Hang tight while we fetch the video data and transcripts. This only takes a moment.
Connecting to YouTube player…
Fetching transcript data…
We’ll display the transcript, summary, and all view options as soon as everything loads.
Next steps
Loading transcript tools…
[Part I] Bug Bounty Hunting for IDORs and Access Control Violations | rs0n_live | YouTubeToText
YouTube Transcript: [Part I] Bug Bounty Hunting for IDORs and Access Control Violations
Skip watching entire videos - get the full transcript, search for keywords, and copy with one click.
Share:
Video Transcript
Video Summary
Summary
Core Theme
This content provides a detailed guide on identifying and understanding Indirect Object References (IDOR) and Access Control Violations, emphasizing their distinct nature and importance for bug bounty hunters, especially beginners.
Mind Map
Click to expand
Click to explore the full interactive mind map • Zoom, pan, and navigate
all right so today I want to talk about
uh indirect object references and also
Access Control violations uh so we're
going to do some live hunting of those
vulnerabilities uh we're also going to
look at the differences between the two
I see a lot of researchers especially
when they're first starting out they uh
like to combine these two
vulnerabilities together and they're
really completely different um not just
in in how they manifest in the
application and how to defend against
them but also the methodology to find
these vulnerabilities the uh techniques
that we're going to use to show impact
in these vulnerabilities uh is is very
very different so um if you are looking
for your first uh valid bug uh if you're
just getting started on bug Bounty
research or if you're just kind of
looking to to get traction this is the
video for you I cannot emphasize that
enough indirect object references and
access control violations are the
perfect bug for anybody that's starting
out it's looking to get their first bug
to focus on uh the reason for that is
it's very very very difficult to do
automated testing for these types of
vulnerabilities just because it's all
contextual to the application you have
to understand the larger picture and
automated scanners you know obviously
struggle to do that the other reason is
that uh you know just be honest with you
idor and access control violations are
not typically thought of as fun
vulnerabilities to to hunt for you know
most people they like to uh take these
complex payloads and throw them at
different attack vectors and uh they
love that you know big dopamine hit that
they get when when one of those payloads
works and they get a cross- site
scripting alert to fire or you know
especially a shell to connect or some
something like that um but modern web
applications are not really too
concerned with uh injection attacks as
much as they are an attacker finding
some way to get access to the data
within the database that really is the
the Crown Jewel uh for for attackers on
Modern SAS applications just because
most of them are hosted in the cloud and
you've got function as a service so you
know an application is probably not a
monolith or a large application running
on a static server it's probably
thousands of microservices that are
running on a function as a service uh
platform like AWS Lambda or something
like that so getting remote code
execution or some type of uh injection
technique to get a foothold on those AWS
lambdas to function as a service uh
platform gives me a very limited scope
very limited uh exploit options uh from
an attacker perspective whereas if I'm
able to manipulate the logic within the
application to access data from the
customer database that I'm not supposed
to be able to access well that is
devastating to a SAS company uh and
that's what we're going to be looking at
at doing today uh specifically uh with
indirect object references we are going
to be looking at accessing data that we
shouldn't be able to access but also
with Access Control violations and this
is the fundamental difference between
the two Access Control violations you
are uh accessing mechanisms you're able
to utilize a mechanism within the
application that your user or user role
should not be able to access now that
certainly can manifest in your ability
to read data that you should not be able
to read right if you have the ability to
access some type of read mechanism that
your user role should not be able to
access and as a result you can read
sensitive data that you shouldn't be
able to that may appear to be an idor an
indirect object reference but uh the
fundamental difference is that you're
accessing a mechanism so the the failure
is validating your user or your user
role's ability to leverage that
mechanism to access the data whereas an
idore or an indirect object reference is
a failure by the application to validate
that a user essentially uh is authorized
uh to utilize a specific ID to access a
larger subset of sensitive data um I
know it sounds complicated when we're
just talking about it and that's why I
want to jump in as quickly as possible
but a really easy example of both of
them is let's say for an idor an
indirect object reference first of all
uh let's say that I'm able to uh pull up
my user profile on a web page and that
has my name and my email Etc
um and that is is access by when I load
the page the uh there's an HTTP request
that sends my user ID to the server and
the server idid or the server uses that
ID to access a larger subset of data
associated with my profile so I should
only be able to see this subset of data
uh when I log into that profile page for
my specific profile if I were to give
any other users ID uh there should be a
mechanism on the back end to uh look and
see okay was this the specific users's
ID do they have permissions to access
this uh larger subset of sensitive data
for a different user and in that case
the answer would be no and the
vulnerability would be well if if
they're not validating that and they're
just simply returning uh the larger
subset of data based on that ID being
set by the user without validating that
user is is uh authorized to see that
data that would be your indirect object
reference so you're specifically
targeting some type of an identifier or
you know unique code that is used to
pull a larger subset uh including a
larger subset of data including
sensitive data from the database um an
access control violation on the other
hand see that is not an access control
violation because you are authorized as
a user to access the mechanism that
allows you to read profile information
the problem is the application wasn't
validating that you have ownership of
that data set based on the ID you
provided uh but let's say that there's
two different roles in an application
now and one is a user and the other is
an admin and the admin has this
additional mechanism that is not
available to users to where they can go
in and look at the sensitive data of
every user that's in the application
it's fairly common uh well now as a
regular user if I'm able to somehow
access that mechanism that should be
validating no no no this user this is a
user this is not an admin so they
shouldn't be able to leverage this
mechanism to access data uh but in this
case I am able to leverage that through
some sort of bypass uh and get access to
other user sensitive data the result is
the same right I I'm still only able to
access sensitive data for other users
but this is happened in a completely
different way because the application is
not validating my role when I'm trying
to access the mechanism so hopefully
that's a good example of how idor and
access control violations may seem very
similar but they're actually completely
completely different in methodology
completely different in implementation
and uh really really important that you
understand those differences so that
you're when you're hunting for them
you're covering all your bases I've seen
a lot of researchers that will only hunt
for idors and think they've covered
access controls and obviously vice versa
so um anyway that's what we're going to
be looking for both today and we'll go
ahead and start by looking for indirect
object references in uh some of the
public Starbucks platforms here so let's
go ahead and get this rolled over and
we'll get started so when you're looking
for a bug Bounty program that's a good
uh good program to hunt for idors what
you're looking for first of all it has
to have authenticated testing uh and
more importantly you have to be able to
get multiple different accounts so best
case scenario you can do
self-registration that's typically what
I look at um we can use our hacker one
email to go in and actually register
those and test the boundaries between
them so um that's the reason I've chosen
Starbucks as one of these each of their
Pages has it's very easy to go and make
multiple different accounts counts by
Design um so it makes it very easy to to
go in and do this testing the other
thing I like about Starbucks is it has a
huge attack surface when it comes to
authenticated testing um you can kind of
see that here with the iOS apps but if
we scroll down here to the bottom uh we
start to see here's the American version
and this actually ties to the dot or the
app. Starbucks there uh but then we've
got the the Singapore version here we've
got the Japanese version as well we've
got a Korean we've got a Chinese one uh
a a German one here so uh a lot of
