Don't test for IDOR's manually, Autorize is so much faster!

  • Published 25 Jun 2024
  • 00:00 - Intro
    00:40 - Configuring Burp Autorize
    01:05 - How Autorize works
    01:41 - Autorize filter configuration
    02:11 - IDOR testing with Autorize
    02:50 - Explanation of Autorize output
    03:25 - Example of valid IDOR
    03:55 - More about filtering output
    04:26 - Another level of security
    05:00 - Broken access control
    06:09 - Outro
    ferretshop.herokuapp.com/
    Thank you so much Mister Mikro for adding all the cards and table of contents.
    Buy me a coffee
    www.buymeacoffee.com/thexssrat
    Patreon:
    / thexssrat
    Instagram:
    thexssrat
    Follow me on twitter to be notified when I release a new video:
    / ferret_amazing
    Come join our discord :D i hang out there often!
    / discord
  • Howto & Style

COMMENTS • 50

  • @LeonidasDAce 4 years ago +10

    This was the best, dude. Loved it. Gonna try it tonight🔥

    • @TheXSSrat 4 years ago +2

      Thank you so much man 😍🔥

  • @JL-ud6xx 2 years ago +3

    Thank you for your clear explanation! from configuring to explaining output! keep up the good work!

  • @rajanrawal3761 2 years ago +1

    amazing, this could probably be one of the biggest pieces of information that I have ever been given... we need such playlists more and more in the upcoming days. I hope I made you understand the things that I wanted to make you understand... the way you explain is amazing. Again, we need such playlists more and more in the upcoming days..

  • @6060fishy 4 years ago +3

    Love the reboot! The bookmarks are a great touch, I am looking forward to your next video!! Thank you

    • @TheXSSrat 4 years ago

      Thank you bro 😍😊🔥 and thank you mikro for the bookmarks 😍🔥

  • @h3xvideos869 4 years ago +2

    Thank you bro. I really needed this one, been in love with IDOR lately

    • @TheXSSrat 4 years ago +1

      Thank you bro 😊🔥 recently found a way to chain IDORs

  • @sourabhyadav9252 4 years ago +1

    I was waiting for this one to come, thanks bro

    • @TheXSSrat 4 years ago

      Thank you so much bro 😊 I didn't even want to release this one since I already did so much on Autorize

  • @abczwq8364 3 years ago +2

    thank you so much!!! great video

  • @cvija997 4 years ago +1

    this is what I need, I love you 🤑🔥

  • @cyberpirate007 3 years ago +2

    Uncle Rat is Amazing and Insane !! He Started Bug Bounty in January 2020 and He's now Intigriti's Top 40. It's Insane !!! Always

    • @TheXSSrat 3 years ago +1

      Respect bro 😍😍😍 you’ve been here for so long

  • @vijaySingle143 3 years ago +2

    Thank you RAT. You are the only RAT which I like 😍

    • @TheXSSrat 3 years ago

      This rat will mess up your hard drive before you know it :3

  • @sujayhazra8143 2 years ago +1

    thank you amazing hacker

  • @harjotsaini1038 4 years ago +1

    Lit asf 🔥🔥🔥🔥🔥🔥

    • @TheXSSrat 4 years ago

      Thank you amazing hacker ☺️☺️😍

  • @DEADCODE_ 1 year ago

    dudeeeeeeeeee you're goooooooood

  • @Value_Geek9447 4 years ago +1

    You are awesome.

    • @TheXSSrat 4 years ago

      Thank you so much amazing hacker 😍🔥

  • @logmantarig 3 years ago +1

    Really, thanks, very useful and amazing video.
    I'm very late ;)

  • @h1-hackermater 6 months ago +1

    Sorry if I could not understand, but when you use Autorize in Burp and you see that "(1) Original Request, (2) Original Response and (3) Unauthorized Request" are all equal, could you have found an IDOR? Thanks if someone solves my doubt.
    Awesome video!

  • @TheGhostcc18 3 years ago +1

    Awesome. Thanks a lot.

