The best and most honest bug bounty hunter in the sec community, you have no idea about the help that you are doing to others .... thanks alot
"populate burp with admin endpoints then hit them all as a user..." a golden nugget for me, thanks!
I watched this video one and a half months ago and was able to identify a function prone to IDOR. I spent 20 days on that function and at the end I was able to bypass the access controls and view invoices, billing addresses and finance records. My report is triaged and waiting for bounty. Thank you, this video really gave me an idea where to look for IDORs :) But now I am watching it again since I started API hacking, and I hope I will learn something new again in this video about API hacking.
NICE, now you need to unsubscribe because you are a pro ;)
Hi, I adore your report.
Please help me, I am learning. I am studying only IDOR.
I am going to watch every single video on your channel
Your videos actually explain hacking in the purest and most direct way! I am learning soo much! I plan to literally memorise all your videos!
idor = Insecure Direct Object Reference which tells you fucking nothing .
your voice is amazing im loving it and you are doing great. thank you for this.
Thank you so much. I heard about IDOR somewhere but didn't understand it at that time. By watching your video it is so much clearer to me now. Thank you so much.
You explain things so well and are very thoughtful of what it's like to be a beginner, thank you.
amazing video for bug hunters thankyou so much
You're amazing. Thanks for contributing to the community, I hope to be able to do the same one day :)
Please do! It's all I ask of my viewers who enjoy my content to please contribute back to the community, by sharing resources, talking to other newbie hackers, to write up interesting things they've found or even re-explain a resource for humans, there's a lot someone can contribute even if they haven't found their first bug yet.
Me when submitting a report: write everything carefully, double check, accept my report please.
The guy in 13:03 : Fix this!
Why u deleted your h1 account ??
@cyberpirate007 no i am still here, hackerone.com/trieulieuf9?type=user
Really good practical demo tbh, even if it's a CTF I do find it very instructive.
Thank you for this great explanation
Thank you very much, for the explanation, keep up the good work!
Really nice video. I'm 15 and trying to learn bbh, especially IDORs. Nice video.
I'm a noobie and this video is amazing for people like me, thanks!
Thank you for your work
Ohhh mike 069 * _ *
Very nicely explained. Thank you.
You are the first and best 🖤💯
Your video is very easy to understand, can you upload more videos 😁😁
I really was confused about this IDOR term, but after watching this video it really helped me a lot and it satisfied my points.. thanks again 🙏🏻
Nice explanation, really appreciate it. Thanks again
Very helpful. Keep making videos, please.
Thank you for the great content, I am a beginner and would like to know how to create a working PoC to demonstrate how would an attacker use the idor vulnerability to attack? Thank you
Great explanation Katie! Thanks!
You are amazing, your videos are really helping me. Just one question: what do you mean by "find endpoint"?
Thank you.
An endpoint is just a URL which does something on a web app, like if you have mywebsite.com/users/changeProfilePicture which changes the profile picture, that's an endpoint. When I say find them I mean do things on the application to fill up Burp with lots of URLs until you find something with an ID!
@InsiderPhD Thank you for the reply
Super useful video, thanks
excellent video
thank you soo much i found my first bug
Hello! Thank you so much for so many great videos. I especially like how all of them are geared towards becoming a real professional in the field. I do have a question, though: I've heard on your videos (and many others, like Stok's) that you mention using privileged (and unprivileged) accounts, alongside being signed out. I was wondering how do usually bug hunters get a privileged account, seeing as you usually can't just create one (you can usually create just an unprivileged user account). Does that mean only on programs that support that or is there usually a possibility to contact them and get a test high privilege account? Thanks!
Yeah you’re correct, when we say that we’re talking about applications with permission levels that we can access, so on an app like Wordpress we have access to admin, user, guest by creating our own blogs but for something like email we only have access to a user, so that’s all we can test.
Can anyone explain to me easily what she means when she's talking about endpoints? Thanks. 7:41
Endpoint just means a webpage you can send stuff to. So what I'm saying is if you see something in Burp like /pages/admin/createPost you should replace the cookies of an admin user with those of a lower permission user, e.g. a guest user. I hope this helps!
@InsiderPhD So you mean when we are in some sort of admin endpoint, replacing the admin's cookies with a lower permission user's cookies (for example, session id) is an example of IDOR?
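To make the endpoint and cookie-swapping discussion above concrete, here is an added example that is not from the video or from anyone in this thread. It models a tiny invoice API in plain Python: one handler that only checks for a valid session (the IDOR), one that also checks that the invoice belongs to the caller, and one admin-only endpoint that must refuse a guest session. `access_matrix` replays a request under every stored session, which is the defender's version of the check the reply describes: the same request sent with each permission level, recording who is allowed. All routes, session cookies, roles and invoice rows are constructed for the example.

```python
"""Added example: an IDOR-prone handler next to its authorized version.
Nothing here is from the video; all names and data are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # constructed roles: "admin", "user" or "guest"


# Constructed sample data: invoice id -> owner and billing details.
INVOICES = {
    101: {"owner": 1, "amount": "12.00", "billing_address": "1 Example St"},
    102: {"owner": 2, "amount": "99.00", "billing_address": "2 Example Ave"},
}

# Constructed sessions, standing in for the cookies a tester would swap.
SESSIONS = {
    "cookie-admin": Session(user_id=0, role="admin"),
    "cookie-alice": Session(user_id=1, role="user"),
    "cookie-guest": Session(user_id=9, role="guest"),
}


class Forbidden(Exception):
    """Raised where a real application would answer 403."""


def get_invoice_vulnerable(cookie: str, invoice_id: int) -> dict:
    """Authenticates (is there a session?) but never authorizes: any
    logged-in user can read any invoice by changing the id. This is the IDOR."""
    if cookie not in SESSIONS:
        raise Forbidden("no session")
    return INVOICES[invoice_id]


def get_invoice_fixed(cookie: str, invoice_id: int) -> dict:
    """Authorizes server-side: the invoice must belong to the caller unless
    the caller holds the admin role."""
    session = SESSIONS.get(cookie)
    if session is None:
        raise Forbidden("no session")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (session.role != "admin" and invoice["owner"] != session.user_id):
        # One response for "missing" and "not yours", so the id space
        # cannot be walked to learn which invoices exist.
        raise Forbidden("not found")
    return invoice


def admin_create_post_fixed(cookie: str, title: str) -> str:
    """Role check on an admin-only endpoint: the same request replayed
    with a guest cookie must be refused."""
    session = SESSIONS.get(cookie)
    if session is None or session.role != "admin":
        raise Forbidden("admin only")
    return f"created: {title}"


def access_matrix(handler, invoice_id: int) -> dict:
    """Replay one request under every session and record allow/deny.
    Running this over every endpoint shows where a check is missing."""
    result = {}
    for cookie in SESSIONS:
        try:
            handler(cookie, invoice_id)
            result[cookie] = "allow"
        except Forbidden:
            result[cookie] = "deny"
    return result


if __name__ == "__main__":
    print("vulnerable:", access_matrix(get_invoice_vulnerable, 102))
    print("fixed:     ", access_matrix(get_invoice_fixed, 102))
```

In the vulnerable matrix every session is allowed to read invoice 102, which belongs to user 2; in the fixed one only the admin is. A 200 OK carrying another user's data after a cookie swap is exactly the signal the thread is talking about, and the fix lives in the handler, not in the client.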
I've been bug hunting for like a month now, I've been looking for IDORs, CSRFs, XSS, HTML injection, Open Redirects. I can't find any websites (domains and subdomains) on H1 or Bugcrowd vulnerable to these vulnerabilities. I admit though for XSS I only know the basics and how to use a payload list on burpsuite. But still I can't find anything, Any tips? Should I focus on the more advanced ones like RCE and SQL injection?
I think you just need to keep at it, I know it’s frustrating but they are there. Maybe look into a less crowded space like mobile? Might be worth a shot. Ignore SQL injection and RCEs, you won’t find one, they are for people with years of security experience.
My top pieces of advice:
1) make sure you check everything, like even endpoints which may not be particularly useful
2) focus on bugs which can generate impact and be constantly on the lookout for them
3) Cast a wide net, and keep trying; if you find public programs too difficult, get invites to private programs via stuff like the hacker101 CTF
4) Find a niche, maybe learn mobile stuff, maybe go deep into learning a ton about APIs
5) keep trying! Bug hunting is harder than it looks but you will get there if you try
@InsiderPhD Thank you so much, and thanks for your videos
It takes time to find your first one! It gets easier tho, the best thing you can do is keep trying.
With IDORs, the entry point for IDORs can be used for other injection attacks. If an IDOR was a UID0=, and the UID was querying the users db, then can you launch other injection attacks, like SQL injection or stored XSS?
Yup, absolutely, this is actually something in the OWASP top 10, as often they aren't sanitised properly :)
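As an added illustration of the point just made (not code from the video or from either commenter), the example below puts an id parameter of the kind an IDOR hunter finds in front of a SQLite query in two ways: concatenated into the statement, where the parameter's text is parsed as SQL, and bound as a parameter after an integer check, scoped to the calling user. The table, rows and the input strings are constructed for the example.

```python
"""Added example: the same id parameter built into SQL versus bound to it.
Schema, rows and inputs are constructed; nothing here is from the video."""
import sqlite3

# Constructed rows: record id, owner's uid, body.
SAMPLE_ROWS = [
    (1, 1, "alice's record"),
    (2, 2, "bob's record"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner_uid INTEGER, body TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, record_id: str) -> list:
    """String-built query: whatever arrives in the id parameter becomes
    part of the SQL, so a non-numeric value changes the query itself."""
    return conn.execute(
        f"SELECT id, owner_uid, body FROM records WHERE id = {record_id}"
    ).fetchall()


def lookup_safe(conn: sqlite3.Connection, record_id: str, caller_uid: int) -> list:
    """Type-check the id, bind it as a parameter, and scope the row to the
    caller. The ownership clause is the IDOR fix; the binding is the injection fix."""
    try:
        rid = int(record_id)
    except ValueError:
        raise ValueError("record id must be an integer")
    return conn.execute(
        "SELECT id, owner_uid, body FROM records WHERE id = ? AND owner_uid = ?",
        (rid, caller_uid),
    ).fetchall()


def looks_tampered(record_id: str) -> bool:
    """Cheap detection signal for logs: an id parameter that is not a plain
    integer is worth alerting on, whatever the handler did with it."""
    return not record_id.strip().isdigit()


if __name__ == "__main__":
    db = make_db()
    # Classic textbook tautology, constructed here to show the difference.
    tampered = "1 OR 1=1"
    print("unsafe, plain id :", lookup_unsafe(db, "1"))
    print("unsafe, tampered :", lookup_unsafe(db, tampered))
    print("safe, own record :", lookup_safe(db, "1", caller_uid=1))
    print("safe, other's    :", lookup_safe(db, "2", caller_uid=1))
    print("tampered flagged :", looks_tampered(tampered))
```

The unsafe lookup returns every row for the tampered input because the condition is rewritten; the safe one raises before the database is touched, and even with a valid id it returns nothing for a record the caller does not own.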
How can I find reports and write-ups? Is it viable to study and find bugs only studying this? I want only IDOR and access control.
Maybe other people will be successful bug hunters in the future after watching the video. If it was me, after I got my first $10k from bounty, I'm going to donate back to many education TH-camrs who put out free stuff like this. If you don't feel okay taking patreon money, maybe put a link to a charity organization that you like.
Thanks for doing this! Looking forward for more videos!
I only ask that people pay it forward, write about a bug you find, get involved in the community, help purchase learning materials for others, mentor someone, give out some tips on twitter. I'm far more interested in people helping others to learn and join this community than money!
I became WAY more interested once she started cussing. My attention was fading...and the keywords popped me right back in!
LMAO! I'll have to start swearing more!
@InsiderPhD On a serious note I have watched most of your videos at this point! Really good content, likes and subs from me!
Great video
OMG you're the best, can you please make owasp top 10 hunting.
Soooooon(tm)
This is one of the finest videos I saw on this matter. I have a question, do you think that when pentesting android apps through Google Play program is it valid for bounty to find IDORs in the endpoints that android app uses (not in the android code itself)?
This is debatable, some programs will count that as the android app and some as the API. If the android app is in scope without excluding the API I would say that it is valid. I think it's a great easy way to get into android pentesting though! You can definitely find some low hanging fruit bugs!
What are endpoints? I'm really confused.
'Endpoints' are the final URL that you access
So www.mywebsite.com/folder/ wouldn't be an endpoint but www.mywebsite.com/folder/file.php would be
@InsiderPhD ohhh thanks a lot... I was expecting it... you are my mentor in bug bounty... thanks a lot...
@InsiderPhD Thank you for your explanation. As a newbie, I didn't know the meaning of endpoint before finding out from this comment.
Thank you for the video
I have been looking for IDOR for days now but couldn't find at least one very low... Any idea what I'm doing wrong?
Any tool to easily guess these different id parameter variables?
Very useful!! Thankss
hello Katie. Is Intigrity limited to European hackers only?
Nope! It’s just they focus on European hackers! You can hack on any platform from anywhere :)
@InsiderPhD thank you so much. by the way, i'm currently on Intigrity and trying to find an Info Disclosure whilst watching your tips and tricks on how to do so. Good luck to me!
This is good.. thanks
If you (Burp actually) find "password in the URL" of a GET, is that a type of IDOR and how do I proceed?
You're the best!
You are fucking amazing! sending all positive vibrations your way :)
Why is everything distorted at 1080p?
Older video and I wasn’t great at video editing! Should I remake it? 🤔
@InsiderPhD it's OK
The word should be Authorization rather than authentication for IDORs.
Other than that, nice video.
Thank you for the correction!
Need that doc
Very good content, I am glad to find such content. THANKSS!! Mam.
One thing, why are you exhaling so heavily sometimes? Is it the excitement of capturing the flag or some other issue?
Haha I'm just asthmatic and a bit nervous when I make videos!
You are amazing. Great content. How can I contact you?
you are great
ohhh thank you so
I cant stop laughing, LMAO
COOKIES
If I just replace the cookies and get 200 OK,
then get access to the account, will it be considered an IDOR?
Please help!
I recently reported one like that.
It will be my first bug!!