different options for us to come in and
go through the same testing we're still
going to be testing the same boundaries
because these applications are going to
look very similar but it's entirely
possible that we may find
vulnerabilities in the Singapore version
of the Japanese one that would not be uh
available in our uh American version of
the application because that one gets a
little bit more attention or has just
had a lot of testing I want to reiterate
idor testing is incredibly difficult
through automated systems you
essentially have to build your own
system that has context of the
application uh so it is very difficult
for even the the Starbucks security
teams to find all of these
vulnerabilities and they're really going
to rely on uh bug Bounty researchers
like ourselves to go and do this manual
testing to understand the application
and be able to identify areas where
they've failed to uh enforce uh
ownership of these objects correctly so
like I said we're going to start with
the Singapore version of this here so
we'll go ahead and get that opened up
we'll come back and look at this program
here in a bit uh but you can see and the
reason I like the Singapore version as
well it's actually still in in English
um so makes it a little easier although
I do tend to recommend uh looking at
non-english programs because they are
tested a bit less uh by the English
researchers or American researchers
rather but before we get
started we're going to go ahead and open
up our
notes uh so let's make a directory
call it video
whoops nice I can spell it right and uh
we'll do touch and uh idor notes. MD and
then we'll go ahead and open up our vs
code here if you were not taking notes
for doing idor and access control
testing I mean honestly this goes for
any type of bug Bounty research but
especially for uh ID doors and access
controls if you're not taking notes
you're just not going to be successful
um you may stumble into a couple
vulnerabilities but I'm just being
honest this type of testing and again
this is why uh some people don't find it
as fun as as others um it can be quite
tedious but you need to keep notes to
understand what you've tested how
exactly they're identifying the object
in the back end um we'll see as we go in
a little bit further but um notes are
mandatory for this type of testing uh so
I I just can't emphasize that enough and
that's what we're going to be
demonstrating here so uh we'll go ahead
and start out by doing
Starbucks uh we'll do Singapore and then
idore testing right there just give it a
simple title and I always start in the
beginning by putting a section for
pointers and uh if you haven't heard me
talk about pointers before pointers are
I call them signs as well but it's it's
anything in the application that uh can
possibly be used for another
vulnerability or uh tells me
that the uh development team the
security team is not uh following best
practices and this is something that I
could possibly use later in the future
so I always put this up at the top here
and I'll go through you know as I as I
find them I'll go through and pick out
some pointers there uh and then let's
see we just leave that blank for right
now or maybe we'll just put like a
number one for when I find it and now
let's create our next session which is
going to be accounts because the first
thing we need to do for testing idors is
we need to go in and create create a
couple accounts so let's come back to
our machine
here and uh I'm going to go ahead and
hit join now and we're going to be using
our we are hacker one email to do this
right because that's anytime you're
registering for accounts uh to do bug
Bounty research through a hacker one
program you should always register using
our we hacker One account you can use
plus notation which we'll look at in a
second here to make sure that that uh or
to register for multiple accounts then
make sure that they can identify that
it's a test account delete them if
necessary uh yeah so uh we can fill this
out with whatever we like I'll start
with mis and uh we'll go Harrison
Richardson uh my birthday this time is
going to be July and uh put myself back
in 56 there um here so you can see we've
got a couple accounts that I've done uh
with testing now for this I'm going to
go R ds0 in uh so my we are hacker One
account or email rather rather is my
hacker one username now it's a throwaway
account but uh that is one that I own uh
and then we are haacker one.com so with
this we can use plus notation to create
multiple separate accounts that are all
going to go back to this one uh box
there so I'll do a plus and then I'll go
demo one for anybody that doesn't know
this is ignored when uh anything with a
plus and after that is ignored uh when
sending the email so the email would
just go to arson wacker 1.com
but this plus notation these additional
characters allow us to create multiple
different accounts within the
application itself um and then mobile
number is not required for my password
I'll just generate one there that'll be
fine and then we do not want to do a
physical at least I don't have a
physical one here we'll just do a
virtual card go ahead and sign up I am
not a robot this time but I would
understand why you would think I am and
I'm not angry about the
question that all of
them maybe ah I got it on the first try
okay let's go uh sure yeah we will
update and save that here why not and
make it a little easier in the
future and what should happen is they're
going to send there we go uh a
verification link was actually sent to
hacker 1 which was later forwarded to uh
my account there so we'll go ahead and
click okay we'll need to validate that
but we want to go ahead and get one more
account set up here so uh let's do that
we're going to go ahead we'll do miss at
this time and this is going to be
Richardson Harrison it's a good thing
about having two last names they are interchangeable
interchangeable
apparently uh yeah maybe I'm born in 57
and now we go and click on this again
we'll do number two and I'm actually
going to keep the same password there
just to make it easier uh unless I have
doesn't let's see I've tried to do that
and it's made it more complicated for
myself so I'll tell you what instead
we're just going to generate a secure
one there and should be the same one
down there okay then we just save them
both do not have a physical card don't
need a referral ID right now it's going
to let me click there we go all right
here fire hydren right there I is that a
fire hydrant I don't think so right
they're trying to trick me oh that's one
right look at that one hiding down
there ah and then one right in the
middle come on that's enough that's got
to be it okay I did it we will update
that as
accounts okay perfect now let me go
ahead and come up here and we will look
for those emails to come through
through
and they did so I can actually pull that
down here real quick just so we can see
it uh yep so we have a verify my email
button right there I'm going to
rightclick and copy that link address
bring this back up
here and we will actually open that here
within our browser so this will be the
first one although actually I think this
is the second one we did but that's fine
okay that has been validated
and I'm going to come up here we'll copy one
one
here okay
perfect so now we'll go ahead and close
both of these out we can consolidate
just being here and now we have our
option for demo number one and demo
number two so let's move over here and
we'll go ahead and start filling out our
that account there and I'll give it some
space we'll paste again and we know that
we have demo to now I can put the
passwords in here and I may end up doing
that later but honestly it's not a big
deal we don't necessarily need that
because what's important here is uh just
differentiating between the two and
we're going to start to pick out how
these accounts are being identified by
the system that's really a lot more
important than the the passwords or
anything else so uh anyway we'll get
logged into the first one here and
apparently I got to do a bunch more of
this probably have to skip through these
in the thing no it's not no NOP no no
think we're good maybe
okay hopefully I don't have to keep doing
doing
that okay great so we are logged in and
uh let me go ahead and get bur sweep
brought up here that's
good we will get our proxy running and
and I'm going to reload this again to
give us some
traffic there it
goes and let's go ahead and set our
scope as well so we'll do an advanced
scope and we'll just say anything with
Starbucks in the domain whatsoever do a
simple Rex check that should be fine uh
and then we'll hide
anything not involved with that and okay
so now we have a very large application
it looks like we can see index.php looks
like it's a PHP application um if we
click on it as well let's see what
information we can get from
walizer uh react front end so uh you
know not as impactful for us when we're
looking at idors but good to know uh net
backend uh so
potentially I don't know not a ton of
implications for idors I mean we would
expect there to be a lot of things
happening on the server side which could help
help
us but yeah not a ton of of great
information there so but that's totally
fine what we need to start doing first
of all let me move this out of the way
here what we need to start doing first
of all is identifying how the
