Its almost like you can hear me mumbing to myself "wtf does that mean" lmao
Definitely gained me as a subscriber!
Teşekkürler.
Finally someone explaining with real website. I was looking for this..This was very easy to follow as a beginner in bug bounty hunting.
Awesome content love these in-depth videos
Definately the most helpful videos on bug bounty answered so many questions i had about the industry now im confident i can actually find some bugs
This is so much better than course videos with super unrealistic flaws
No one beat this content ❤
thanks for the content man..that was great ❤
can't wait for further lives ❤
Please do more vids like this, on specific bug types from beginner to advanced this is gold.
Thank you so much i really learned from you, i also learned how to be patient with captcha like which is an amazing skill ngl
that was great ❤
can't wait for further lives ❤
Thank you for sharing this knowledge with us. As someone who is new to this, videos like this are golden in helping understand the how and why.
Best yt video about idor
thank you for coming with such great videos
The majority of logical flaws are inherently simple, regardless of the number of cases examined. It is essential to conduct a comprehensive testing process and analyze the website from scratch in order to accurately assess its integrity. This approach ensures transparency and truthfulness in the evaluation
Thank you for your generous sharing. There are truly no hidden aspects to this.
man you are amazing, keep up the great work.
just beginning to watch this and i can tell its going to be worth it
Thanks bro. I am just starting. These live hunting videos are really really helpful. ♥♥
You are king! Great realistic content - the best!
best explanation Bro!!! loved your methodology...
Absolutely great content ✨
Thank you very much for these awesome videos. Every time I watch your videos I'm learning a lot of things.
Love the whole video please keep teaching us
Great Content man, Can you please do a detailed video on XSS. Like how do you actually find it in the real life, how to start testing process, when do you stop testing, which req is most vulnerable like text/html . I have this doubt in my mind that i am not good at finding it.
Again great content. Please keep them coming.❤
Thanks for bringing us these videos
can't wait for 2nd part amazing man alot of thanks
Thanks for bringing us these videos, showing the methodology, it really helps a lot!
great video! thank you for the depth and explanations in this video. i think i’m finally starting to get it!
Thank you so much for sharing your knowledge!
Love your videos!
Thanks a LOT man 🎉🎉🎉 ❤❤❤
I was going to sleep it's 1:46 am then pop up came , now i can't sleep, i have to watch it cause i m obsessed with your content ❤😍
that was incredible, thanks for sharing, please keep up the good work legend.
Thank you sir. You are my best youtuber
Really Doing a great job 👍💪
Getting into IDOR's and ACV's now... nais tutorial.. cheers
Can't wait for part 2 😊
Min 1:06:29 you missed one traffic light. You are a robot. I know it!!!! :D
Good video bro. It is gold.
this video is very motivating thanks man ...
Great video. One of the best if you pay attention
a good program to hunt for IDORs
It has to have authenticated testing and you have to be able to get multiple different accounts.
taking notes is mandatory for this type of testing
19:05 first we need to identify how the application is pulling larger data sets and identifying the user.
1:03:48 left
interesting to see how others do this, thanks!
This is fantastic for beginner's
This is gold!
Another great video, thanks man i really enjoy your videos :-)
Good one this🤞🏾
Once again a great Tutorial! Thank you so much for that explanations! I'm really interested in your subdomain enumeration, maybe you could show us that in a future video :)
good Explanation 🔥🔥🔥🔥
Thanks man, good material, we don't have anything similar in Spanish
Good morning "Mas", thank you very much for the video.
I am from Indonesia feel very grateful for the video, I would like to ask,
Is there a roadmap next, for someone who has just jumped into Bug Bounty?
The first step to understanding IDOR, maybe the next you can tell.
Thank you "Mas".
Greetings from me in Central Java Island, Indonesia.
(Name is pseudonymous only)
Halo bang, ane juga dari jateng pekalongan wjwk
@@setanalaz kuliah ya?
@@blackbird436 no sir, still learning to jump into bug bounty from current job. belajar dmn lagi ya bang ada info kaga?
@@setanalaz bootcamp banyak, cuma kebanyakan make lab, jadi kurang worth it menurutku.
Belum kalau ketemu cookie seasion dan parameter id di sembunyiin bukan tulisan id.
Great explanation
Love ur content! Please go for part 2!
This is so helpful. thank you
I think you are the first person i ever see on youtube showing real life bb. many other people just waste people time with enum and stuff like that to keep the people subbing to their channel without giving real content worth watching. in a different note, since the server was not validating the signature, why you didnt make your own token?
very helpfull information, thank you mate
Great content
Hi, great video, it really help us to see how you hunt for bug. Can't wait to see your live hacking video. Could be great to have a second part and see you hunt for other vulnerability.
讲的太好了
i have faith , that u and God will help me in this journey of bug bounty
Thanks for the video =)
This is just great! Thanks for the live hacking, that's super useful for me.
Very helpful thank you from iraq❤❤
Bro pls make a course for http request smuggling I want to learn this vulnerability
Please make a video on how to do idor testing with Autorize
Thank you for the video. Extremely useful!🤗🤩 The link to join the group in Discord is not working
Amazing Video
Thank you!
wow i finally understand how guys found bug :)
thank you..very valuable knowledge. Can you record a video of the activity when doing IDOR and it is successful then upload the video to UA-cam when the vulns has been resolved?. this must be very interesting.
Which application do you use for taking notes?
Ty
at 1:01:30 keeping auth token beside we can try to change the email of current account inside jwt to see if we can get the credit card of another user? can't we do that or not? somone?
bro i am not from usa, i am from india,and i tried to access the singapore website but it shows that i dont have access so I used the vpn and changed to virginia and created 2 accounts, but the burp proxy and vpn are clashing and i am not able to intercept through burp, any advice bro ?
Go Navy beat Army
thx lord
Love the videos. Question for you. I am looking at starting bug hunting however, my laptop does not have the resources available to create VM's. Can VMs created in the cloud (AWS) bue used for bug hunting? thank you.
13:50 bro was definitely angry about the question
Hello very good video ....i just have a question how to bypass errors like the bad request that u ve got and how to when to quit digging in same mechanishm and know that there is no bug here ...thank you
Thank you!! You probably won't be able to bypass errors when you get them. The error usually means that the control is working properly. Keep in mind that IDORs are not injections, they are simply testing if the app is working how it should. You don't need to bypass anything, there is enough complexity in these applications that there always new places to test. There's no general rule to know when to stop testing, it's really about understanding the application. You need to know how the app is designed to function, then you try to make it break those rules.
Subscribed!!!!
nice video, keep doing
really helpfull
When will you upload part 2?
Wouldnt it be possible to swap the payload and see at what point the change occurs? Or maybe not payload, token, idk im very new to all this.
I mean are they valid if you just swap them or does it know that the token belongs to a different session or something?
Bro I was literally just researching this
❤❤
Starting now
This mfer is a fucking legend