How to search for IDORs!
- Published 31 May 2024
- 👩🎓👨🎓 Learn how to search for IDOR (Insecure Direct Object Reference) vulnerabilities. In this video, we are going to see an example of what to look out for.
Overview:
00:00 Intro
00:15 Lab overview
01:06 Exploring the vulnerable functionality
02:08 Direct Object Reference
02:39 Exploiting the app
03:24 Solving the lab
03:50 Conclusion
For more information, check out blog.intigriti.com/hackademy/...
🔗 Portswigger IDOR Challenge: portswigger.net/web-security/...
---
🧑💻 Sign up and start hacking right now - go.intigriti.com/register
👾 Join our Discord - go.intigriti.com/discord
🎙️ This show is hosted by pascalsec (@Hacksplained) & intigriti
👕 Do you want some Intigriti Swag? Check out swag.intigriti.com/
Thank you, the explanation was very interesting, concise, easy to understand and witty.
Whoops, we only know English!
Nice video, keep it up 👍
Thanks for the visit 🔥 Share the love!
Thanks a lot for this :)
You're welcome!
thanks for the content \o/
Our pleasure! 😇
Hello. I learned the IDOR concept but I didn't know what to do next or where to actually do it.. I solved the lab.
I need your help, thank you.
Hi there! I'm not too sure what you're asking for help with? Did you already solve the lab or you're stuck at part of it? 😕
@intigriti Yes I did... Solved it and I understand the concept, but I didn't know how to do it on a real website?? How will I find a bug on a real one.. like how to choose a website on HackerOne or others.
If you want to see how to find IDORs on real websites, it's best to go and look at reports demonstrating how other hackers have found IDORs 😉 Check this out: medium.com/@nynan/what-i-learnt-from-reading-220-idor-bug-reports-6efbea44db7
Maybe I missed it...how did you get the user name for the password?
It's given in the lab's description!
Had me stuck for a while as well until I figured it out, just gotta read the docs.
Well, that's a different vulnerability class 😅
@intigriti 😂 I like XSS so much
How to find IDOR Vulnerability in Long Number Ids & Random Unique Ids
Those are generally secure for a company to use. The only thing that could happen is that those non-enumerable IDs are leaked somewhere else on the website. Then, you can try to use them and find an IDOR vuln.
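The point in the reply above is that a random, non-enumerable ID only makes an object harder to guess; if the ID leaks, the endpoint is still an IDOR unless it checks that the caller owns the object. The following is an added illustration (not code from the video, the lab, or Intigriti) with a constructed in-memory invoice store and hypothetical handler names, showing the missing check beside the fixed one:

```python
import uuid
from dataclasses import dataclass

# Constructed sample data: two users, each owning one invoice.
# IDs are random UUIDs, i.e. the "non-enumerable" case from the comment.
@dataclass(frozen=True)
class Invoice:
    id: str
    owner: str
    total: int

INVOICES = {}

def _seed():
    for owner, total in (("alice", 120), ("bob", 75)):
        inv = Invoice(id=str(uuid.uuid4()), owner=owner, total=total)
        INVOICES[inv.id] = inv

_seed()

def invoice_id_for(owner):
    # Stands in for "the ID leaked somewhere else on the site".
    return next(i.id for i in INVOICES.values() if i.owner == owner)

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(current_user, invoice_id):
    # IDOR: the record is returned purely by reference. The random ID is the
    # only barrier, so anyone who learns it can read another user's invoice.
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise KeyError(invoice_id)
    return inv

def get_invoice_fixed(current_user, invoice_id):
    # Authorization check: knowing the reference is not proof of ownership.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        # One error for "missing" and "not yours" avoids confirming the ID exists.
        raise Forbidden("invoice not found")
    return inv

def can_read(handler, current_user, invoice_id):
    # True if the handler lets current_user read the invoice, else False.
    try:
        handler(current_user, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False
```

With a leaked ID, `can_read(get_invoice_vulnerable, "alice", invoice_id_for("bob"))` succeeds, while the fixed handler refuses it and still serves Bob his own invoice.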
@intigriti OK, thanks ❤
How did you figure out that the username is Carlos?
The challenge description: "Solve the lab by finding the password for the user carlos, and logging into their account."
@intigriti I missed that part of the challenge question. Thank you for clearing that up. :)
I hope to see more of your videos in the future.
Whoops, we only know English!
👍😎
👍😎
What if you get the prompt.."username does not match.."
Then you have not found the right username and password combination. The video should give you a pretty good idea, though, of how you can find it!
In this example, hypothetical...as you used 'carlos' and the pword from 1.txt....yeah...but no username indicated.
First!!
🏎 vrooom