application is uh pulling larger data
sets and and validating the user identif
identifying the user and typically the
easiest way that that is done is with uh
some type of a session token or a jot
with data store or something like that
so the first place that I'm going to
look is the cookies here and we need to
find somewhere within the application
where we think that this mechanism is
being used um and I mentioned this
earlier the profile section this is
always a a great uh option here so let's
even if we can come in here to the uh
proxy so here we can see let's just send
repeater so here you can see we're
sending a get request to this rewards
profile profile and within this request
we have a whole bunch of data now
somewhere on the back end the
application is using the data contain in
here to determine most likely it's
happening on the back end to determine
uh what user we are um and actually one
of the first things we need to figure
out is is that happening on the back end
of the front end because a net would
tell me it's probably happening on the
back end but a react uh because they're
using react maybe it's having a lot more
API calls right when I come back here to
the proxy I see a ton of these
additional uh get requests to JavaScript
files and things uh so it's very
possible that even though we have a net
app that net uh application is or that
piece of it is just loading the core Dom
and then a bunch of JavaScript is
happening to dynamically populate this
and one easy way to do that is to come
through and see you know we see some of
my personal information here so if is it
in the initial response or not if it's
not then it's probably react and API
calls that are pulling this information
so I'm just going to type in Harrison uh
okay and it
is let's see let's give us a little more room
here so we do see it echoed there in the
response so there is a mechanism on the
back end that is identifying what user
we are by some type of ID most likely
unless there's something contained in
this where we can just directly control
it and at that point we have reflected
input and we could test for cross-site
scripting and things like that but that
would be pretty surprising almost
certainly what's happening is there is a
value within these cookies or somewhere
else but there's really not anywhere
else so probably in the cookies that is
being used on the server side to
identify what user I am so here's the
user ID and then from that user ID pull
from the data base my first name my last
name this Mister here my birth date all
these additional uh pieces
that are coming through and that so
we've identified an area where a a
unique identifier is being used to pull
a larger subset of data that is your
opportunity to test for indirect object
references um so let's see if we can
figure out how exactly that's happening
um and we do that by just getting rid of
these cookies or anywhere else that we
think the data might be uh until we have
the smallest possible HTTP request that
will still allow us to access this data
and then hopefully from there we can
summize how exactly the application is
identifying us uh and then we can Target
other users so uh first let's get rid of
this looks like an anti-c surf token and
just to check uh let's go ahead and send
this again and see if we have any issues
uh it doesn't look like we do let's see
Harrison is still coming up it is uh in
fact we'll leave that and I'm going to
set this to autoc scroll so it'll be
easier to test um but that's very
interesting so I'm going to come back up
here to my pointers and my first pointer
is going to be uh C surf token doesn't
appear to be
to SL profile by the way I'm also
curious to know if this is case
sensitive or not because that uh would
be an interesting Quirk of that but
anyway sorry I digress um so what I'll
do now is again this doesn't have
anything to do with indirect object
references currently but I will continue
to test other endpoints and this may
turn into uh the Cerf token is
completely useless uh I don't know if
that's ever going to be helpful in my
testing in the future but I want to make
sure that I know that uh and and have
that in my disposal uh depending on what
I find in the future uh okay so if we
look through these there's really two uh
cookies that are standing out to me
right we've got this off uh token here
which appears to be just a random
sequence and then we've got this access
token which is very clearly a Json web
token right you've got the ey you've got
a string you've got ey so the dot
delimiter and then finally you've got
another dot uh down here followed by o
interesting followed by a very short
signature as well which tells me that
this could it's I don't think it can be
rs256 or elliptic curve I think this
would have to be
hs256 which is a symmetric encryption so
um you know I don't want to put the card
before the horse but just by glancing at
this it looks to me like we have a Json
web token that could contain our user ID
that's being used to pull this larger
subset of data so that's where my mind
is going and then this authentication
token is probably just something that uh
determines whether or not uh we're
authenticated to the application at all
right so we have authentication here and
then we have authorization coming
through the access token um I don't know
this for sure we're going to have to do
some testing to find out um but the
first test that we can do is let's get
rid of all the other cookies and just
find out if this works or
not and it does and we're still getting
our Harrison doesn't seem to be any
major variation between the two so um
that tells me at least that I'm on the
right track so the next thing I want
want to do is I'm going to move away
from burp for a second I'm going to go
into my
browser I'm going to open up my browser
tools and go into the storage here for
Firefox um basically going in looking at
the cookies and uh specifically I want
to see which ones are uh session token
and which ones have uh HTTP only Flags
or you know valuable flag on here so uh
interesting so so we only have two
cookies that have the HTTP only flag and
typically these are going to be put on
any type of uh
valuable uh cookie that that the
developers don't want attackers to get
access to um we see the access token
which we saw before we also see this uh
SE surf token which did not seem to do
anything at least on that specific
endpoint so
um that's interesting because I don't
see the off token here it's also
interesting that they would go through
the the you know trouble of adding this
HTP only flag but I don't know maybe you
just don't need ceser for there because
it's not the not an actual form
submission that's probably the answer
but where is our off uh oh it's down
here okay so this is our session token
and our session token does not have an
HTTP only flag on it so that is a big
big big pointer here uh let's go back to
our notes um big big pointer okay so two
session token and then in parentheses
I'll put off so we know what it looks
like what is it it's a off equals blah
blah blah blah
blah does not have HTTP only FL okay so
again we're not moving this is leading
me more towards like a cross site uh
scripting uh you know type of thing so I
want to avoid going down that path but
uh these pointers are certainly starting
to tell a story right if the surf token
is implemented but isn't actually
validated and we also don't have an HTTP
only flag on this uh session token then
there would be no reason if we would got
a basic cross-site scripting that we
couldn't weaponize that by sending a
payload that you know grabbed the
victim's uh off token here and used it
to send a request through a uh a SE surf
you know and uh that's what's called a
session riding attack you're essentially
leveraging an active session uh when the
US user executes the payload to be able
to perform actions on behalf of the
victim a lot of times they don't even
realize it's happening um but not
specifically in scope for idor testing
but we're starting to put together a
picture of whether or not uh I guess if
the team is following best practices um
this to me says that this application is
worth my time if if we're already
picking up on some misconfigurations
like this then we're almost certainly
going to have some deeper systemic
issues going on within this
application so let's go back over to burp
burp
again and now we have these two so let's
let's dig into the Json web token
because this this uh off token here I'm
assuming if I get rid of it let's just
test this out real
quick now we've got a 302 most likely
being redirected to the login page yes
so we've got a 302 and the location is
rewards login so because we have removed
that off
token and if we come back this appears
to be working now so okay
so again the the assumptions that I've
made up until this point have been
correct this token uh identifies
authentication um we also have this
access token here so I can assume at
this point that this access token uh
this jot Json web token contains the
user ID and data in it so um let's look
at that first in the payload here we'll
collect that and let's see what it
contains and immediately I'm seeing a
lot of identifiers right our name ID you
know this is uh almost definitely going
to be some type of user ID that's being
pulled uh this subv value you know could
also be something you know these seem to
match so are they just copying the name
