Thank you so much for making these videos. I recently finished reading a few books on web app security and these videos are helping me ease my way into bug bounty.
Hi Martin, thank you so much for these videos. They help me a lot more than the usual ones because you explain them so simply! Is there any way i could get in contact with you?
No, what you are referring to is CORS (cross site origin resource sharing). That would allow you to losen the Same Origin Policy for cross site interaction. In this case here, authorization checks need to be implemented so that it's verified that the asset belongs to the authenticated user.
![Lp. Сердце Вселенной #60 РОЖДЕНИЕ ЛОЛОЛОШКИ [Финал] • Майнкрафт](http://i.ytimg.com/vi/YoR0pAV9FVQ/mqdefault.jpg)
Thank you so much for making these videos. I recently finished reading a few books on web app security and these videos are helping me ease my way into bug bounty.
Glad you like them!
Need a Job doing Research on this
Hi Martin, thank you so much for these videos. They help me a lot more than the usual ones because you explain them so simply! Is there any way i could get in contact with you?
you can use the contact form on martinvoelk.com Don't wanna post contact email here.
I have question?
How attacker find victim cookies? Which u use this video.
Administration how can find Normal user cookies? Can u clear me please?
XSS when the cookies are not httpOnly protected for example
Informative one ❤
Glad you liked it
Can it be implementing to sensitive data exposure?
Yes. Broken access control is the vulnerability class and sensitive information disclosure is often the result.
How can we avoid this issue? Can be implementing Access-Control-Origin headers?
No, what you are referring to is CORS (cross site origin resource sharing). That would allow you to losen the Same Origin Policy for cross site interaction. In this case here, authorization checks need to be implemented so that it's verified that the asset belongs to the authenticated user.
@@martinvoelk so the way to fix it is comproving if user is logged in?
And... Maybe if has the needed permissions to update the record or something like that?
thnk youf ro mqking video
No problem