Finding Your First Bug: Manual IDOR Hunting

Hi everyone, welcome to the third video in the "Finding Your First Bug" in this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out and finally do a practical example with Burp on a real target.

In this video, we'll be talking about IDORs (Insecure Direct Object Reference), which is a fancy term for 'the application didn't authenticate an endpoint correctly'. These are great first bugs, they don't require any technical knowledge and you can just use burp to find them.

0:00 - Theory: what is an IDOR and how to find them
8:21 - Case studies: 7 examples of IDORs which have paid out
27:28 - Practical Burp: Looking at the Hacker101 CTF level "postbook"

-- Case Studies --
Response program can create bounty table - $500: https://hackerone.com/reports/460920
[IDOR] Deleting other people's tasks - $300: https://hackerone.com/reports/293845
IDOR bug to See hidden slowvote of any user even when you dont have access right - $300: https://hackerone.com/reports/661978
Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts - $1,500: https://hackerone.com/reports/320173 and https://www.jonbottarini.com/2018/01/...
Replace other user files in Inbox messages - $1,000: https://hackerone.com/reports/322661
Low Privileged user able to add new Geographical settings to the Admin account. - $750: https://hackerone.com/reports/420130
Validation message in Bounty award endpoint can be used to determine program balances - $1,500: https://hackerone.com/reports/293299
IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users - $10,500: https://hackerone.com/reports/415081

-- You Should Also Watch --
Burp Suite tutorial: IDOR vulnerability automation using Autorize and AutoRepeater (bug bounty) - STÖK -    • Burp Suite tutorial: IDOR vulnerability au...  

-- Social Media --
Twitter:   / insiderphd