ID over from the sub or vice versa um
but this could potentially be something
that's sequential whenever you're
looking for indirect object references
for idor vulnerabilities uh the ideal
scenario is that you have some type of
uh cyclical predictable number pattern
right so if let's say the first name ID
was one and at this point there have
been what is it 8,800 327 users so if
our user two that we created is
88003 and then something close to this
maybe like 335 or something if multiple
other ones were created in between um we
can look at this as a fantastic
opportunity for an idor um the
unfortunate side of or the unfortunate
thing with that is it's contained in a
Json web token and a Json web token is
uh signed that's what this third value
is after the uh second delimiter that
that dot um this is a signature that is
designed to guarantee the Integrity of
the data within uh within this data
store within the jot so me as the
attacker in order for me to uh you know
come in and change change this to uh
let's say if the victims is 335 right
instead of 327 for these final numbers
here um in order for me to successfully
try to access that victim's data I first
have to bypass any uh validation or any
controls they have where they are
checking this signature to determine if
this data has been tampered with um
there's several different ways that I
can do that and uh typically when I'm
doing idor testing I'll go and do a
couple of those probably avoid the more
complicated ones but the first thing
that we can look at and I mentioned this
earlier is what is the uh signature what
what encryption is being used to
generate the signature now this is a
very short signature so I'm almost
certain if we come in and open this up
there you go we're going to see hs256
hs256
hs256 is a uh symmetric encryption it is
not an asymmetric encryption so um first
of all this is not commonly used so my
first question is why are they using
hs256 is it something that they just
haven't put a lot of emphasis on or is
this not really too valuable and this
was just the easiest way to do it but
I'm hoping that the reason this is here
is just because this is an older
implementation and it's vulnerable to
some newer types of attacks um you know
we can brute force it potentially Etc
but um anyway so let's go and do a
little bit of testing here to find out
whether or not they are validating this
um so the first thing we want to see
is well we we want to know if we can
downgrade this we can try to do some
brute forcing but first of all is it
validating this signature at all you
know when we send this we uh up until
this point we're making the Assumption
it's grabbing the uh Name ID or one of
these values from here and uh using that
to pull the the larger subset of
data is it even validating the signature
before it grabs that value it's entirely
possible that it's not and the way I can
test that is just by dropping off one of
these characters here and send that
again and here we see they're not so
this signature does not appear to be
validated so if we're correct up until
this point and any of these uh values in
here are being used to grab that data
set we can potentially come in and make
changes to these so let's actually see
what happens if I change this to just an
eight and come in and apply that change
there so that has encoded this here
let's make sure to get rid of the
unnecessary percent 3 Delta and then
we'll send that and see if it's any
difference we're not getting any
difference there we still see our
Harrison um so maybe that's not the
value that they're working off of uh
let's come up here we'll highlight it
again um maybe it's not the name ID
maybe it's this uh sub as well let's
apply that we'll come over here and get
these um and we still have the Harrison
so uh it's not going to be one of those
two it looks like um so let's look at
some of the other options here because
again we're trying to figure out what
unique code is being used to pull the
larger data set doesn't appear to be
Name ID doesn't appear to be sub based
on what we know could it be this jti
right um and this shows where indirect
object references can become more
challenging depending on the complexity
of the ID that's being used to access
the data um if it's just sequential
numbers like we see here then it's very
easy to just guess those or throw some
random one in but if you have uh what's
typically called like a guid in here or
an md5 some some type of complex unique
hash these can be much more difficult to
guess so if I were to come in here and
do uh you know a b instead and apply
that it's going to be much more likely
that I'm actually accessing a yeah we're
still getting the Harrison there um it'd
be it's much less likely that I'm
actually accessing a valid uh user
object on the back end and there kind of
in lies the problem as well we don't
know if this is actually not working or
we don't know if it has some type of
fail open type of thing you know maybe
it goes in and checks you know checks
these IDs first but then if the IDS
don't exist then uh it'll default to I
don't know if there's a uh email address
and here there's an email address so
maybe it defaults that maybe that's what
they're using um in fact we can go and
try demo two in here and apply that
let's go and close these out here and
we'll just test it out real quick but no
we still see Harrison as the first name
not the last name so that is not looking
um yeah so we don't know if this is if
the idor is not working through here
um or if it's got some type of fail open
system we don't know if identified the
correct uh way to pull this uh uh data
out we really don't know
so we have the option here um if we
wanted to go and log into our other
account and grab this information we can
in fact let's go ahead and start with
getting those so it's going to be easier
to to test I'm going to have to get a
valid jot not one that I've been messing
with here but let's close out of this
we'll refresh this here our proxy is's
going to
grab grab that again where' we go here we
go okay I'm going to go ahead and grab
our access token here we'll copy it and
J.O okay here we see our hs256 we don't
need to worry about that down there but
we're going to go ahead and grab this
notes and we'll go ahead and add that in
there for our first user and now we can
see most likely
uh one of these values or a combination
of these values is being used to
identify uh that larger data set so um
let's go ahead and I'm going to open an incognito
incognito
window and we'll go back to the
this and now we'll go ahead and get
2
see if I can get this on the first try
oh come
on I
disagree I thought I did it okay on the
first one I just sign that right there
fun all right so now we've got Miss
Richardson Harrison and on the other one
we have Mr Harrison
Richardson should be very easy to test
between the two do we have we do have
everything running through burp for both
of these so if we come back up we should
get our second jot here right here I
think my accent just really came out on
all right and here is the data for our second
user okay and if we look here definitely
cyclical on the name IDs right
definitely predictable 8800 327
88329 um so I'm certainly hoping that
this name Name ID is involved in
accessing that data somehow at least
somewhere in the application so uh okay
now we've got some information on the
accounts we need to go back and do a
little bit more research into that
specific mechanism here but before we do
that let's go ahead and get another
section set up here so let's come down
in fact let's do two more sections now
let's go ahead and start with mechanisms
mechanisms
and then we're going to come down and
create another one that is going to be objects
objects
right we'll say both of those um so we have
have
a mechanism that we're looking at here
and in fact we've got a couple different
mechanisms here each of those or each of
these on this page is going to be an
opportunity to get an indirect object
reference so before we go back and do
any more testing let's start taking uh
inventory of what different options we
have here so the first that we see is we
have this personal information section
right and multiple different mechanisms
Within These so let's see what that
entails um we already know that when we
load this page here we're going to have
a a some type of a request or something
is being made to read data there so uh
let's start with a read endpoint there
and this is a get request to
to
the rewards profile section here let's
put that there and we'll just call this
uh three personal information
right that'll work there um so we have
that section to go in and read we also
have the ability to update here so that
is possibly that's almost you know okay
let's open this up and we'll go ahead
and send one
through and we'll just come over here
test we run update there okay our
profile has been updated ah and if we
can catch
it so now if we come back over to our
notes uh we also have an update and
that's what we always want to do first
we're identifying the mechanisms and
then we're identifying what aspect of
crud is is happening here so create read
update and delete and then how that's
actually happening so now we have an
update mechanism and I'll send this to
repeater just so it's a little easier to read
read
um we have a post request to the same
endpoint and including that data is
going to cause an update on the back end
