Bug bounty tips for broken access control on BurpSuite Part 1: Using match replace and Authmatrix

  • Published 3 Aug 2024
  • In this tutorial, you will learn how I test for broken access control and achieve privilege escalation on web applications. I go from manual to semi-automated approaches. All the testing approaches are free and accessible to everyone, not just Burp Pro users.
    📙 Become a successful bug bounty hunter: thehackerish.com/a-bug-bounty...
    🆓 Download your FREE Web hacking LAB and start hacking NOW: thehackerish.com/owasp-top-10...
    🌐 Read more on the blog: thehackerish.com
    💪🏻 Support this work: thehackerish.com/how-to-support
    - Facebook Page: / thehackerish
    - Follow us on Twitter: / thehackerish
    - Listen on Anchor: anchor.fm/thehackerish
    - Listen on Spotify: open.spotify.com/show/4Ht8jEb...
    - Listen on Google Podcasts: podcasts.google.com/?feed=aHR...
    Soundtrack:
    Daily Beetle by Kevin MacLeod is licensed under a Creative Commons Attribution license (creativecommons.org/licenses/... incompetech.com/music/royalty-... incompetech.com/
    Thumbnail:
    Photo by Chris Barbalis on Unsplash

Comments • 58

  • @revolution1433 3 years ago +12

    Your tutorials are great, please keep posting! I barely comment on youtube, but you deserve the encouragement.

    • @thehackerish 3 years ago +1

      Oh! Thanks a lot! I am humbled

  • @R4z0r_arg 2 years ago +2

    Amazing tutorial mate! Thanks! :)

  • @ReligionAndMaterialismDebunked 1 year ago

    Thanks a bunch for the sessions plugin recommendation! :3

  • @novosecurity6823 4 years ago +3

    Good videos 😊 keep posting and share your knowledge

  • @dohnjoe4907 4 years ago +2

    The videos are great!

  • @thesmartguy3523 4 years ago +6

    Good tutorial dude 😁 Just a hint for other curious souls - if you are willing to inspect what the JWT token contains, you can visit JWT.io and paste your token and you're good to go.
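
Decoding a JWT is plain base64url, so the inspection the comment above describes can also be done locally instead of pasting a token from a live target into a third-party site. The following is an added Python example, not code from the video or the channel; the tokens are constructed here and signed with a throwaway HS256 secret purely so they have a realistic shape. It also diffs the claims of two test accounts' tokens, which tells you which identifiers (sub, email, user id) to look for in request URLs and bodies when hunting for IDORs:

```python
import base64
import hashlib
import hmac
import json

# Throwaway HS256 secret used only to sign the constructed demo tokens so their
# structure is realistic. It is not a secret from any real application.
DEMO_SECRET = b"demo-secret-not-from-any-real-app"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit the '=' padding; restore it or b64decode raises.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def make_demo_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWS for the demo (constructed tokens only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT verifying the signature: the same view
    jwt.io gives, done offline. It tells you what the issuer put in the token,
    not that the token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
    }


def verify_hs256(token: str, secret: bytes) -> bool:
    """Signature check; only possible when you hold the secret (i.e. you are the server)."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def differing_claims(token_a: str, token_b: str) -> dict:
    """Claims that differ between two test accounts' tokens. These are the
    per-user identifiers worth searching for in captured requests."""
    a = decode_jwt(token_a)["payload"]
    b = decode_jwt(token_b)["payload"]
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

Editing the payload of user A's token to carry user B's `sub` produces a token whose signature no longer verifies, which is why the technique in the video swaps whole tokens between two accounts you own rather than forging claims; the signature, not the decodable payload, is what binds a token to a user.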

  • @msalih 4 years ago

    awesome

  • @rrashi4484 3 years ago

    Dude! more videos please....

  • @rohitgupta-es4fd 3 years ago

    awesome video

  • @mdatikqurrahman8376 3 years ago +1

    awesome. A lot of new information. I appreciate your efforts

  • @ajaykumark107 4 years ago +5

    I think renaming this video as Using Autorize and Autorepeater would fetch you more views

    • @thehackerish 4 years ago

      Good idea! I will add them

  • @msalih 1 year ago +1

    1- send the original requests to authmatrix
    2- set the attacker auth headers and cookies to authmatrix (add user and send cookie )
    3- RUN
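
The three steps above, and the JWT-swapping idea the author describes in the replies further down (replay user A's captured requests with user B's token and watch for a non-owner getting a success response), as an added Python example. This is not code from the video, from Burp or from the AuthMatrix extension: the target API, the two test accounts, their opaque placeholder tokens and the basket store are all constructed in the script, and an `enforce_ownership` switch flips the fake API between the vulnerable and the fixed behaviour so you can see what the red and green cells of the matrix correspond to:

```python
from dataclasses import dataclass

# Constructed demo data: two test accounts you own, plus an anonymous row.
# Tokens are opaque placeholders, not real JWTs.
TOKENS = {"userA": "tokA-3f9c", "userB": "tokB-7d21"}
TOKEN_TO_USER = {tok: user for user, tok in TOKENS.items()}
PRINCIPALS = ["userA", "userB", "anonymous"]

# Constructed resource store: baskets referenced by ID, each owned by one user.
BASKETS = {
    "1": {"owner": "userA", "items": ["apple", "pear"]},
    "2": {"owner": "userB", "items": ["banana"]},
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict


def fake_api(req: Request, enforce_ownership: bool) -> int:
    """Stand-in for the target: authenticates the bearer token, then serves
    GET /basket/<id>. With enforce_ownership=False the server trusts the ID in
    the URL and never checks who owns basket <id>: that is the IDOR.
    Returns only the HTTP status, which is all the matrix needs here."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    user = TOKEN_TO_USER.get(auth[len("Bearer "):])
    if user is None:
        return 401
    parts = req.path.strip("/").split("/")
    if req.method == "GET" and len(parts) == 2 and parts[0] == "basket":
        basket = BASKETS.get(parts[1])
        if basket is None:
            return 404
        if enforce_ownership and basket["owner"] != user:
            return 403
        return 200
    return 404


def with_principal(req: Request, principal: str) -> Request:
    """Rewrite the Authorization header for another principal. A Burp
    match/replace rule on the Authorization header does exactly this to every
    request sent from user A's browser session; 'anonymous' strips the header."""
    headers = {k: v for k, v in req.headers.items() if k.lower() != "authorization"}
    if principal != "anonymous":
        headers["Authorization"] = "Bearer " + TOKENS[principal]
    return Request(req.method, req.path, headers)


def auth_matrix(captured, enforce_ownership: bool) -> dict:
    """AuthMatrix-style table: every captured request replayed as every
    principal. Returns {"GET /basket/1": {"userA": 200, "userB": 403, ...}}."""
    matrix = {}
    for req in captured:
        key = f"{req.method} {req.path}"
        matrix[key] = {p: fake_api(with_principal(req, p), enforce_ownership) for p in PRINCIPALS}
    return matrix


def find_broken_access(matrix: dict, captured_as: str) -> list:
    """Cells AuthMatrix would colour red: a principal other than the one the
    request was captured as got a success response. Success is 2xx here; on a
    real target also compare body length or content, because some apps answer
    200 with an empty or generic body."""
    findings = []
    for key, row in matrix.items():
        for principal, status in row.items():
            if principal != captured_as and 200 <= status < 300:
                findings.append((key, principal))
    return findings


def captured_session_userA() -> list:
    """Constructed: requests proxied through Burp while browsing as user A."""
    h = {"Authorization": "Bearer " + TOKENS["userA"], "Host": "shop.example.test"}
    return [Request("GET", "/basket/1", h), Request("GET", "/basket/99", h)]
```

Run `find_broken_access(auth_matrix(captured_session_userA(), enforce_ownership=False), "userA")` and the only finding is userB reading basket 1; with `enforce_ownership=True` the same cell becomes 403 and the list is empty. The anonymous row is worth keeping in a real matrix too: an endpoint that answers 200 with no token at all is a finding of its own.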

  • @thaihungnguyen6738 2 years ago

    Can someone recommend another extension for Firefox, please?

  • @nogoodhacker6944 3 years ago

    I've got a doubt..
    I actually used the auth bearer and succeeded but couldn't report it since it is out of scope... my doubt is, can I just report it if this is actually possible??
    wouldn't they ask, "could you explain how you got the auth bearer in the first place"? or would they just reward me??
    The video is super-awesome and I realized that I found a bug finally!
    BTW can you please clear my doubt if you/someone sees this comment??
    Thank you very much for sharing your knowledge

    • @thehackerish 3 years ago +1

      The exploit is not against the Bearer token. The vulnerability is the IDOR where the ID is not checked. Using the JWT token is just a way to automate the discovery of IDORs using two users, hence two JWTs. If you can replay the same request against a resource which doesn't belong to the user, then it is worth reporting. Otherwise, it is not a vulnerability.
      I hope this helps.

    • @nogoodhacker6944 3 years ago

      @@thehackerish yeah, but I was able to replace auth bearer, ❤️

  • @shivangraina9698 4 years ago +1

    Does the bug have high impact if a refresh token is used? Also how to prevent it if your access token gets stolen?

    • @thehackerish 4 years ago +2

      If you can steal the JWT token, you can also do the same for the refresh token since they are typically stored in the web browser. To prevent that, you need to make sure you don't have XSS, implement CSP for added security and implement proof-of-possession, which is documented in the JWT standard.

    • @shivangraina9698 4 years ago +2

      @@thehackerish thankyou so much for the video. Great content.

  • @navinvenkatesan9784 4 years ago

    Can you put videos on all the best extenders? This video until Authmatrix is good and after that a little bit confusing, so please try to explain that in another video

    • @thehackerish 4 years ago

      Sorry for the confusion. Tell me what you didn't understand exactly to see what I can do.

    • @navinvenkatesan9784 4 years ago +1

      @@thehackerish Authmatrix itself is confusing, and the color showing red and green; if you could explain that shortly, that's enough, please explain more
      And please post videos of other best extenders

  • @dishant_singh4556 1 year ago

    If I am able to use the victim's JWT in my account and am able to change any info, will it be eligible or not?

    • @thehackerish 1 year ago

      Nope, the video explains how to find broken access control using two test accounts. If you can use jwt1 to access/edit/delete resources of user2, then it's an issue.

    • @dishant_singh4556 1 year ago

      @@thehackerish like I am copying the JWT of account A and then using this JWT of account A in account B. And the session of account A is destroyed after logging into account B but somehow I am still able to see user A's PII info and able to change its profile picture, so can I report it?

    • @thehackerish 1 year ago

      @@dishant_singh4556 JWTs have an expiration time. Generally, when you logout it will still work for some time unless the dev has blacklisted the JWT upon logout. If you report it, you risk getting informative or a low, but read the policy for any mention of session logout being out of scope.
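
What the reply above describes, as an added Python example (not the video's or any real application's code): a minimal server-side denylist keyed on the token's `jti` so that logout actually invalidates a JWT before its `exp`, next to the logout-then-replay check a tester would run. Claims are constructed dicts and the signature is assumed to have been verified already; `honour_logout=False` models an app whose logout is purely client-side.

```python
class JwtDenylist:
    """Server-side revocation for stateless JWTs: remember the jti of each
    logged-out token until its exp, after which the token is rejected anyway,
    so the denylist never grows beyond the number of live tokens."""

    def __init__(self):
        self.revoked = {}  # jti -> exp

    def logout(self, claims: dict) -> None:
        self.revoked[claims["jti"]] = claims["exp"]

    def accept(self, claims: dict, now: int, honour_logout: bool = True) -> bool:
        """Assumes the signature was already verified. With honour_logout=False
        the server ignores the denylist, which is the behaviour described above:
        the token keeps working after logout until exp."""
        if now >= claims["exp"]:
            return False
        if honour_logout and claims["jti"] in self.revoked:
            return False
        return True

    def purge(self, now: int) -> int:
        """Drop entries whose tokens have expired; returns how many were dropped."""
        stale = [jti for jti, exp in self.revoked.items() if exp <= now]
        for jti in stale:
            del self.revoked[jti]
        return len(stale)


def logout_replay_check(store: JwtDenylist, claims: dict, now: int, honour_logout: bool) -> dict:
    """The tester's check: use the token, log out, replay the same token, then
    replay once more after exp has passed. Constructed claims, no network."""
    before = store.accept(claims, now, honour_logout)
    store.logout(claims)
    after = store.accept(claims, now + 1, honour_logout)
    expired = store.accept(claims, claims["exp"], honour_logout)
    return {"before_logout": before, "after_logout": after, "after_exp": expired}
```

A result of `after_logout: True` is the "still works after logout" case from the thread; whether that is reportable depends on the program's policy, as the reply says, but the `after_exp` value should always be `False` regardless.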

  • @rajupaswan5111 1 year ago

    How can I find bugs or hack banking sites? Can you explain in a video

    • @thehackerish 1 year ago

      Check the pentesting playlist out, tons of videos on just that

  • @sohailbzioui8323 4 years ago

    What is the impact of broken access control?

    • @thehackerish 4 years ago

      It depends on the vulnerable request. Examples: access or update profile data of other users, access admin features, etc.

  • @SankizTime 3 years ago +1

    How to get AUTH header?

    • @thehackerish 3 years ago

      From your test accounts. The objective here is to probe for IDORs, not getting AUTH headers.

  • @authenticworld7271 3 years ago

    I want to learn bug bounty... Can you help me... please 🙏🙏

    • @thehackerish 3 years ago

      Yes, read as much as you can and never stop hacking!

  • @ZZ-vz9in 3 years ago +1

    How do hackers hack a web application and encrypt all devices connected to that application? Like what happened with the "FireEye" company, do you know something about this tutorial?
    I am very interested to know how this kind of cyber attack happens,
    And thank you for the helpful videos

    • @thehackerish 3 years ago +2

      Threat intelligence reports are a great source of knowledge for you. I suggest you read some...from FireEye itself :)

    • @ZZ-vz9in 3 years ago

      Yes, this is true, but there is no detail that I need. I tried to analyze the reports, but I did not get the required knowledge. Please, teacher, post a set of lessons on how to do this, and thank you again. I look forward to seeing something similar on your channel

  • @amanSingh-bl3um 1 year ago

    But the question is how will I get the victim's token.

    • @thehackerish 1 year ago

      That's the wrong question. You use this technique to test broken access control between two test accounts

  • @angeldavatos9800 3 years ago

    Ahm, hello, just wanna ask something cause it's so complex.
    If I can set the victim's user account to private/public by changing my authorization header into the victim's, is this a valid bug? Cause I don't understand how to show the impact, cause what if they ask me how I got the auth header value?

    • @thehackerish 3 years ago

      I don't think this is a bug unless you can choose the account by an ID. Generally, the feature you mention would need only the JWT to process the request.

    • @angeldavatos9800 3 years ago

      @@thehackerish but why here do you just change the auth header value? Can you explain to me what's the difference, thanks

    • @thehackerish 3 years ago

      @@angeldavatos9800 Sure, here I am using the JWT swapping technique to test if I can control the victim's basket, which is referenced by ID.

  • @SimplyHackss 4 years ago +2

    first !

  • @asterfiester 3 years ago +1

    The main problem is.. When we submit this kind of vulnerability.. They will ask one question.. How was the JWT token obtained..😂😂 Lol😂

    • @thehackerish 3 years ago +1

      It is not about the JWT, but the identifier that suffers from IDOR

    • @0xbitbybit 1 year ago +1

      @@thehackerish What identifier are you referring to? Isn't any identifier irrelevant if there's no way for an attacker to get the JWT in the first place? The identifier can have all the IDORs it likes if it's not possible for anyone to get the victim's JWT. What am I missing here?

    • @thehackerish 1 year ago

      @@0xbitbybit the point is not the JWT, it's the data accessible by userA that belong to userB. Both JWTs are linked to test accounts to help broken access control testing