Finding Your First Bug: Manual IDOR Hunting

  • Published 8 Jun 2024
  • Hi everyone, welcome to the third video in the "Finding Your First Bug" series. In this series I go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out, and finally do a practical example with Burp on a real target.
    In this video we'll be talking about IDORs (Insecure Direct Object Reference), which is a fancy term for 'the application didn't authorize the request correctly': it checked that you were logged in, but not that you were allowed to act on the object whose ID you supplied. These are great first bugs: they don't require much technical knowledge, and you can find them with just Burp by taking a request that works for one account and replaying it with another account's session or a different ID.
    0:00 - Theory: what is an IDOR and how to find them
    8:21 - Case studies: 7 examples of IDORs which have paid out
    27:28 - Practical Burp: Looking at the Hacker101 CTF level "postbook"
    -- Case Studies --
    - Response program can create bounty table - $500: hackerone.com/reports/460920
    - [IDOR] Deleting other people's tasks - $300: hackerone.com/reports/293845
    - IDOR bug to See hidden slowvote of any user even when you dont have access right - $300: hackerone.com/reports/661978
    - Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts - $1,500: hackerone.com/reports/320173 and www.jonbottarini.com/2018/01/...
    - Replace other user files in Inbox messages - $1,000: hackerone.com/reports/322661
    - Low Privileged user able to add new Geographical settings to the Admin account. - $750: hackerone.com/reports/420130
    - Validation message in Bounty award endpoint can be used to determine program balances - $1,500: hackerone.com/reports/293299
    - IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users - $10,500: hackerone.com/reports/415081
    -- You Should Also Watch --
    Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - STÖK - • Burp Suite tutorial: I...
    -- Social Media --
    - Twitter: / insiderphd
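The theory section above describes an IDOR as an endpoint that authenticates the caller but never checks that the caller may act on the referenced object, and the method for finding one as: capture a working request, swap in another account's session, compare the responses. The following is an added example, not code from the video or from any target shown in it: a toy in-memory application with an object-level endpoint and an admin endpoint, each in a vulnerable and a fixed form, plus the replay-and-compare check written as a function. Every cookie, user, role and task record is constructed for the example.

```python
# Added example (not from the video): a toy application with two endpoints, each
# in a vulnerable and a fixed form, plus the manual IDOR test expressed as code:
# take a request that works for the victim, replay it with the attacker's session
# cookie, and flag it when the attacker gets the same successful response.
# All sessions, users, roles and records below are constructed for the example.
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# --- constructed application state (assumed, not from any real target) ---
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-admin": "admin"}
ROLES = {"alice": "user", "bob": "user", "admin": "admin"}
TASKS = {
    101: {"owner": "alice", "title": "Pay invoice"},
    102: {"owner": "bob", "title": "Renew TLS cert"},
}


class Response(NamedTuple):
    status: int
    body: Optional[dict] = None


def current_user(cookie: str) -> Optional[str]:
    """Authentication only: who does this session cookie belong to?"""
    return SESSIONS.get(cookie)


# Object-level IDOR: GET /tasks/<id> authenticates the caller but never checks
# that the caller owns task <id>, so any logged-in user can read any task.
def get_task_vulnerable(cookie: str, task_id: int) -> Response:
    user = current_user(cookie)
    if user is None:
        return Response(401)
    task = TASKS.get(task_id)
    return Response(404) if task is None else Response(200, task)


# Fixed: the authorization check is tied to the object. A missing task and a
# task owned by someone else both return 404, so the status code does not tell
# an attacker which ids exist.
def get_task_fixed(cookie: str, task_id: int) -> Response:
    user = current_user(cookie)
    if user is None:
        return Response(401)
    task = TASKS.get(task_id)
    if task is None or (task["owner"] != user and ROLES[user] != "admin"):
        return Response(404)
    return Response(200, task)


# Function-level variant: an admin-only endpoint reachable by any logged-in user.
def list_users_vulnerable(cookie: str, _unused: int = 0) -> Response:
    if current_user(cookie) is None:
        return Response(401)
    return Response(200, {"users": sorted(ROLES)})


def list_users_fixed(cookie: str, _unused: int = 0) -> Response:
    user = current_user(cookie)
    if user is None:
        return Response(401)
    if ROLES[user] != "admin":
        return Response(403)
    return Response(200, {"users": sorted(ROLES)})


Handler = Callable[[str, int], Response]


def replay_as(handler: Handler, victim_cookie: str, attacker_cookie: str,
              object_id: int) -> Tuple[bool, Response, Response]:
    """The Burp Repeater step: send the victim's request, then the same request
    with the attacker's cookie. Flag it when both succeed with the same body.
    Returns (is_idor, baseline_response, replayed_response)."""
    baseline = handler(victim_cookie, object_id)
    replayed = handler(attacker_cookie, object_id)
    is_idor = (baseline.status == 200 and replayed.status == 200
               and replayed.body == baseline.body)
    return is_idor, baseline, replayed


def find_idors(handlers: Dict[str, Handler], victim_cookie: str,
               attacker_cookie: str, ids: List[int]) -> List[Tuple[str, int]]:
    """Sweep every captured endpoint over a list of ids; collect the hits."""
    hits = []
    for name, handler in handlers.items():
        for object_id in ids:
            if replay_as(handler, victim_cookie, attacker_cookie, object_id)[0]:
                hits.append((name, object_id))
    return hits


if __name__ == "__main__":
    task_endpoints = {
        "GET /tasks/<id> (vulnerable)": get_task_vulnerable,
        "GET /tasks/<id> (fixed)": get_task_fixed,
    }
    # Bob replays Alice's task requests over a small id range.
    print(find_idors(task_endpoints, "sess-alice", "sess-bob", [101, 102, 103]))
    # Bob replays the admin's request to the user-listing endpoint.
    for label, handler in (("vulnerable", list_users_vulnerable),
                           ("fixed", list_users_fixed)):
        print("admin endpoint", label, "reachable as bob:",
              replay_as(handler, "sess-admin", "sess-bob", 0)[0])
```

Two caveats a practitioner would want. First, the comparison is deliberately strict (same status and same body): on a real target a 200 carrying an error page, or a body containing the caller's own name, will need manual judgement, which is why the video does this step by hand in Repeater rather than trusting a script. Second, the fixed task endpoint returns 404 for both missing and foreign objects on purpose; answering 403 for foreign objects would leak which ids exist, which is a smaller finding of its own.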

COMMENTS • 85

  • @ark3r745 4 years ago +101

    The best and most honest bug bounty hunter in the sec community, you have no idea about the help that you are doing to others .... thanks a lot

  • @ggmaxx66 3 years ago +7

    "populate burp with admin endpoints then hit them all as a user..." a golden nugget for me, thanks!

  • @bobmatley6138 3 years ago +3

    your videos actually explain hacking in the purest and most direct way! I am learning so much! I plan to literally memorise all your videos!

  • @encodedguy9182 3 years ago +1

    Thank you so much, I heard about IDOR somewhere but didn't understand it at that time. By watching your video it is so much clearer to me now. Thank you so much

  • @aashikyadav4439 4 years ago +4

    IDOR = Insecure Direct Object Reference, which tells you fucking nothing.
    Your voice is amazing, I'm loving it and you are doing great. Thank you for this.

  • @myname-mz3lo 3 years ago +2

    you explain things so well and are very thoughtful of what it's like to be a beginner, thank you

  • @yodamaxwell 2 years ago +1

    Thank you very much, for the explanation, keep up the good work!

  • @eed5278 4 years ago +38

    You're amazing. Thanks for contributing to the community, I hope to be able to do the same one day :)

    • @InsiderPhD 4 years ago +19

      Please do! It's all I ask of my viewers who enjoy my content: please contribute back to the community by sharing resources, talking to other newbie hackers, writing up interesting things you've found, or even re-explaining a resource for humans. There's a lot someone can contribute even if they haven't found their first bug yet.

  • @abj1985 2 years ago +1

    Very nicely explained. Thank you.

  • @mohitnegi552 3 years ago +2

    amazing video for bug hunters, thank you so much

  • @StefanRows 4 years ago

    Great explanation Katie! Thanks!

  • @anujpatel1654 2 years ago +1

    I am going to watch every single video on your channel

  • @rajatdutta8365 3 years ago

    Nice explanation, really appreciate it. Thanks again

  • @trieulieuf9 4 years ago +25

    Me when submitting a report: write everything carefully, double check, accept my report please.
    The guy at 13:03: Fix this!

    • @cyberpirate007 3 years ago

      Why did you delete your h1 account?

    • @trieulieuf9 3 years ago

      @@cyberpirate007 no, I am still here, hackerone.com/trieulieuf9?type=user

  • @lilp4p1 3 years ago +2

    Really good practical demo tbh, even if it's a CTF I do find it very instructive

  • @regulator5 4 years ago +1

    Very helpful. Keep making videos, please.

  • @cutyoursoul4398 3 years ago

    Super useful video, thanks

  • @m.alaiady3627 4 years ago +3

    I really was confused about this IDOR term, but after watching this video it really helped me a lot and it satisfied my points .. thanks again 🙏🏻

  • @droidhackerr 3 years ago +1

    You are the first and best 🖤💯

  • @Agung-yk7hr 4 years ago +2

    Your video is very easy to understand, can you upload more videos 😁😁

  • @chrisMa001 3 years ago +2

    Thank you for the great content. I am a beginner and would like to know how to create a working PoC to demonstrate how an attacker would use the IDOR vulnerability to attack? Thank you

  • @Mike-vq7hl 3 years ago +4

    Thank you for your work

  • @justtsanjint626 4 years ago

    Thank you for the video

  • @santiagosurt3825 1 year ago +1

    I'm a noobie and this video is amazing for people like me, thanks!

  • @olivia7988 3 years ago

    Very useful!! Thanks

  • @benasin1724 4 years ago +1

    Great video

  • @theodorpapa4710 1 year ago

    really nice video, I'm 15 and trying to learn BBH, especially IDORs, nice video

  • @nornsalon3646 4 years ago +1

    You're the best!

  • @opeyemei6011 3 years ago

    This is good.. thanks

  • @alexnieto3136 4 years ago +1

    This is one of the finest videos I have seen on this matter. I have a question: do you think that when pentesting Android apps through the Google Play program it is valid for bounty to find IDORs in the endpoints that the Android app uses (not in the Android code itself)?

    • @InsiderPhD 4 years ago +2

      This is debatable, some programs will count that as the Android app and some as the API. If the Android app is in scope without excluding the API I would say that it is valid. I think it's a great easy way to get into Android pentesting though! You can definitely find some low-hanging-fruit bugs!

  • @AndrejMoharWeb 3 years ago +5

    Hello! Thank you so much for so many great videos. I especially like how all of them are geared towards becoming a real professional in the field. I do have a question, though: I've heard in your videos (and many others, like Stök's) that you mention using privileged (and unprivileged) accounts, alongside being signed out. I was wondering how bug hunters usually get a privileged account, seeing as you usually can't just create one (you can usually create just an unprivileged user account). Does that mean only on programs that support that, or is there usually a possibility to contact them and get a test high-privilege account? Thanks!

    • @InsiderPhD 3 years ago +5

      Yeah, you're correct. When we say that we're talking about applications with permission levels that we can access, so on an app like WordPress we have access to admin, user and guest by creating our own blogs, but for something like email we only have access to a user, so that's all we can test.

  • @ahmed_gamal2006 3 years ago +1

    You are amazing, your videos are really helping me. Just one question: what do you mean by "find endpoint"?
    Thank you.

    • @InsiderPhD 3 years ago +2

      An endpoint is just a URL which does something on a web app. For example, if you have mywebsite.com/users/changeProfilePicture which changes the profile picture, that's an endpoint. When I say find them I mean do things on the application to fill up Burp with lots of URLs until you find something with an ID!

    • @ahmed_gamal2006 3 years ago

      @@InsiderPhD Thank you for the reply

  • @bugsbunny6286 4 years ago

    Any tool to easily guess these different ID parameter variables?

  • @nikhilmaan9498 2 years ago +1

    thank you so much, I found my first bug

  • @rushic24 4 years ago

    OMG you're the best, can you please make an OWASP Top 10 hunting video.

  • @hossamshady1383 3 months ago

    you are great

  • @steev910 4 years ago

    ohhh thank you so

  • @Nick-cy2qd 3 years ago

    If you (Burp actually) find "password in the URL" of a GET, is that a type of IDOR and how do I proceed?

  • @baravind719 4 years ago

    Need that doc

  • @almmathis 4 years ago +4

    I became WAY more interested once she started cussing. My attention was fading...and the keywords popped me right back in!

    • @InsiderPhD 4 years ago +3

      LMAO! I'll have to start swearing more!

    • @almmathis 4 years ago

      @@InsiderPhD On a serious note I have watched most of your videos at this point! Really good content, likes and subs from me!

  • @sarahconnorh4609 2 years ago

    I have been looking for IDORs for days now but couldn't find at least one very low one... Any idea what I'm doing wrong?

  • @bobmatley6138 3 years ago

    With IDORs, the entry point for IDORs can be used for other injection attacks. If an IDOR was a UID0=, and the UID was querying the users DB, then can you launch other injection attacks, like SQL injection or stored XSS?

    • @InsiderPhD 3 years ago

      Yup, absolutely, this is actually something in the OWASP Top 10, as often they aren't sanitised properly :)

  • @tommysuriel 4 years ago +2

    I've been bug hunting for like a month now. I've been looking for IDORs, CSRFs, XSS, HTML injection, open redirects. I can't find any websites (domains and subdomains) on H1 or Bugcrowd vulnerable to these vulnerabilities. I admit though that for XSS I only know the basics and how to use a payload list in Burp Suite. But still I can't find anything. Any tips? Should I focus on the more advanced ones like RCE and SQL injection?

    • @InsiderPhD 4 years ago +8

      I think you just need to keep at it, I know it's frustrating but they are there. Maybe look into a less crowded space like mobile? Might be worth a shot. Ignore SQL injection and RCEs, you won't find one, they are for people with years of security experience.
      My top pieces of advice:
      1) make sure you check everything, even endpoints which may not be particularly useful
      2) focus on bugs which can generate impact and be constantly on the lookout for them
      3) cast a wide net, and keep trying; if you find public programs too difficult, get invites to private programs via stuff like the Hacker101 CTF
      4) find a niche, maybe learn mobile stuff, maybe go deep into learning a ton about APIs
      5) keep trying! Bug hunting is harder than it looks but you will get there if you try

    • @tommysuriel 4 years ago +1

      @@InsiderPhD Thank you so much, and thanks for your videos

    • @fuckitimsayingit3335 4 years ago +1

      It takes time to find your first one! It gets easier tho, the best thing you can do is keep trying.

  • @mooreprr8067 2 years ago

    You are fucking amazing! sending all positive vibrations your way :)

  • @BearMeOut 4 years ago

    Maybe other people will be successful bug hunters in the future after watching the video. If it was me, after I got my first $10k from bounties, I'm gonna donate back to the many educational YouTubers who put out free stuff like this. If you don't feel okay taking Patreon money, maybe put up a link to a charity organization that you like.
    Thanks for doing this! Looking forward to more videos!

    • @InsiderPhD 4 years ago +3

      I only ask that people pay it forward: write about a bug you find, get involved in the community, help purchase learning materials for others, mentor someone, give out some tips on Twitter. I'm far more interested in people helping others to learn and join this community than money!

  • @w0lverinew0lverine19 4 years ago

    you are amazing. great content. how can I contact you?

  • @mubashirparay545 4 years ago

    Very good content, I am glad to find such content. THANKSS!! Ma'am.
    One thing, why are you exhaling so heavily sometimes? Is it the excitement of capturing the flag or some other issue?

    • @InsiderPhD 4 years ago

      Haha, I'm just asthmatic and a bit nervous when I make videos!

  • @rawkstar952 3 years ago

    hello Katie. Is Intigriti limited to European hackers only?

    • @InsiderPhD 3 years ago +1

      Nope! It's just that they focus on European hackers! You can hack on any platform from anywhere :)

    • @rawkstar952 3 years ago

      @@InsiderPhD thank you so much. By the way, I'm currently on Intigriti and trying to find an info disclosure whilst watching your tips and tricks on how to do so. Good luck to me!

  • @syedumararfeen8146 4 years ago +3

    The word should be Authorization rather than authentication for IDORs.
    Other than that, nice video.

    • @InsiderPhD 4 years ago +2

      Thank you for the correction!

  • @swaysthinking838 4 years ago

    Can anyone explain to me easily what she means when she's talking about endpoints? Thanks. 7:41

    • @InsiderPhD 4 years ago +3

      Endpoint just means a web page you can send stuff to. So what I'm saying is if you see something in Burp like /pages/admin/createPost you should replace the cookies of an admin user with those of a lower-permission user, e.g. a guest user. I hope this helps!

    • @swaysthinking838 4 years ago

      @@InsiderPhD So you mean when we are on some sort of admin endpoint, replacing the admin's cookies with a lower-permission user's cookies (for example, session ID) is an example of IDOR?

  • @muhammadhaleemkhan4186 4 years ago +1

    what are endpoints? I'm really confused

    • @InsiderPhD 4 years ago +6

      'Endpoints' are the final URL that you access.
      So www.mywebsite.com/folder/ wouldn't be an endpoint but www.mywebsite.com/folder/file.php would be

    • @muhammadhaleemkhan4186 4 years ago

      @@InsiderPhD ohhh thanks a lot... I was expecting it... you are my mentor in bug bounty... thanks a lot...

    • @chriswang6674 4 years ago +1

      @@InsiderPhD Thank you for your explanation. As a newbie, I didn't know the meaning of "endpoint" before finding this comment.

  • @fakermankumar1327 3 years ago

    why is everything distorted at 1080p

    • @InsiderPhD 3 years ago

      Older video and I wasn't great at video editing! Should I remake it? 🤔

    • @fakermankumar1327 3 years ago

      @@InsiderPhD it's OK

  • @watchandgainknowledge 3 years ago

    I cant stop laughing, LMAO

  • @jeannasrallah730 3 years ago

    COOKIES
    If I just replace the cookies and get 200 OK,
    then get access to the account, will it be considered an IDOR?
    Please help!

    • @jeannasrallah730 3 years ago

      I recently reported one like that.
      It will be my first bug!!