there so uh update is equal to a post
here
okay so those are two good ones to start
with and in both of these cases so with
our G request here that's gross uh in
our git request here which is reading
the data and then our post request which
is modifying the data or updating it
there still needs to be something within
this request that is being used by the
application to identify that larger data
set so it's taking an ID it's taking
something and using that to say okay
which user is this and then either
returning the data here in the first
instance or modifying the data in the
second instance here let's go ahead and
send this as well um so let's see let's
Minify the this one the same way we did
the other one it would be very easy to
assume that both of these are using the
same ID or same way to identify that
larger data set but there's no reason to
assume that you know um here in this one
it's it's almost definitely going to be
the access token the only other option
here or some data stored in the access
token the only other option would be
this off token here and it's entirely
possible that this off token uh is
storing data somehow and or is even just
being used to say hey what user is this
off token tie to and then that's how
we're going to update that that's
actually a fairly secure implementation
so that's what we would not uh hope
would be happening here but if we look
at the update obviously we have the same
option here too but then we also have
uh several their values down here you
know and this email stands out to me
specifically and the reason for that is
this is an update mechanism so the data
in here should only be data that can
potentially be updated but if we go back
profile we don't actually have the
ability to modify this I know you can't
really tell but I'm I can't modify it
through this here um now who knows maybe
if I come and just modify if the email
on this section then it will change as
well and that could be uh an example of
an uh insufficient uh input validation
but we don't know we don't know um but
one of the things I'm definitely going
to test is do they include this here
because it was easier the team just
chose to go a different way than they
did with the get route and they said
well let's include the email anyway and
we'll do a you know find one by email or
whatever that's that's the value that
they're pulling in there uh indirect
object references don't have to use some
type of ID value to to pull the data
back could be any type of data and a
username or an email is certainly an
opport certainly a
possibility so um let's go back here and
get the couple more mechanisms because
what we do have we have this uh password
update mechanism here and we can
actually we'll go through that for right
now just because that's probably more of
an authentication uh bypass type of
thing um but we can go ahead and enter
enter a new email so let's copy this down
down
here and I'm going to do demo to test
here and we'll go ahead and hit change
well now let's see
what okay here we go we'll send this to
the repeater as
well maximize this to make it easier to
see uh so here and we do still have our
off and our access token so let's make
sure that we don't need either one of
those over here um now we have just the
new email we have a the verification
token and the requested Wiis so
um we know for a fact that this email is
not being used to find our email because
this is the new one that's going to be
placed it's not like it has both in
there um so you've got to think that
once again it's either identifying our
user object through the access token or
po potentially through the off token
there so let's get this documented as
well and this will be a good set of
mechanisms to start with so this again
is an
update and we're going to post doesn't
matter what it's updating I mean it does
for impact but not for what we're
looking at here all we're looking out is
to identify
mechanisms that are a potential to test
for idor and then our next step is going
to be to really dig down and identify
what exactly is it using to identify uh
that larger data set for each one of
these so let's come back and start here
start with our number one and we'll just
call this
update and then we can add more
information once we find that it's going
to be worth our time uh okay so we'll
send this one again we're still getting
the Harrison information there we know
that if we don't send the off token
we're going to get redirected to the
login page we know that nothing is being
validated in this access token we know
that we can send it whatever information
now we can continue to go through and
test each of these different values to
try to figure out uh which one is being
used and that's our ideal scenario
that's what we hope but the first thing
we have to do here is we have to test to
make sure that this access token is
being used at all and a very simple test
to do with that is we can just go and
delete it and see what happens so if we
send this through again we see that
we're still getting our Harrison
response um we can continue to get rid
of some more uh headers and everything
but the unfortunate case for us and
fortunate case for Starbucks is while it
looked like we had a vulnerability in a
Json web token that was not being
validated what we were actually seeing
was a Json web token that was being sent
to an endpoint it doesn't necessarily
need to be sent to um and I wanted to
make sure I highlighted that first of
all because I run into that all the time
when I'm testing for idors but
also there's so many times when I talk
to researchers who are first starting
out where they find something like that
where the jot isn't being validated or
anything and they you know your heart
starts beating you go oh I found this
vulnerability and everybody starts
thinking the same thing they start
thinking oh what if somebody else has
found it I don't want it to be a
duplicate I've got to go and write
something they start rushing and and
everything starts running through your
head very
quickly I cannot emphasize this enough
anytime you find anything like that the
best thing you can do is step away from
the uh computer for a minute to breathe
and to you know just think about it go
back and test it in multiple different
angles um because of situations like
this right we it was very easy as we
were starting to test to to feel like we
were on to some oh here's a
misconfiguration they're they're not
validating this Json web token and it
really turns out to be something as
simple as uh the Json web token is not
needed to be sent here uh but that's not
a vulnerability that they're sending it
there it's you know doesn't have any
impact at all we can assume um we don't
know we may want to go in and test but
uh not at this early in the game so at
this point I I am very confident that
cooking work with
me so that is the worst case scenario
for me as a bug Bounty researcher um
that is a very secure implementation now
it's a single point of failure if
somebody were able to get this off token
they can go in and start accessing the
data but it's not going to help us for
indirect object testing so at this point
I'm going to go ahead and drop this one
off uh and we can continue our testing
moving on to this update
now obviously the first thing we should
do is get rid of the access token and do
the same test if we are still able to
update our profile and by the way we
need to make sure that this is actually
updating it may just tell us profile
updated every time sucess equals true as
a way to throw off researchers
so I'll come back and Che change this to
have in here we do have the the test
right there so let's go ahead and send
that and we're still getting a 200 so it
doesn't look like that access token
cookie is being used at all right now
doesn't mean it's not being used in the
application but at least not in this set
of mechanisms um now we don't know for
sure that the off token is what's being
validated here though because we do have
have additional data down here so let's
see how much we can minimize of this how
much can we get rid of it let's try
first of all let's just drop off this
email because actually I'll tell you the
first thing we do because we can test
two in one time uh I'm going to add uh
what is this demo 2 arson test I'm just
going to add that string there and we
can send this again and if we get
another 200 which we did profile updated
equal true um now we can see if the
email was actually updated so now we're
testing an indirect object reference to
see you know I would assume if it was an
idore it would have told us this user
doesn't exist so I think we've already
ruled that out from this email parameter
but we can also test to see if it's
actually updating the email when it's
not supposed to so if I refresh this
here and we see that we still have demo
2 test so uh while it said that our
profile was updated it did not actually
modify the email through the separate
mechanism there uh so yeah let's see we
can go ahead and you know it's possible
it's almost certainly not going to be
identifying the data set uh from any
value that we can change um you know so
let's see we can drop off the email
entirely here uh I just don't see a lot
of other options um we can get rid of
this here I don't know if that'll have
any impact we can get rid of this but
everything else is really these Bine
values uh the selected value these are
