TCM just keeps getting better and better!! Love the content! Keep it coming!!
These videos are gold
The satisfaction when I was so confused thinking this was exactly like IDOR, but the second after you explained it, it pretty much is, except BOLA is API-related :D Phew
Thank you for this quick explanation video!
Thanks sir, I'd suggest continuing with web app exploitation, even medium and low risk vulns (XSS, XST, CSRF ...); these things may help us in bug bounty hunting.
Hello sir, great video!
It would be lovely if you could make a video about XXE vulnerability.
Thanks
Hi, Great Video, thanks !!
My request is, can you make a video explaining encryption, algorithms, the John the Ripper tool for different hash formats, how to identify the hashes, or so!
Interesting stuff, thanks for the content.
Hello TCM!
TOP, we in Belgium like you guys
Please make a video on how to set up Postman with certificates to test on websites, not on labs.
I try to explain a similar problem (let's call it Code-BOLA or CBOLA) to my colleagues, but to an even deeper level: programmatic, or object-design level. It's about proper object abstraction and encapsulation, which is a very debated topic in Object-Oriented Programming.
So for example, say you have endpoint GET /users/{userId}.
What you talk about is the end-user (or the runtime, if you will) Authentication/Authorization, but also, we should do it at coding-time, so to speak. Your object structure/composition/hierarchy, your very code, should be designed in such a way that not even you, the programmer, should be able to get the wrong User object and return it from your endpoint.
This idea of mine, of course, goes against many mainstream things that people do in OOP. As long as everything is a public service, injectable by your DI Container everywhere and anywhere, you cannot achieve this level of proper abstraction and encapsulation.
So, if you, the programmer, can instantiate the User class with any ID, or can simply inject a UserService and call findById with any ID, you already have what I would call a BOLA at code-design level.
Of course, as a programmer, you can change the code in any way you want, but the point is, you should have an architecture in place, to guide your code. It should be obvious for you, the programmer, that changing a lot of code just to get a User is NOT the way to go and you're doing something wrong if you really have to start changing stuff around.
Did you ever explore such ideas, what do you think about it?
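An added illustration of the design the comment above describes (example code, not from the video or the commenter). It is constructed for this page: the user and order records are in-memory sample data, and the names `UserService`, `Principal`, `get_user_insecure` and `get_user_encapsulated` are assumptions. The first handler has an injectable service that takes any id, so the URL parameter decides which object comes back; the second handler only ever receives the authenticated `Principal`, and the only User or Order objects reachable through it are the principal's own, so the wrong object cannot be returned even by mistake.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data for the example; not taken from any real system.
USERS: Dict[int, dict] = {
    1: {"id": 1, "email": "alice@example.test"},
    2: {"id": 2, "email": "bob@example.test"},
}
ORDERS: Dict[int, dict] = {
    100: {"id": 100, "owner_id": 1, "total": 42},
    200: {"id": 200, "owner_id": 2, "total": 7},
}


class AuthorizationError(Exception):
    """Raised when a principal asks for an object it does not own."""


class UserService:
    """The 'public service' pattern the comment warns about: any code holding a
    reference to this object can fetch any user by id (hypothetical name)."""

    def find_by_id(self, user_id: int) -> Optional[dict]:
        return USERS.get(user_id)


def get_user_insecure(caller_id: int, path_user_id: int, users: UserService) -> Optional[dict]:
    """GET /users/{userId} with a code-level BOLA: the id from the URL is passed
    straight to the service and caller_id never influences the result."""
    return users.find_by_id(path_user_id)


@dataclass(frozen=True)
class Principal:
    """Authenticated identity. Handlers receive only this object, which exposes
    no method that accepts an arbitrary user id."""

    user_id: int

    def profile(self) -> dict:
        # The only way to obtain a User object is through the principal that owns it.
        return dict(USERS[self.user_id])

    def order(self, order_id: int) -> dict:
        # Ownership is enforced inside the object; a caller cannot opt out of it.
        row = ORDERS.get(order_id)
        if row is None or row["owner_id"] != self.user_id:
            # One error for "missing" and "not yours", so existence is not leaked.
            raise AuthorizationError("order not accessible")
        return dict(row)


def get_user_encapsulated(principal: Principal, path_user_id: int) -> dict:
    """GET /users/{userId} with the encapsulated design: the handler has no
    service that takes an id, so it can only reject a mismatch or return the
    caller's own profile."""
    if path_user_id != principal.user_id:
        raise AuthorizationError("user not accessible")
    return principal.profile()


def get_order_encapsulated(principal: Principal, order_id: int) -> dict:
    """GET /orders/{orderId}: the ownership check lives in Principal.order()."""
    return principal.order(order_id)


def user_accessible(principal: Principal, path_user_id: int) -> bool:
    """Helper for demonstration: True if the handler returns a profile, False if
    the encapsulated design refused the request."""
    try:
        get_user_encapsulated(principal, path_user_id)
        return True
    except AuthorizationError:
        return False


def order_accessible(principal: Principal, order_id: int) -> bool:
    try:
        get_order_encapsulated(principal, order_id)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    bob = Principal(user_id=2)
    # The insecure handler hands Bob Alice's record; the encapsulated one refuses.
    print(get_user_insecure(caller_id=2, path_user_id=1, users=UserService()))
    print(user_accessible(bob, 1), user_accessible(bob, 2))
    print(order_accessible(bob, 100), order_accessible(bob, 200))
```

The point of the `Principal` type is architectural rather than a single `if`: a reviewer can see from the handler's parameter list alone that no arbitrary-id lookup is possible, which is the property the comment asks for.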
Interesting, but then how would you do it?
I am new to all of this. So, I am really enjoying the new videos. Is any newbie type of series coming???
Hey, can you please do a demo on mobile pentesting ... especially the ones done in Flutter.
Hey!!! DEFCON 31 will be lit🔥🔥
Great Presentation, Thank you! I love the format. Is it possible to have more content on how to use Burp, like from Zero to Hero? I just use it at 25% and I know there is a lot you can do with Burp! Thanks again!
Please create a show that bypasses WAF 402
your chair looks too comfortable, what brand is that?
Can we get some stuff about CORS exploits and why they happen, and why we don't report them, as Google also uses a wildcard? Also we need to know about CSRF.
Volume is leveled too low despite that huge microphone
Good
Yeah, it's IDOR
Let's play ball (bola) first, shall we? 😅☝