    • @TheXSSrat 3 years ago

      My pleasure friend 😍❤️

  • @alijujara2432 4 years ago +2

    Why did you remove the "scope items only" and add it again, I mean the one which is added by default, is it different than the filter you added afterwards?

    • @TheXSSrat 4 years ago

      So I could add it again haha 😅 I was testing stuff before I recorded and I accidentally left it in there

    • @alijujara2432 4 years ago +1

      @@TheXSSrat haha okay

  • @drdounge 3 years ago +1

    Hey man, what's up? Nice vid again 🔥😁
    Unfortunately Burp Pro is out of my budget atm. Do you know of any alternatives to Autorize?
    I've just read a bit about mitmproxy. Sounds nice to me because you can script arbitrary stuff in Python 😍😜 Have to install and try ZAP as well.

    • @TheXSSrat 3 years ago +1

      Thankfully that cleared itself out in the chat today 😍

    • @drdounge 3 years ago

      @@TheXSSrat Yes, clarified very nicely 🙂 I think I'll be back soon in the chat, because I might have to recommend to you another metal album 😁

    • @drdounge 3 years ago

      @@TheXSSrat Wow ok, sorry but I must recommend it to you right now lol. Because it just struck me hard listening to it again after such a long time:
      ua-cam.com/play/OLAK5uy_kL37tCTrxU8zdYN36W9oBACNQ4rkW09_E.html
      Sorry if I'm recommending something which might be obvious for you, as said, metal is a genre which I really haven't touched much. But THIS is really good music 👍 Must be a classic of the genre for sure.
      Make sure to check out the video, too, super funny 😁
      ua-cam.com/video/aOnKCcjP8Qs/v-deo.html

  • @aravindv6765 3 years ago +2

    How to find an exact IDOR? Some cases are false positives in Autorize. Any tips?

    • @TheXSSrat 3 years ago +1

      IDOR has a few criteria 😊 first of all, of course, we need an ID somewhere in the request. Second of all, IDORs only work on resources you are not supposed to be able to see

  • @maskhiyatusshokhib8272 1 year ago

    good

  • @Thatsit36 9 months ago

    Couldn't the `/rest/user/authentication-details/` endpoint (at the end of the video) be a false positive because you are signed in as admin and hence getting "Bypassed!" as the original request (Authenticated request) is by the admin?

  • @abhishekganesh4434 1 year ago +1

    Great video🤩 but I am facing the issue below.
    I fed Autorize with the cookies of a low-privileged user, switched Autorize on and started browsing as an admin just as shown in this video. But Autorize doesn't capture or replay any of the admin requests. Could you please help?

    • @TheXSSrat 1 year ago

      Put in ONLY the headers for authorization like cookies and not all of them 🤗 sometimes a header can duck up Autorize

    • @abhishekganesh4434 1 year ago

      @@TheXSSrat thanks for the prompt response 😍 I too tried with the same OWASP Juice Shop app, so I copied the same cookies and Authorization headers just like you did, and still faced the issue. Thanks in advance 🙌🏻

  • @vikramr1906 2 years ago +1

    What is the name of the Burp Suite extension?

  • @suvarneshkm4845 4 years ago +1

    2k sub will happen soon :)

    • @TheXSSrat 4 years ago +1

      Omg yes 😍😍😍😍🔥 thank you for noticing

  • @uttarkhandcooltech1237 4 years ago +1

    Coop

    • @TheXSSrat 4 years ago

      Soon bro 😍🔥 join discord

  • @tanercoder1915 4 years ago +3

    I've been using Autorize for a while and in many cases it shows a bypass and it is always a false positive. And when a site is protected, it is really enforced to use someone else's cookies. Using the Auth bearer and Cookie from another user in many cases just duplicates actions on both users' accounts. The app must really not be well thought out for this to work, like in juice-shop.

    • @TheXSSrat 4 years ago +4

      First of all, I agree that for some projects Autorize is impossible, but I don't really agree with the fact that it's useless. I've used Autorize for many projects including a tough one. I will admit you need to set it up just right and that might take a lot of fiddling, but it's 100% better than nothing 😊 maybe I can help you? Feel free to join our discord