[Part II] Bug Bounty Hunting for IDORs and Access Control Violations
- Published 4 Aug 2024
- Now that we understand how to test the boundaries of an application for IDORs, we will do the same when hunting Access Control Violations. For today's video, we dig into the Pantheon program on Bugcrowd.
00:00 - Intro
00:18 - Review IDORs vs. Access Control Violations
02:18 - Access Control Violation Examples
07:22 - Why Hunt for Access Control Violations?
12:00 - Shut Up and Hunt, Already!
12:13 - Exploring Pantheon's Program on Bugcrowd
15:00 - Getting to Know Pantheon's Auth
16:22 - Understanding Pantheon's Scope
17:12 - How to Sign Up for an Account
17:24 - Using Bugcrowd's Email Forwarding
18:25 - Creating our First Account
20:50 - Notes are Mandatory
21:39 - Setting Up Burpsuite
23:33 - Getting to Know the Application
24:16 - Weird AI Art Animation
24:50 - Defining the Environments
29:50 - Creating a Team Workspace
31:28 - Understanding the Granular Roles
41:09 - Creating Accounts for Each Role
46:16 - Finding Differences Between Roles
47:21 - Matching Differences to Mechanisms
48:55 - Finding a Mechanism to Target
51:20 - Expectations for Access Control Testing
54:00 - Understanding Our Target Mechanism
57:30 - What is GraphQL?
1:01:55 - Understanding the HTTP Request to GraphQL
1:04:40 - Understanding the Session Cookie
1:12:35 - Testing the Session Cookie
1:23:49 - What We Know So Far...
1:24:55 - Looking For Targets Outside of GraphQL
1:26:38 - Running an Authenticated Crawl in Burpsuite
1:28:24 - Getting to Know the Application (Part 2)
1:30:51 - Access Control Testing on "Create Site" Mechanism
1:33:35 - Burpsuite Discover Content
1:35:00 - Identifying GraphQL Operations
1:37:36 - Fuzzing For GraphQL Operations w/ Intruder
1:38:38 - Getting Ready For Testing
1:47:50 - Blindly Testing GraphQL Operations
1:57:19 - Understanding the Function of the GraphQL Operations
2:03:15 - Testing GraphQL Operations Based on Unauthorized Mechanisms
2:10:05 - Testing GraphQL Operation With Granular Role Permissions
2:12:52 - Summarizing Everything We Learned
2:14:30 - Thoughtful Testing and Final Thoughts
2:17:08 - Wrap Up
Discord - / discord
Hire Me! - ars0nsecurity.com
Watch Live! - / rs0n_live
Free Tools! - github.com/R-s0n
Connect! - / harrison-richardson-ci...
Thanks, man, yet again delivering exactly what we need. Thank you for helping the community out.
You got a subscription, man. Your content is much more amazing than other people's... it's really helpful.
What an awesome YouTube channel for bug bounty hunters, specifically for beginners like me.
Thanks, man.
I said it before under another video. Your videos are among the few, if not the only ones, that show real bug bounty hunting. What's particularly interesting is the insight into your head and the structure of your approach.
Keep it up, I love it... greetings from Europe, and Germany in particular. 🥷
I really can’t thank you enough. I may not understand everything now but I believe as I continue watching and taking notes, I will learn a lot that will improve my BB game. Thank you very much 🙏🏾
Can we learn together? I also started BB but need someone to ask for help or anything. If you don't mind, we can do BB together or at least learn together.
@MrAwesome9004 Sure, why not. It will be my pleasure.
Let's go. Any social media account or something to discuss on there?
@bertrandfossung1216 Discord will be fine for learning and for doing BB together as well.
You can also share your HTB or THM profile so I can send a friend request.
Thanks man, hope you and your family have a great holiday weekend :)
Keep going, bro, you are doing amazing work for the community ❤.
Thank you so much, I was waiting for your videos :) Finally, yes!
Thanks for the video. I will sit and watch.
I was waiting for this! Thanks, man.
I started following you around a month ago and your content never disappoints me. Thanks for providing fruitful content. Lots of love from Nepal.
🥰
Thank you so much for everything you have been doing for us.
Thank you very much. Awesome as always 🦾
Awesome
Amazing 🤩 exactly what I need, examples from real websites 💕
Waiting for part 3. Thanks a lot, best video on YouTube.
The most thorough tutorial I've come across. We can't thank you enough for giving back to the community the way you have! Quick noob question: is your framework considered "scanning"? When a company on a platform states "no automation", does ars0n-framework fall in that category?
Awesome content. Learned a lot.
Amazing video🔥
We really want more videos about deep dives and logic bugs, thank you.
Very good content, I like this a lot!
Please continue making videos like this for CSRF and XSS, and maybe some short vids for file uploads.
Thank you so much for the effort.
Sir, you can use the Firefox Multi-Account Containers extension to have multiple accounts logged in at the same time!
Waiting for this 😀
I've been waiting for this!
Finally, a new video came.
Your content is really awesome, love from 🇮🇳
Amazing content, I learned a lot from these real-world demonstrations. Waiting for the injection testing if you're thinking of doing it!
I'm working on Client-Side Injection Testing right now :)
Thank you so much
Here it comes...🔥🔥🔥
Love these videos. The only thing I would change is keeping the microphone a little closer to yourself, because right now your keyboard is really loud for me. Keep up the good work.
Really great content ♥
Thank you very much!
Your videos are very helpful for newbies in bug bounty. I am requesting you to please continue the video where you have put notes for the SSRF and injection vulnerabilities possible.
Nice video
At timestamp 1:45:32 you were wondering why you didn't see your GraphQL requests. It was because you had your requests sorted by "Method".
Just in case you were still wondering.
By the way, great content, and I am going to watch every single livestream. I hope there is a way we can get notified about livestreams so I can always join and follow along in real time.
Thank you so much sir
Thank you, man.
Learned a lot from you, a great resource which I found on the internet.
Great video rs0n! Thanks
I would like to see how you test SSRF on that pointer, please.
Hey Everyone! Just want to give a quick update on my IDORs and Access Controls Part III video:
As I'm recording this video, I'm realizing that this will end up being another 4-5 hour recording 😨, and as much as I want to get this video out to the community, I also don't want to rush it.
Now that we've got the basic knowledge from the last two videos, I think I have a really great opportunity to take my time and demonstrate a very effective and cohesive methodology. The downside is that it simply takes time to get all that knowledge into the video.
I promise I will get this video out to y'all as soon as I can! However, I also promise not to rush out an inferior video just to keep my numbers up in the algorithm, which hopefully is better for everyone!
Thx!
The best!!
Hello sir,
I have a full understanding of the IDOR concept, but I did not know how to choose a target and how to start with Burp Suite or OWASP ZAP. Did you show how to find IDORs in this tutorial?
Hey, what happens if you actually find a vuln during these?
Hi mate, this is really the situation that even automatic vehicles miss. I think artificial intelligence will not be able to end a weakness like IDOR, at least in the short term, because serious logic needs to be established here.
Could you please provide free alternatives to some of the functions used in Burp Pro? Thanks a lot.
Please, we need videos on the OWASP Top 10 on live targets.
I definitely plan on going through all of them, eventually! This video series covers No. 1 on the list, Broken Access Control :)
You are the guy, man... I think these are the only live, truthful bug hunting videos. Yeah, sure you will reach 8M like freeCodeCamp... 🎉
You can isolate the sessions by using Firefox containers instead of opening a private window or a different browser
1:38:09 If we had checked whether introspection is enabled or not, that would be a great step as well.
Also, there's an amazing Firefox extension that helps with opening multiple accounts called PwnFox. You don't need to open multiple browsers for multiple accounts, only one Firefox is enough :)
Appreciate your hard work, GREAT VIDEO
Hello rs0n, are you still doing 1-on-1 coaching?
Can you share the notes for this video?
Hi Richard, wasn't using Burp Suite prohibited in the rules?
Hey @mafiadesneakers, this is a GREAT question and something I should have addressed a bit better in the video. Thank you for asking this, I'm sure there were several others thinking the same thing!
Pantheon does say that you are prohibited from:
-Use of automated application scanners (OWASP Zap, Burp Suite) in attack mode.
This means that any type of Active Scanning is not allowed against their application. The reason for this is that the organization is concerned about downtime if an injection attack, or just the volume of requests, became too much for their servers. However, using Burpsuite to manage your sitemap, send requests w/ Repeater, etc. is 100% fine.
They also say you are prohibited from:
-Exceeding a rate limit of 1 request per second for all scripted / API tests.
This is the reason I made sure to mention the "Low and Slow" resource pool a few times, including how to set it up.
As long as you are not sending more than 1 request a second, and you are not performing active scanning, you are good to go!
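The two rules quoted above (no active scanning, at most one request per second for scripted tests) shape how any scripted GraphQL probing in this methodology has to be written. What follows is an added Python example, not code from the video, from rs0n's tools, or from Pantheon: it throttles every request to one per second with an injectable clock, sends each candidate operation name once per role session, classifies the response, and then compares what the API allowed against what the UI exposed to that role (the "Finding Differences Between Roles" step from the chapter list). The role names, operation names, session cookies and the in-memory fake server are constructed stand-ins; swap `fake_transport` for a real HTTP client when working against a target you are authorized to test.

```python
"""Added example: low-and-slow GraphQL operation probing across role sessions.

Not code from the video or from Pantheon. Role names, operation names, cookies
and the in-memory "server" below are constructed stand-ins for illustration.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

GraphQLResponse = Dict[str, object]
# transport(session_cookie, query_string) -> parsed JSON body of the response
Transport = Callable[[str, str], GraphQLResponse]


@dataclass
class RateLimiter:
    """Enforce a minimum gap between requests (1.0 s matches the 1 req/s program rule).

    clock and sleep are injectable so the limiter can be unit-tested without real delays.
    """
    min_interval: float = 1.0
    clock: Callable[[], float] = time.monotonic
    sleep: Callable[[float], None] = time.sleep
    last: Optional[float] = None

    def wait(self) -> float:
        """Block until min_interval has passed since the previous call; return seconds slept."""
        now = self.clock()
        slept = 0.0
        if self.last is not None and now - self.last < self.min_interval:
            slept = self.min_interval - (now - self.last)
            self.sleep(slept)
            now = max(self.clock(), now + slept)
        self.last = now
        return slept


def classify(resp: GraphQLResponse) -> str:
    """Map a GraphQL response to one of: allowed, denied, unknown, error."""
    errors = resp.get("errors") or []
    if not errors:
        return "allowed"
    text = " ".join(str(e.get("message", "")) for e in errors).lower()
    if "cannot query field" in text or "unknown operation" in text:
        return "unknown"   # operation name is not in the schema at all
    if "not authorized" in text or "forbidden" in text or "permission" in text:
        return "denied"    # server-side access control fired
    return "error"         # anything else: inspect by hand


def probe_operations(transport: Transport, sessions: Dict[str, str],
                     candidates: List[str], limiter: RateLimiter) -> Dict[str, Dict[str, str]]:
    """Send each candidate operation once per role session, throttled, and classify the result."""
    results: Dict[str, Dict[str, str]] = {}
    for op in candidates:
        results[op] = {}
        for role, cookie in sessions.items():
            limiter.wait()
            # Minimal selection set; real operations also need their required arguments.
            results[op][role] = classify(transport(cookie, f"mutation {{ {op} }}"))
    return results


def find_mismatches(observed: Dict[str, Dict[str, str]],
                    ui_expectation: Dict[str, Dict[str, bool]]) -> List[Tuple[str, str]]:
    """Return (operation, role) pairs the API allowed although the UI hides them from that role."""
    return [(op, role) for op, per_role in observed.items()
            for role, outcome in per_role.items()
            if outcome == "allowed" and not ui_expectation.get(op, {}).get(role, False)]


# ---- constructed stand-in for the remote side (assumption: NOT Pantheon's API) ----
FAKE_SESSIONS = {"owner": "sess-owner-123", "viewer": "sess-viewer-456"}
FAKE_SCHEMA = {"createSite": {"owner"}, "deleteSite": {"owner"},
               "listSites": {"owner", "viewer"},
               "renameSite": {"owner", "viewer"}}  # toy server lets viewer through here
# What each role can reach in the UI, filled in from clicking through each account.
UI_EXPECTATION = {"createSite": {"owner": True}, "deleteSite": {"owner": True},
                  "listSites": {"owner": True, "viewer": True}, "renameSite": {"owner": True}}


def fake_transport(cookie: str, query: str) -> GraphQLResponse:
    role = next(r for r, c in FAKE_SESSIONS.items() if c == cookie)
    op = query.split("{")[1].split("}")[0].strip()
    if op not in FAKE_SCHEMA:
        return {"errors": [{"message": f'Cannot query field "{op}" on type "Mutation"'}]}
    if role not in FAKE_SCHEMA[op]:
        return {"errors": [{"message": "Not authorized"}]}
    return {"data": {op: True}}


def run_demo(limiter: Optional[RateLimiter] = None):
    """Probe a few constructed operation names and report UI/API mismatches to verify by hand."""
    limiter = limiter or RateLimiter(min_interval=1.0)
    candidates = ["createSite", "deleteSite", "listSites", "renameSite", "cloneSite"]
    observed = probe_operations(fake_transport, FAKE_SESSIONS, candidates, limiter)
    return observed, find_mismatches(observed, UI_EXPECTATION)


if __name__ == "__main__":
    obs, hits = run_demo()
    for op, per_role in obs.items():
        print(op, per_role)
    print("candidates for manual verification:", hits)
```

A mismatch from `find_mismatches` is not a finding by itself; it is the shortlist of operations to open in Repeater and verify with the lower-privileged session, with the request and response recorded in your notes as the video recommends.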
Why don't you use the Autorize Burp extension?
We want your methodology video 🖐
But in the end you did not find the vulnerability? ...You just conveyed that if a developer or team member becomes yes, then there is a vulnerability... this is very basic to know.
Do we have part 3?
It's January... part 3, bro?
The community overwhelmingly requested me to do the Client-Side Injections video before Part 3 so I shuffled a few things around. Part 3 of this series should be out in the next week or two!
01:27:43 WTF man, what is that FBI thing?
Hey Harrison, make videos somewhat faster, man.
Thanks rs0n. Also, can you please link your Discord? 😊
Is it not showing at the bottom of the description?
I'll post it here, as well: discord.gg/AuruXMXJKA
Thanks, man, you helped us a lot 🤍