Finding Your First Bug: Manual IDOR Hunting

Views: 75,400

InsiderPhD

1 day ago

Hi everyone, welcome to the third video in the "Finding Your First Bug" series. In this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out and finally do a practical example with Burp on a real target.
In this video, we'll be talking about IDORs (Insecure Direct Object Reference), which is a fancy term for 'the application didn't authenticate an endpoint correctly'. These are great first bugs: they don't require any technical knowledge and you can just use Burp to find them.
0:00 - Theory: what is an IDOR and how to find them
8:21 - Case studies: 7 examples of IDORs which have paid out
27:28 - Practical Burp: Looking at the Hacker101 CTF level "postbook"
-- Case Studies --
- Response program can create bounty table - $500: hackerone.com/reports/460920
- [IDOR] Deleting other people's tasks - $300: hackerone.com/reports/293845
- IDOR bug to See hidden slowvote of any user even when you dont have access right - $300: hackerone.com/reports/661978
- Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts - $1,500: hackerone.com/reports/320173 and www.jonbottarini.com/2018/01/...
- Replace other user files in Inbox messages - $1,000: hackerone.com/reports/322661
- Low Privileged user able to add new Geographical settings to the Admin account. - $750: hackerone.com/reports/420130
- Validation message in Bounty award endpoint can be used to determine program balances - $1,500: hackerone.com/reports/293299
- IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users - $10,500: hackerone.com/reports/415081
-- You Should Also Watch --
Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - STÖK - • Burp Suite tutorial: I...
-- Social Media --
- Twitter: / insiderphd
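The description above defines an IDOR as an endpoint that looks an object up by a client-supplied id without checking that the caller may act on it, and the replies below describe the manual check: collect the endpoints, then replay them with a lower-privilege user's cookies. The following is an added example, not code from the video, the Hacker101 "postbook" level or any program listed above. It models a tiny in-memory postbook with a vulnerable handler beside its fixed form, and turns the manual cookie-swapping check into an authorization matrix test. Every name, cookie value and post in it is a constructed assumption.

```python
# Added example (not the video's or Hacker101's code): a minimal in-memory
# "postbook"-style app showing an IDOR next to its fix, plus an authorization
# matrix test that exercises the endpoint with every role and object. All
# names, cookie values and data are constructed assumptions.
from dataclasses import dataclass


class Unauthenticated(Exception):
    """No valid session cookie was presented."""


class Forbidden(Exception):
    """The session is valid but may not act on this object."""


@dataclass
class Post:
    id: int
    owner: str
    body: str


# Constructed sample data: two ordinary users and one admin.
POSTS = {
    1: Post(1, "alice", "alice's private note"),
    2: Post(2, "bob", "bob's private note"),
}
SESSIONS = {"cookie-alice": "alice", "cookie-bob": "bob", "cookie-admin": "admin"}
ROLES = {"alice": "user", "bob": "user", "admin": "admin"}


def current_user(cookie: str) -> str:
    """Authentication only: map a session cookie to a username."""
    if cookie not in SESSIONS:
        raise Unauthenticated(cookie)
    return SESSIONS[cookie]


def get_post_vulnerable(cookie: str, post_id: int) -> str:
    """IDOR: the caller is authenticated, but the post is looked up purely by
    the client-supplied id, so any logged-in user can read any post."""
    current_user(cookie)
    return POSTS[post_id].body


def get_post_fixed(cookie: str, post_id: int) -> str:
    """Fixed: object-level authorization, decided on the server from the
    session's identity rather than from anything the client sent."""
    user = current_user(cookie)
    post = POSTS.get(post_id)
    # Deny missing and foreign posts with the same error so the response
    # does not tell a caller which ids exist.
    if post is None or (post.owner != user and ROLES[user] != "admin"):
        raise Forbidden(post_id)
    return post.body


def authz_matrix(handler, cases):
    """Run one endpoint handler over (cookie, post_id, expected_allowed) cases
    and return the cases whose outcome differs from the expectation."""
    violations = []
    for cookie, post_id, expected in cases:
        try:
            handler(cookie, post_id)
            allowed = True
        except (Unauthenticated, Forbidden, KeyError):
            allowed = False
        if allowed != expected:
            violations.append((handler.__name__, cookie, post_id))
    return violations


# Expectation table: each principal against each object, plus an
# unauthenticated caller and a non-existent id.
CASES = [
    ("cookie-alice", 1, True),
    ("cookie-alice", 2, False),   # bob's post must be denied to alice
    ("cookie-bob", 1, False),     # alice's post must be denied to bob
    ("cookie-bob", 2, True),
    ("cookie-admin", 2, True),    # admin may read any post
    ("not-a-session", 1, False),  # no session at all
    ("cookie-alice", 99, False),  # unknown id
]

if __name__ == "__main__":
    for handler in (get_post_vulnerable, get_post_fixed):
        print(handler.__name__, authz_matrix(handler, CASES))
```

Running the matrix against the vulnerable handler reports the two cross-user reads; against the fixed handler it reports nothing. The same table-driven check is what Burp extensions like Autorize do for a live application, and keeping a version of it in the application's own test suite is how a team stops the bug from coming back after the fix.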

Comments: 85
@ark3r745 4 years ago
The best and most honest bug bounty hunter in the sec community, you have no idea about the help that you are doing to others .... thanks a lot
@ggmaxx66 3 years ago
"populate burp with admin endpoints then hit them all as a user..." a golden nugget for me, thanks!
@encodedguy9182 4 years ago
Thank you so much, I heard about IDOR somewhere but didn't understand it at that time. After watching your video it is so much clearer to me now. Thank you so much
@bobmatley6138 3 years ago
your videos actually explain hacking in the purest and most direct way! I am learning so much! I plan to literally memorise all your videos!
@myname-mz3lo 3 years ago
you explain things so well and are very thoughtful of what it's like to be a beginner, thank you
@eed5278 4 years ago
You're amazing. Thanks for contributing to the community, I hope to be able to do the same one day :)
@InsiderPhD 4 years ago
Please do! It's all I ask of my viewers who enjoy my content: please contribute back to the community by sharing resources, talking to other newbie hackers, writing up interesting things they've found or even re-explaining a resource for humans. There's a lot someone can contribute even if they haven't found their first bug yet.
@yodamaxwell 2 years ago
Thank you very much for the explanation, keep up the good work!
@abj1985 2 years ago
Very nicely explained. Thank you.
@mohitnegi552 3 years ago
amazing video for bug hunters, thank you so much
@rajatdutta8365 3 years ago
Nice explanation, really appreciate it. Thanks again
@StefanRows 4 years ago
Great explanation Katie! Thanks!
@lilp4p1 3 years ago
Really good practical demo tbh, even if it's a CTF I do find it very instructive
@regulator5 4 years ago
Very helpful. Keep making videos, please.
@anujpatel1654 2 years ago
I am going to watch every single video on your channel
@cutyoursoul4398 3 years ago
Super useful video, thanks
@droidhackerr 3 years ago
You are the first and best 🖤💯
@aashikyadav4439 4 years ago
IDOR = Insecure Direct Object Reference, which tells you fucking nothing. Your voice is amazing, I'm loving it and you are doing great. Thank you for this.
@m.alaiady3627 4 years ago
I was really confused about this IDOR term, but after watching this video it really helped me a lot and it satisfied my points .. thanks again 🙏🏻
@Mike-vq7hl 3 years ago
Thank you for your work
@jadigger8695 3 years ago
Ohhh mike 069 * _ *
@santiagosurt3825 1 year ago
I'm a noobie and this video is amazing for people like me, thanks!
@justtsanjint626 4 years ago
Thank you for the video
@theodorpapa4710 1 year ago
really nice video, I'm 15 and trying to learn BBH, especially IDORs, nice video
@Agung-yk7hr 4 years ago
Your video is very easy to understand, can you upload more videos 😁😁
@olivia7988 3 years ago
Very useful!! Thanks
@nornsalon3646 4 years ago
You're the best!
@benasin1724 4 years ago
Great video
@opeyemei6011 4 years ago
This is good.. thanks
@trieulieuf9 4 years ago
Me when submitting a report: write everything carefully, double check, accept my report please. The guy at 13:03: Fix this!
@cyberpirate007 3 years ago
Why did you delete your h1 account??
@trieulieuf9 3 years ago
@@cyberpirate007 no, I am still here, hackerone.com/trieulieuf9?type=user
@chrisMa001 3 years ago
Thank you for the great content. I am a beginner and would like to know how to create a working PoC to demonstrate how an attacker would use the IDOR vulnerability to attack? Thank you
@steev910 4 years ago
ohhh thank you so
@rushic24 4 years ago
OMG you're the best, can you please make OWASP top 10 hunting.
@InsiderPhD 4 years ago
Soooooon(tm)
@nikhilmaan9498 2 years ago
thank you so much, I found my first bug
@hossamshady1383 4 months ago
you are great
@alexnieto3136 4 years ago
This is one of the finest videos I have seen on this matter. I have a question: when pentesting Android apps through the Google Play program, is it valid for a bounty to find IDORs in the endpoints that the Android app uses (not in the Android code itself)?
@InsiderPhD 4 years ago
This is debatable; some programs will count that as the Android app and some as the API. If the Android app is in scope without excluding the API, I would say that it is valid. I think it's a great easy way to get into Android pentesting though! You can definitely find some low-hanging-fruit bugs!
@baravind719 4 years ago
Need that doc
@ahmed_gamal2006 3 years ago
You are amazing, your videos are really helping me. Just one question: what do you mean by "find endpoints"? Thank you.
@InsiderPhD 3 years ago
An endpoint is just a URL which does something on a web app. For example, if you have mywebsite.com/users/changeProfilePicture which changes the profile picture, that's an endpoint. When I say find them, I mean do things on the application to fill up Burp with lots of URLs until you find something with an ID!
@ahmed_gamal2006 3 years ago
@@InsiderPhD Thank you for the reply
@AndrejMoharWeb 4 years ago
Hello! Thank you so much for so many great videos. I especially like how all of them are geared towards becoming a real professional in the field. I do have a question, though: I've heard in your videos (and many others, like Stok's) that you mention using privileged (and unprivileged) accounts, alongside being signed out. I was wondering how bug hunters usually get a privileged account, seeing as you usually can't just create one (you can usually create just an unprivileged user account). Does that mean only on programs that support that, or is there usually a possibility to contact them and get a test high-privilege account? Thanks!
@InsiderPhD 4 years ago
Yeah, you're correct. When we say that, we're talking about applications with permission levels that we can access, so on an app like WordPress we have access to admin, user and guest by creating our own blogs, but for something like email we only have access to a user, so that's all we can test.
@bugsbunny6286 4 years ago
Any tool to easily guess these different id parameter variables?
@mooreprr8067 2 years ago
You are fucking amazing! sending all positive vibrations your way :)
@Nick-cy2qd 3 years ago
If you (Burp actually) find "password in the URL" of a GET, is that a type of IDOR and how do I proceed?
@sarahconnorh4609 2 years ago
I have been looking for IDORs for days now but couldn't find at least one very low... Any idea what I'm doing wrong?
@bobmatley6138 3 years ago
With IDORs, the entry point for IDORs can be used for other injection attacks. If an IDOR was a UID0=, and the UID was querying the users DB, then can you launch other injection attacks, like SQL injection or stored XSS?
@InsiderPhD 3 years ago
Yup, absolutely, this is actually something in the OWASP top 10, as often they aren't sanitised properly :)
@BearMeOut 4 years ago
Maybe other people will be successful bug hunters in the future after watching the video. If it was me, after I got my first $10k from a bounty, I'm gonna donate back to the many education YouTubers who put out free stuff like this. If you don't feel okay taking Patreon money, maybe put up a link to a charity organization that you like. Thanks for doing this! Looking forward to more videos!
@InsiderPhD 4 years ago
I only ask that people pay it forward: write about a bug you find, get involved in the community, help purchase learning materials for others, mentor someone, give out some tips on Twitter. I'm far more interested in people helping others to learn and join this community than money!
@tommysuriel 4 years ago
I've been bug hunting for about a month now. I've been looking for IDORs, CSRFs, XSS, HTML injection and open redirects. I can't find any websites (domains and subdomains) on H1 or Bugcrowd vulnerable to these vulnerabilities. I admit though that for XSS I only know the basics and how to use a payload list in Burp Suite. But still I can't find anything. Any tips? Should I focus on the more advanced ones like RCE and SQL injection?
@InsiderPhD 4 years ago
I think you just need to keep at it. I know it's frustrating, but they are there. Maybe look into a less crowded space like mobile? Might be worth a shot. Ignore SQL injection and RCEs, you won't find one; they are for people with years of security experience. My top pieces of advice: 1) make sure you check everything, even endpoints which may not be particularly useful 2) focus on bugs which can generate impact and be constantly on the lookout for them 3) cast a wide net, and keep trying; if you find public programs too difficult, get invites to private programs via stuff like the Hacker101 CTF 4) find a niche, maybe learn mobile stuff, maybe go deep into learning a ton about APIs 5) keep trying! Bug hunting is harder than it looks, but you will get there if you try
@tommysuriel 4 years ago
@@InsiderPhD Thank you so much, and thanks for your videos
@fuckitimsayingit3335 4 years ago
It takes time to find your first one! It gets easier tho, the best thing you can do is keep trying.
@almmathis 4 years ago
I became WAY more interested once she started cussing. My attention was fading... and the keywords popped me right back in!
@InsiderPhD 4 years ago
LMAO! I'll have to start swearing more!
@almmathis 4 years ago
@@InsiderPhD On a serious note, I have watched most of your videos at this point! Really good content, likes and subs from me!
@mubashirparay545 4 years ago
Very good content, I am glad to find such content. THANKSS!! Ma'am. One thing, why are you exhaling so heavily sometimes? Is it the excitement of capturing the flag or some other issue?
@InsiderPhD 4 years ago
Haha I'm just asthmatic and a bit nervous when I make videos!
@w0lverinew0lverine19 4 years ago
you are amazing. great content. how can I contact you?
@syedumararfeen8146 4 years ago
The word should be authorization rather than authentication for IDORs. Other than that, nice video.
@InsiderPhD 4 years ago
Thank you for the correction!
@swaysthinking838 4 years ago
Can anyone explain to me easily what she means when she's talking about endpoints? Thanks. 7:41
@InsiderPhD 4 years ago
Endpoint just means a webpage you can send stuff to. So what I'm saying is, if you see something in Burp like /pages/admin/createPost, you should replace the cookies of an admin user with those of a lower-permission user, e.g. a guest user. I hope this helps!
@swaysthinking838 4 years ago
@@InsiderPhD So you mean when we are on some sort of admin endpoint, replacing the admin's cookies with a lower-permission user's cookies (for example, the session id) is an example of IDOR?
@rawkstar952 3 years ago
hello Katie. Is Intigriti limited to European hackers only?
@InsiderPhD 3 years ago
Nope! It's just that they focus on European hackers! You can hack on any platform from anywhere :)
@rawkstar952 3 years ago
@@InsiderPhD thank you so much. By the way, I'm currently on Intigriti and trying to find an info disclosure whilst watching your tips and tricks on how to do so. Good luck to me!
@muhammadhaleemkhan4186 4 years ago
what are endpoints? I'm really confused
@InsiderPhD 4 years ago
'Endpoints' are the final URL that you access. So www.mywebsite.com/folder/ wouldn't be an endpoint but www.mywebsite.com/folder/file.php would be
@muhammadhaleemkhan4186 4 years ago
@@InsiderPhD ohhh thanks a lot... I was expecting it.. you are my mentor in bug bounty... thanks a lot...
@chriswang6674 4 years ago
@@InsiderPhD Thank you for your explanation. As a newbie, I didn't know the meaning of endpoint before I found this comment.
@fakermankumar1327 3 years ago
why is everything distorted at 1080p
@InsiderPhD 3 years ago
Older video and I wasn't great at video editing! Should I remake it? 🤔
@fakermankumar1327 3 years ago
@@InsiderPhD it's OK
@watchandgainknowledge 3 years ago
I can't stop laughing, LMAO
@jeannasrallah730 3 years ago
COOKIES. If I just replace the cookies and get 200 OK, then get access to the account, will it be considered an IDOR? Please help!
@jeannasrallah730 3 years ago
I recently reported one like that. It will be my first bug!!