all things that can be changed in the
form so if we send this again it appears
to be working let's test to make sure
one more time that it is actually
working by changing our first name to
test again if we come back over here
refresh we should just see Mrs test
Richardson no we don't have that
that
interesting oh unable to okay so we have
deleted something that is causing it to
token is it the email if it's the email
okay let's get rid of this first of all
then send this
again and we have a failure without the
email did we have a failure with the
email we we did not so okay let's just
try test again with this so we have to
email but it allows us to update
values it does allow us to values no
matter what the email
is so is it dropping off the plus
notation and that's the reason we're not
getting this let's try changing the we
are hacker one or adding in just
something in the middle there and
sending that um we're still allowing it
to be updated let's change this back to
Richardson this here still allowing it
updated yep still fine so it looks like
this email value just needs to be there
but why so that's going to be another
pointer um let's copy this
URL and uh I just don't know what that
see let's see must
body again I don't know what that means
I don't know what that means um anyway
we can come back to that later at least
we've identified that um I feel pretty
confident that this is using the off
cookie as well um you typically see
mechanisms in specific groups using the
same uh value whatever you want to call
it um not always again you want to go
through and test them all but that's
where my mind is going that's what I
think is happening
here um one other thing that I may do
because this is a post request uh and
I'm not going to do it now but
potentially in the future so let's do
this um I'm going to come down
here I'm going to put a question mark on
that and then I'm going to put an
additional note here to uh fuzz for
hidden parameters uh because when you're
doing idor
testing you know a a request like this
um may be using this off token here but
it may have multiple different layers of
conditionals to determine what uh what
id is actually going to be used to
access the data set um so it's possible
that it tries to use the email first and
then if it's somehow not validated
correctly or anything then it will
default over to the a toen maybe there's
other code in the back end we don't know
about where it will try and look for
other values you know maybe it looks for
this name ID value and we can include
that in there
um maybe maybe there's some type of
logic to where the access token is
checked first but then it has to be
validated and then if it's not validated
it defaults over to the off token if
that's the case then we can test for jot
vulnerabilities or try to get a valid
jot sign because it's
hs256 and we can bypass it that way but
we don't know if that's a good use of
our time because that access token may
just be some Legacy cookie that isn't
used at all anymore and we spend all
that time trying to get around it find
out it has no impact in the application
so we need to do a lot more work
understanding the application before we
can start to to move in at that so but I
do have a followup there let's go ahead
and take a look at the change email as
well I'll leave that here let's send
this um okay and we're actually getting
information reflected in there too
that's good um so it looks like it's
just checking to see whether or not it
exists let's go back over here send that
does that allow us to change okay and
then does that
match up
here should see this change to demo to
and we do okay
okay
so is this email at some point there is a
a
uh database query being used with this
email you know it's being passed
somewhere in there to say does this
exist or not uh but once again we don't
know if that's what's being used to
actually change in fact it's almost
certainly not not what's being used to
change there's going to be another call
uh again I'm assuming from this off
cookie now uh we can test that by
getting rid of the access token let's
just see real quick uh our error should
say it already exists it does okay so
most likely what's happening here is
just like with the there's this off
cookie is being used to identify the
user object that's being modified
there's then a call being made to the
database to check and see if this exists
and then there's a conditional to say if
it if it does exist return this Json
with the message if it does not exist
let's go ahead and update this user data
or this user object and store that back
in the database there so uh once again
we we have the same possibilities here
just because it has a body but but
almost certainly we're going to be using
that off token there um okay let's talk
about a few of the objects that we found
we haven't found a ton yet in fact we
haven't seen one directly reflected at
all this is probably the closest that
we're getting to understanding what our
user object looks like so just to start
I'm going to do
uh user
object and for now we'll just go ahead
copy this over uh ideally we can
actually get versions of it and because
this is using react there's definitely a
chance that we can open up like the
developer tools and get access to that
um but it's just a little bit too early
in this um so let's come back and look
at a couple different
mechanisms come back into here so we
have all of these personal information
let's take a look at this payment method
as well uh and I I would
think even though we didn't see it
happen or we didn't see anything loaded
up here there should be uh a read
request coming through when this is
loaded so we click on this button we can
see here that we're still on the rewards
profile so this is all happening in the
Dom see our our URL is not changing um
so there should be an API request that
comes out when we click that or
initially when we load the page to get
all of the current payment methods that
there there definitely should be a read
somewhere let's come over into the
see oh looks like it happens initially
see we don't have any new calls that are
coming out when we do that so um let's
go ahead and reload this page
proxy and this looks like the one
rewards API card so now we're going to
an API um and we're getting just Json coming
um and we're getting just Json coming back so that's very good all right let's
back so that's very good all right let's send this to
send this to repeater uh just initially looking at
repeater uh just initially looking at this this kind of reads to me like
this this kind of reads to me like there's it's a completely different
there's it's a completely different mechanism you know the fact that it's
mechanism you know the fact that it's under an API in point um yeah this could
under an API in point um yeah this could be an entirely different mechanism which
be an entirely different mechanism which means it could have an entirely
means it could have an entirely different way of validating that ID
different way of validating that ID that's pulling the larger data
that's pulling the larger data set the other thing that we can add here
set the other thing that we can add here is uh we do have another object even
is uh we do have another object even though we can't see it yet and that's a
though we can't see it yet and that's a payment card object because that's what
payment card object because that's what this is doing this is somehow doing a
this is doing this is somehow doing a get request to go in and pull those
get request to go in and pull those payment cards so let's send this
payment cards so let's send this again and we get an empty array back
again and we get an empty array back which makes sense uh as well as just
which makes sense uh as well as just letting us know the API call successful
letting us know the API call successful we're going to do the
we're going to do the same type of thing here send that let's
same type of thing here send that let's make sure we can still get
make sure we can still get it we can no differences in the response
it we can no differences in the response uh okay so now we have this read which
uh okay so now we have this read which is a get request to our mpoint
is a get request to our mpoint here also interesting that we have the
here also interesting that we have the question mark at the end of that it
question mark at the end of that it looks like it's already set up to have
looks like it's already set up to have get parameters included so we can
get parameters included so we can attempt to fuzz for parameters
attempt to fuzz for parameters there so now we can make the assumption
there so now we can make the assumption that just like before uh this is a get
that just like before uh this is a get request going to this endpoint that is
request going to this endpoint that is using this off token uh going back to
using this off token uh going back to the database and saying well let's get
the database and saying well let's get the user from this off token and then
the user from this off token and then identify all of the the cards there um
identify all of the the cards there um we can test that again by just removing
we can test that again by just removing the access token and we'll try and send
the access token and we'll try and send this again
this again here and now we get an
here and now we get an unauthorized uh very interesting so that
