Finding Your First Bug: Manual IDOR Hunting
Hi everyone, welcome to the third video in the "Finding Your First Bug" series. In this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out, and finally do a practical example with Burp on a real target. In this video we'll be talking about IDORs (Insecure Direct Object Reference), which is a fancy term for "the application didn't authenticate an endpoint correctly". These are great first bugs: they don't require any technical knowledge and you can just use Burp to find them.

0:00 - Theory: what is an IDOR and how to find them
8:21 - Case studies: 7 examples of IDORs which have paid out
27:28 - Practical Burp: looking at the Hacker101 CTF level "postbook"

-- Case Studies --
Response program can create bounty table - $500: https://hackerone.com/reports/460920
[IDOR] Deleting other people's tasks - $300: https://hackerone.com/reports/293845
IDOR bug to See hidden slowvote of any user even when you dont have access right - $300: https://hackerone.com/reports/661978
Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts - $1,500: https://hackerone.com/reports/320173 and https://www.jonbottarini.com/2018/01/...
Replace other user files in Inbox messages - $1,000: https://hackerone.com/reports/322661
Low Privileged user able to add new Geographical settings to the Admin account. - $750: https://hackerone.com/reports/420130
Validation message in Bounty award endpoint can be used to determine program balances - $1,500: https://hackerone.com/reports/293299
IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users - $10,500: https://hackerone.com/reports/415081

-- You Should Also Watch --
Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - STÖK - • Burp Suite tutorial: IDOR vulnerability au...

-- Social Media --
Twitter: / insiderphd