Bug bounty tips for broken access control on BurpSuite Part 1: Using match replace and Authmatrix

22,502 views

thehackerish

A day ago

In this tutorial, you will learn how I test for broken access control and achieve privilege escalation on web applications. I go from manual to semi-automated approaches. All the testing approaches are free and accessible to everyone, not just Burp Pro users.
📙 Become a successful bug bounty hunter: thehackerish.com/a-bug-bounty...
🆓 Download your FREE Web hacking LAB and start hacking NOW: thehackerish.com/owasp-top-10...
🌐 Read more on the blog: thehackerish.com
💪🏻 Support this work: thehackerish.com/how-to-support
- Facebook Page: / thehackerish
- Follow us on Twitter: / thehackerish
- Listen on Anchor: anchor.fm/thehackerish
- Listen on Spotify: open.spotify.com/show/4Ht8jEb...
- Listen on Google Podcasts: podcasts.google.com/?feed=aHR...
Soundtrack:
Daily Beetle by Kevin MacLeod is licensed under a Creative Commons Attribution license (creativecommons.org/licenses/... incompetech.com/music/royalty-... incompetech.com/
Thumbnail:
Photo by Chris Barbalis on Unsplash

Comments: 58
@revolution1433 3 years ago
Your tutorials are great, please keep posting! I barely comment on youtube, but you deserve the encouragement.
@thehackerish 3 years ago
Oh! Thanks a lot! I am humbled
@R4z0r_arg 2 years ago
Amazing tutorial mate! Thanks! :)
@dohnjoe4907 3 years ago
The videos are great!
@thehackerish 3 years ago
Glad you like it!
@novosecurity6823 4 years ago
Good videos 😊 keep posting and share your knowledge
@thehackerish 4 years ago
Thanks!
@ReligionAndMaterialismDebunked A year ago
Thanks a bunch for the sessions plugin recommendation! :3
@rrashi4484 3 years ago
Dude! more videos please....
@rohitgupta-es4fd 3 years ago
awesome video
@msalih 3 years ago
awesome
@thesmartguy3523 3 years ago
Good tutorial dude 😁 Just a hint for other curious souls - if you are willing to inspect what the JWT token contains, you can visit JWT.io and paste your token and you're good to go.
@thehackerish 3 years ago
Yeah, or use JWT Web Tokens from BurpSuite
@ReligionAndMaterialismDebunked A year ago
@thehackerish true.
@mdatikqurrahman8376 3 years ago
awesome. a lot of new information. I appreciate your efforts
@thehackerish 3 years ago
Enjoy!
@ajaykumark107 4 years ago
I think renaming this video as Using Autorize and Autorepeater would fetch you more views
@thehackerish 4 years ago
Good idea! I will add them
@nogoodhacker6944 3 years ago
I've got a doubt.. I actually used the auth bearer and succeeded but couldn't report it since it is out of scope... my doubt is, can I just report if this is actually possible?? wouldn't they ask, "could you explain how you got the auth bearer in the first place"? or would they just reward me?? The video is super-awesome and I realized that I finally found a bug! BTW can you please clear my doubt if you/someone sees this comment?? Thank you very much for sharing your knowledge
@thehackerish 3 years ago
The exploit is not against the Bearer token. The vulnerability is the IDOR where the ID is not checked. Using the JWT token is just a way to automate the discovery of IDORs using two users, hence two JWTs. If you can replay the same request against a resource which doesn't belong to the user, then it is worth reporting. Otherwise, it is not a vulnerability. I hope this helps.
@nogoodhacker6944 3 years ago
@thehackerish yeah, but I was able to replace the auth bearer, ❤️
@shivangraina9698 3 years ago
Does the bug have high impact if a refresh token is used? Also, how to prevent it if your access token gets stolen?
@thehackerish 3 years ago
If you can steal the JWT token, you can also do the same for the refresh token since they are typically stored in the web browser. To prevent that, you need to make sure you don't have XSS, implement CSP for added security and implement proof-of-possession, which is documented in the JWT standard.
@shivangraina9698 3 years ago
@thehackerish thank you so much for the video. Great content.
@thaihungnguyen6738 2 years ago
Can someone recommend another extension for Firefox, please?
@navinvenkatesan9784 4 years ago
Can you put up videos on all the best extenders? This video is good up until Authmatrix, and after that it is a little bit confusing. Please try to explain that in another video.
@thehackerish 4 years ago
Sorry for the confusion. Tell me what you didn't understand exactly to see what I can do.
@navinvenkatesan9784 4 years ago
@thehackerish Authmatrix itself is confusing, and the colours showing red and green; if you could explain that a bit more, it would be enough. And please post videos of other best extenders.
@rajupaswan5111 A year ago
How can I find bugs or hack banking sites? Can you explain it in your video?
@thehackerish 11 months ago
Check the pentesting playlist out, tons of videos on just that
@dishant_singh4556 A year ago
If I am able to use the victim's JWT in my account and able to change any info, will it be eligible or not?
@thehackerish A year ago
Nope, the video explains how to find broken access control using two test accounts. If you can use jwt1 to access/edit/delete resources of user2, then it's an issue.
@dishant_singh4556 A year ago
@thehackerish like I am copying the JWT of account A and then using this JWT of account A in account B. And the session of account A is destroyed after logging into account B, but somehow I am still able to see user A's PII info and able to change its profile picture, so can I report it?
@thehackerish A year ago
@dishant_singh4556 JWTs have an expiration time. Generally, when you log out it will still work for some time unless the dev has blacklisted the JWT upon logout. If you report it, you risk getting an informative or a low, but read the policy for any mention of session logout being out of scope.
@msalih A year ago
1- send the original requests to authmatrix
2- set the attacker auth headers and cookies to authmatrix (add user and send cookie)
3- RUN
@SankizTime 3 years ago
How to get AUTH header?
@thehackerish 3 years ago
From your test accounts. The objective here is to probe for IDORs, not to get AUTH headers.
@sohailbzioui8323 4 years ago
what is the impact of broken access control
@thehackerish 4 years ago
It depends on the vulnerable request. Examples: access or update profile data of other users, access admin features, etc.
@authenticworld7271 3 years ago
I want to learn bug bounty... Can you help me... please 🙏🙏
@thehackerish 3 years ago
Yes, read as much as you can and never stop hacking!
@SimplyHackss 4 years ago
first !
@josephrajareddy4606 4 years ago
Second
@thehackerish 4 years ago
third
@sail6114 4 years ago
Zero😂
@ZZ-vz9in 3 years ago
How do hackers hack a web application and encrypt all devices connected to that application? Like what happened with the "FireEye" company, do you know something about this? I am very interested to know how this kind of cyber attack happens, and thank you for the helpful videos
@thehackerish 3 years ago
Threat intelligence reports are a great source of knowledge for you. I suggest you read some...from FireEye itself :)
@ZZ-vz9in 3 years ago
Yes, this is true, but there is no detail that I need. I tried to analyze the reports, but I did not get the required knowledge. Please, teacher, post a set of lessons on how to do this, and thank you again. I look forward to seeing something similar on your channel
@amanSingh-bl3um A year ago
But the question is how will I get the victim's token.
@thehackerish A year ago
That's the wrong question. You use this technique to test broken access control between two test accounts
@angeldavatos9800 3 years ago
Ahm hello, just wanna ask something cause it's so complex. If I can set the victim's user account to private/public by changing my authorization header into the victim's, is this a valid bug? Cause I don't understand how to show the impact, cause what if they ask me how I got the auth header value?
@thehackerish 3 years ago
I don't think this is a bug unless you can choose the account by an ID. Generally, the feature you mention would need only the JWT to process the request.
@angeldavatos9800 3 years ago
@thehackerish but why here do you just change the auth header value? Can you explain to me what the difference is? thanks
@thehackerish 3 years ago
@angeldavatos9800 Sure, here I am using the JWT swapping technique to test if I can control the victim's basket, which is referenced by ID.
@asterfiester 3 years ago
The main problem is.. When we submit this kind of vulnerability.. They will ask one question.. How was the JWT token obtained..😂😂 Lol😂
@thehackerish 3 years ago
It is not about the JWT, but the identifier that suffers from IDOR
@0xbitbybit A year ago
@thehackerish What identifier are you referring to? Isn't any identifier irrelevant if there's no way for an attacker to get the JWT in the first place? The identifier can have all the IDORs it likes if it's not possible for anyone to get the victim's JWT. What am I missing here?
@thehackerish A year ago
@0xbitbybit the point is not the JWT, it's the data accessible by userA that belongs to userB. Both JWTs are linked to test accounts to help broken access control testing
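The two-test-account approach from the video description and the basket IDOR discussed in the replies above, as an added example that is not code from the video or its author: an AuthMatrix-style replay of captured requests with each account's token, run against a tiny in-process mock API so it works offline. The tokens, user names, basket IDs, paths and the mock API (both the vulnerable handler and the fixed one with an object-level ownership check) are all constructed for this example.

```python
# Added example, not code from the video or its author: an AuthMatrix-style
# two-account replay against a tiny in-process mock API so it runs offline.
# Tokens, user names, basket IDs and the mock API are all constructed here.
from typing import Callable, Dict, List, Tuple

TOKENS = {"tokenA": "userA", "tokenB": "userB"}       # bearer token -> user (constructed)
BASKETS = {"basket-1": "userA", "basket-2": "userB"}  # basket id -> owner (constructed)

Request = Tuple[str, str, str]   # (method, path, bearer token)
Handler = Callable[[Request], int]

def basket_id_of(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def vulnerable_basket_api(req: Request) -> int:
    """Authenticates the caller but never checks who owns the basket (IDOR)."""
    _method, path, token = req
    if token not in TOKENS:
        return 401
    return 200 if basket_id_of(path) in BASKETS else 404

def fixed_basket_api(req: Request) -> int:
    """Same endpoint with an object-level authorization check added."""
    _method, path, token = req
    user = TOKENS.get(token)
    if user is None:
        return 401
    # Unknown and foreign baskets look identical, so IDs cannot be enumerated.
    return 200 if BASKETS.get(basket_id_of(path)) == user else 404

def auth_matrix(handler: Handler, requests: List[Request]) -> Dict[str, Dict[str, int]]:
    """Replay every captured request once per token; this is AuthMatrix's grid."""
    return {path: {tok: handler((m, path, tok)) for tok in TOKENS}
            for m, path, _ in requests}

def find_broken_access(handler: Handler, requests: List[Request]) -> List[Tuple[str, str]]:
    """Cells that should be 'red' but returned 200: a token reached a basket it does not own."""
    return [(path, tok)
            for path, row in auth_matrix(handler, requests).items()
            for tok, status in row.items()
            if TOKENS[tok] != BASKETS.get(basket_id_of(path)) and status == 200]

# Constructed "captured" requests, as if sent to AuthMatrix from Burp's proxy history.
CAPTURED: List[Request] = [("GET", "/api/basket/basket-1", "tokenA"),
                           ("GET", "/api/basket/basket-2", "tokenB")]

if __name__ == "__main__":
    print(find_broken_access(vulnerable_basket_api, CAPTURED))  # both cross-user cells leak
    print(find_broken_access(fixed_basket_api, CAPTURED))       # []
```

A real run would swap the mock handler for HTTP requests carrying each test account's Authorization header; the green/red verdict per cell is the same comparison of status (and body) against the owner of the referenced ID.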