unauthorized uh very interesting so that tells us that unlike the the other
tells us that unlike the the other mechanism we were looking at this
mechanism we were looking at this payment card uh information or this
payment card uh information or this payment card mechanism at least when
payment card mechanism at least when it's uh reading the cards that exist is
it's uh reading the cards that exist is using something within this access token
using something within this access token uh so now let's come back and identify
uh so now let's come back and identify this first so uh
this first so uh through access token
through access token cookie and we do know that for sure we
cookie and we do know that for sure we don't have to put a question mark on
don't have to put a question mark on that at least for this one here
that at least for this one here um now
um now one of our pointers is coming back into
one of our pointers is coming back into play uh or I didn't actually have that
play uh or I didn't actually have that listed as a pointer but I would have
listed as a pointer but I would have before so let's go ahead and add that
before so let's go ahead and add that now
now um we identified
um we identified earlier that this Json web token is
earlier that this Json web token is using uh
hs256 that's probably spelled wrong but whatever symmetric encryption uh with
whatever symmetric encryption uh with hs256 um should have added that as a
hs256 um should have added that as a pointer before but now here's an example
pointer before but now here's an example where it comes into play because if they
where it comes into play because if they were using the off token it didn't
were using the off token it didn't really matter but now well we need to go
really matter but now well we need to go back and see first of all is it being
back and see first of all is it being validated uh because before it didn't
validated uh because before it didn't look like it was being validated we
look like it was being validated we thought that we had found a
thought that we had found a vulnerability but it wasn't being used
vulnerability but it wasn't being used so in the same
so in the same vein we're going to do that same test
vein we're going to do that same test we're going to remove one from the
we're going to remove one from the signature and send it again and now
signature and send it again and now we're getting an unauthorized so before
we're getting an unauthorized so before where it looked like what we had found
where it looked like what we had found as a Json web token that wasn't being
as a Json web token that wasn't being validated instead it just wasn't being
validated instead it just wasn't being used but here where it is being used
used but here where it is being used it's being
it's being validated
validated so let's
say I think we need to include jot with hs256 on
hs256 on there uh signature is being validated
there uh signature is being validated um
um I think the next step would be to go
I think the next step would be to go through and test you know uh test jot
through and test you know uh test jot vulnerabilities but I'm going to put a
vulnerabilities but I'm going to put a pin in that right now um because it's
pin in that right now um because it's kind of to the left of what we're doing
kind of to the left of what we're doing this is the uh second worst I would
this is the uh second worst I would argue uh possible uh type of
argue uh possible uh type of implementation that we could test for
implementation that we could test for for idors for indirect object references
for idors for indirect object references right because this requires us to find
right because this requires us to find another vulner ability most likely
another vulner ability most likely before we can even uh you know get get
before we can even uh you know get get anything to work before we can even
anything to work before we can even begin testing idors now that may not be
begin testing idors now that may not be the case uh let's actually come in here
the case uh let's actually come in here real quick and just see if there's
real quick and just see if there's anything new in the data because that
anything new in the data because that would be interesting but it doesn't look
would be interesting but it doesn't look like it right name sub if we come in and
like it right name sub if we come in and compare each of those to what we have in
compare each of those to what we have in here I don't think we're no I don't
here I don't think we're no I don't think we're finding anything new so
think we're finding anything new so um yeah we could go through it's en
um yeah we could go through it's en entirely possible that the uh validation
entirely possible that the uh validation for the signature is failing but then if
for the signature is failing but then if we have a valid signature then maybe I
we have a valid signature then maybe I don't know maybe we can still change
don't know maybe we can still change some of the values and it's not very
some of the values and it's not very likely though because it really what's
likely though because it really what's going to be happening on the back end is
going to be happening on the back end is they're going to be running just a DOT
they're going to be running just a DOT verify from some type of a library here
verify from some type of a library here um the most likely way to bypass this is
um the most likely way to bypass this is if they're allowing for like a none you
if they're allowing for like a none you know so I could come in here and put
know so I could come in here and put none apply this is just a very simple
none apply this is just a very simple test I wouldn't yeah I wouldn't expect
test I wouldn't yeah I wouldn't expect it to work there um and actually we
it to work there um and actually we would want to remove this as well um so
would want to remove this as well um so yeah that would be a very simple test uh
yeah that would be a very simple test uh for the Json web token but uh for now
for the Json web token but uh for now I'm going to put a pin in that um at
I'm going to put a pin in that um at least for the read mechanism there and
least for the read mechanism there and we can come back if we don't find
we can come back if we don't find anything and we could test for jot
anything and we could test for jot vulnerabilities first but this is not
vulnerabilities first but this is not the uh ideal situation for an indirect
the uh ideal situation for an indirect object reference so I think we'll we'll
object reference so I think we'll we'll move on here now if we come
move on here now if we come back and and uh this our demo two let's
back and and uh this our demo two let's go back to our demo one go to the main
go back to our demo one go to the main one
one here quick payment methods now we do
here quick payment methods now we do have the ability to add a new card so
have the ability to add a new card so let's go ahead and get burp on this side
let's go ahead and get burp on this side here and uh I'm going to try to click on
here and uh I'm going to try to click on that see what
that see what happens so it's asking us what type of
happens so it's asking us what type of card I'll select an American Express
card I'll select an American Express [Music]
[Music] and okay we've all right we've been
and okay we've all right we've been redirected to a login page so I think we
redirected to a login page so I think we just got logged out I don't know if that
just got logged out I don't know if that is indicative of what we're actually
is indicative of what we're actually looking for here let's see if we can get
looking for here let's see if we can get logged back in I'm going to have to play
logged back in I'm going to have to play the capture game again which is always
the capture game again which is always fun hopefully that's
right I wouldn't expect us just get logged out I think the session just got
logged out I think the session just got um got invalidated there let's
um got invalidated there let's see okay we do the read hit add new card
see okay we do the read hit add new card hit
hit confirm and let's see what
happens seems to be taking quite a bit of time we still do this get request
of time we still do this get request here and it's coming back with
here and it's coming back with nothing I'm not sure why we're being
nothing I'm not sure why we're being hung
up try that one more time try
Visa looks like we're just not having any luck with this mechanism here so
any luck with this mechanism here so let's do this let's go back I don't
let's do this let's go back I don't think we would have done anything to to
think we would have done anything to to bork our account yet but let's try
bork our account yet but let's try running the same thing here this is the
running the same thing here this is the last test that I'm going to do at least
last test that I'm going to do at least with this mechanism um ah we did get a
with this mechanism um ah we did get a post request here okay send this to
post request here okay send this to repeater not sure what was happening
repeater not sure what was happening with the other account but that should
with the other account but that should be fine um o and we have completely
be fine um o and we have completely redirected to this gateway.
