In this video we talk about IDORs (Insecure Direct Object References), a fancy term for "the application did not properly authenticate an endpoint." These are great first bugs that require no deep technical knowledge and are easy to find with Burp.
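To make the bug class concrete, here is an added example (not code from the video or from any of the reports below): a minimal in-memory "tasks" API with an endpoint that authenticates the caller but never checks object ownership, the same endpoint with the ownership check added, and a small helper that does what Autorize does in Burp: replay the owner's request under a second, lower-privileged session and flag it when the response is the same. All tokens, users and task ids are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Task:
    id: int
    owner: str
    title: str


# Constructed sample data: two users, each owning one task.
TASKS = {
    101: Task(101, "alice", "Renew TLS cert"),
    102: Task(102, "bob", "Rotate API keys"),
}
# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def current_user(token):
    """Authentication only: who is calling? (None if the token is unknown.)"""
    return SESSIONS.get(token)


def get_task_vulnerable(token, task_id):
    """IDOR: the caller is authenticated, but the task is returned to anyone."""
    if current_user(token) is None:
        return 401, None
    task = TASKS.get(task_id)
    if task is None:
        return 404, None
    # Missing authorization: no check that task.owner == caller.
    return 200, task.title


def get_task_fixed(token, task_id):
    """Same endpoint with an object-level authorization (ownership) check."""
    user = current_user(token)
    if user is None:
        return 401, None
    task = TASKS.get(task_id)
    # 404 for both missing and foreign objects, so ids cannot be enumerated
    # by telling "does not exist" apart from "exists but not yours".
    if task is None or task.owner != user:
        return 404, None
    return 200, task.title


def idor_suspected(handler, owner_token, other_token, object_id):
    """Autorize-style check: replay the owner's request with another user's
    session. True when both calls succeed with the same body (likely IDOR)."""
    owner_resp = handler(owner_token, object_id)
    other_resp = handler(other_token, object_id)
    return owner_resp[0] == 200 and owner_resp == other_resp
```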
0:00 – Theory: What is an IDOR and how do you find it?
8:21 – Case Studies: 7 Examples of IDORs That Paid Off
27:28 – Practical Burp: A look at the Hacker101 CTF level "Postbook"
— Case Studies —
– Responder program can create bounty table – $500: https://hackerone.com/reports/460920
– [IDOR] Deleting other people's tasks – $300: https://hackerone.com/reports/293845
– IDOR bug to show hidden slowvotes of all users even if you don't have access rights – $300: https://hackerone.com/reports/661978
– Bypassing my three other reports #267636 + #255894 + #271861 – (IDOR) Ability to view full name associated with other New Relic accounts – $1,500: https://hackerone.com/reports/320173 and https://www.jonbottarini.com/2018/01/02/abusing-internal-api-to-achieve-idor-in-new-relic/
– Replacing other user files in inbox messages – $1,000: https://hackerone.com/reports/322661
– Low-privileged user can add new geographic settings to the administrator account. – $750: https://hackerone.com/reports/420130
– Validation message in bounty award endpoint can be used to determine program balance – $1,500: https://hackerone.com/reports/293299
– IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users – $10,500: https://hackerone.com/reports/415081
— You should also see this —
Burp Suite Tutorial: IDOR Vulnerability Automation with Autorize and AutoRepeater (Bug Bounty) – STÖK – https://www.youtube.com/watch?v=3K1-a7dnA60
— Social Media —
– Twitter: https://twitter.com/InsiderPhD
Please take the opportunity to connect with your friends and family and share this video with them if you find it useful.