Finding Your First Bug: Getting Started on a Target (Part 2)

Рет қаралды 15,646

4 жыл бұрын

Hi everyone, welcome to this video in the "Finding Your First Bug" in this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out and finally do a practical example with Burp on a real target.
In this video, we follow me as I perform the first steps in dealing with a target. First I investigate potential targets, then I choose one and do basic recon and initial poking. This is more my thoughts as I hack and a less structured video. I hope you enjoy it!

Пікірлер: 43

@skysunset877 2 ай бұрын

OMG this is SUPER usefu❤❤❤❤ I was desperate for a manual recon method, and I was bored with automatic recon. Thank you so much for sharing a great way!💪💪

@PathologicallySane 4 жыл бұрын

Thank you 3000! This series is awesome and then some. Keep it up.

@Shogunxd3-vp9jv 4 жыл бұрын

Thank you thank you! These are beyond amazing for a first timer like myself.

@simone8504 4 жыл бұрын

Thank you for sharing the whole process of starting and looking for a target on a real website! I was a bit confused and this helped me👍

@InsiderPhD 4 жыл бұрын

Glad it was helpful! I know it can be really intimidating to get started when you don't know what to look for!

@shubhamtripathi9902 2 жыл бұрын

Exactly I'm soooo happy for this

@Raj_darker 4 жыл бұрын

Thanks a Lot for 2nd part :) Keep Posting about Other Bug videos!!

@pentestical 4 жыл бұрын

Thanks for this! It helps me really out🍀

@fabiosanchez9595 4 жыл бұрын

Thanks for the video, I think I can start reviewing programs to get to know burp suite. I do not know if it happens to others, but the volume of the video is very low and although with headphones I do not listen well.

@EdwardAmarh-01 4 жыл бұрын

Thanks @InsiderPhD for this video, really easy to follow

@StefanRows 4 жыл бұрын

Thanks Katie :)

@rainsharpay4090 4 жыл бұрын

this is what i am looking for,cool !

@logmantarig 3 жыл бұрын

Thank you so much that was super useful

@littlenikki1105 4 жыл бұрын

Hey just wanted to say thank you for making your videos so helpful do you stream?

@InsiderPhD 4 жыл бұрын

No I don’t know if I could stream anything interesting enough to watch! Thank you for you kind comment

@LokeshKumar-tk7ri 2 жыл бұрын

Thank you so much ma'am

@danielhemmati 4 жыл бұрын

thanks🙏

@tommysuriel 4 жыл бұрын

Thank you so much for this video. So, just to be clear about your process for finding IDORS. 1) You use the app/site and watch all the requests on burpsuit looking for apis that have Ids. 2) Once you find the ones you think might be vulnerable, you go back to the website, intercept with burp, and start submitting requests related to those apis and changing IDs until something works. Is this correct?

@InsiderPhD 4 жыл бұрын

Yup, you need a little patience but you can automate some of process, I highly recommend a video by STÖK on the topic with Fisher

@tommysuriel 4 жыл бұрын

@@InsiderPhD Thank you. I'll keep trying :). I'll check that video too

@InsiderPhD 4 жыл бұрын

As a bonus tip: try to focus on newer features of established apps OR older apps. They tend to be more common when code doesn’t have great quality control. If you organise your endpoints into a spreadsheet to check each other systematically

@tommysuriel 4 жыл бұрын

@@InsiderPhDThank you so much :). Really appreciate this

@actual_0xatul 4 жыл бұрын

I saw you were planning to make a video about RCE on twitter. When are you planning to publish it?

@InsiderPhD 4 жыл бұрын

It’s scheduled for the 28th right now :)

@onions5113 4 жыл бұрын

Thank you for sharing your video, but i have a question does automation is better than manual explore?

@InsiderPhD 4 жыл бұрын

Manual exploration is great especially when you start out, and as you become more confident you can then say 'okay what do I want to automate?' and you'll have a clearer idea of exactly what you want to do

@onions5113 4 жыл бұрын

@@InsiderPhD but automation is useful to when it comes to low bounty $100?

@onions5113 4 жыл бұрын

@@InsiderPhD or it depends on bug

@goooooo9197 4 жыл бұрын

really thxs u sister

@birb9254 4 жыл бұрын

What do you do about the subdomains that doesn't really do much that you collected during recon? and how do you stick to a program when you can only do so much in a website and never run out of things to do?

@InsiderPhD 4 жыл бұрын

I would start questioning whether or not a target is actually above my skill level, and especially for static websites or websites with limited user interaction for a beginner you’re likely to not find anything. I talked about giving up more in my last video

@birb9254 4 жыл бұрын

@@InsiderPhD okay i'll look into it. Many thanks

@maddo8293 4 жыл бұрын

Great video! The video sound is a bit low if you could fix that it would be awesome.

@talishgarg1151 4 жыл бұрын

How do i use like 2 accounts of some website with burp without logging out to show poc

@InsiderPhD 4 жыл бұрын

You can copy the cookies from one request and paste them when you repeat the request in burp :)

@mrx6555 4 жыл бұрын

Why you dont use linux?

@InsiderPhD 4 жыл бұрын

I use a lot of assistive software so Linux doesn’t really work for me. I don’t see any advantage, only disadvantages (more confusing because I am not used to it, doesn’t have the software I need, etc)