redirected to this gateway. americanexpress.com this is an entirely
americanexpress.com this is an entirely different application so this is where
different application so this is where our testing is going to stop this is not
our testing is going to stop this is not within scope we could go and see if
within scope we could go and see if American Express has a bug Bounty
American Express has a bug Bounty program and if this is in scope and then
program and if this is in scope and then we could possibly link the to which is
we could possibly link the to which is fun but not for this use case here so uh
fun but not for this use case here so uh I will go ahead and go to our repeater
I will go ahead and go to our repeater here and let's just see as we have this
here and let's just see as we have this initial request um transaction ID is
initial request um transaction ID is also possibly something that we could do
also possibly something that we could do for an indirect object reference but
for an indirect object reference but we'd have to see how that could be
we'd have to see how that could be used um
used um [Music]
[Music] um yeah this looks like it's a mechanism
um yeah this looks like it's a mechanism to basically accept this data and in
to basically accept this data and in return give us a payment URL that's
return give us a payment URL that's going to handle the redirect so uh not
going to handle the redirect so uh not seeing anything with this request that
seeing anything with this request that is involved with uh accessing or
is involved with uh accessing or modifying an object or any data that's
modifying an object or any data that's stored in the database it's looks like
stored in the database it's looks like it's just transforming user control data
it's just transforming user control data uh to handle redirect so we're going to
uh to handle redirect so we're going to leave this one off the table uh and
leave this one off the table uh and we'll go ahead and move away from this
we'll go ahead and move away from this mechanism here uh you know it might make
mechanism here uh you know it might make a note about that that is uh let's just
a note about that that is uh let's just do that looked like a create right so
do that looked like a create right so the create uh it starts with a post
the create uh it starts with a post request to
here but then we're also going to note uh no data access
uh no data access modification simply and
modification simply and redirect uh from what I can see at least
redirect uh from what I can see at least for the purposes of of this demo um I
for the purposes of of this demo um I would certainly want to dig into this
would certainly want to dig into this for a possible you know server side
for a possible you know server side request forgery although pretty unlikely
request forgery although pretty unlikely what's more unlikely is maybe we can use
what's more unlikely is maybe we can use this to get access to a transaction we
this to get access to a transaction we shouldn't have access to um and in fact
shouldn't have access to um and in fact that's one of the thing I'll do just for
that's one of the thing I'll do just for the testing of idors is it does look
the testing of idors is it does look like right
like right now that we have a
now that we have a transaction object so that that's
transaction object so that that's something that we can potentially
something that we can potentially interact with in the future and just to
interact with in the future and just to identify that I'm going to pull out this
identify that I'm going to pull out this key value pair of the transaction
ID and we can have that for the future although I don't expect to do much with
although I don't expect to do much with it
it currently okay let's go ahead and go
currently okay let's go ahead and go back to the page oh and I've it doesn't
back to the page oh and I've it doesn't like something that I've done so that's
like something that I've done so that's good um I'm still logged in though so we
good um I'm still logged in though so we can go back to our
can go back to our account and we have everything here so
account and we have everything here so okay
okay moving back over to our notes uh we'll
moving back over to our notes uh we'll skip through the payment methods we've
skip through the payment methods we've gone through the personal information
gone through the personal information identified a few of the mechanisms there
identified a few of the mechanisms there um I want to find one more to test
um I want to find one more to test before we move on to access controls in
before we move on to access controls in a different application um so let's see
a different application um so let's see I guess do we have is this payment cards
I guess do we have is this payment cards or are these gift card these look like
or are these gift card these look like gift cards okay so this is probably
gift cards okay so this is probably something's going to be a little bit
something's going to be a little bit easier to manage and play
easier to manage and play with it's also a fantastic Target to
with it's also a fantastic Target to show impact um cuz this is money right
show impact um cuz this is money right these cards are uh real world money at
these cards are uh real world money at least to the company at least to
least to the company at least to Starbucks and so if we can find a way to
Starbucks and so if we can find a way to access a gift card that we shouldn't
access a gift card that we shouldn't have access to to modify a gift card
have access to to modify a gift card that we shouldn't have access to access
that we shouldn't have access to access to all of these gift cards are going to
to all of these gift cards are going to be represented as a gift card object on
be represented as a gift card object on the uh the back end there so we can go
the uh the back end there so we can go ahead and add that as well um I'm just
ahead and add that as well um I'm just going to get rid of the payment C cuz I
going to get rid of the payment C cuz I don't think we're going to yeah we'll
don't think we're going to yeah we'll leave it in there but uh
and I'll just make a note that uh this is must add legit card uh added through
is must add legit card uh added through external service right so just makes it
external service right so just makes it more difficult to test um with that
more difficult to test um with that being said I love testing for stuff like
being said I love testing for stuff like this even though you sometimes you have
this even though you sometimes you have to use a real card and you may even have
to use a real card and you may even have to like charge real money to it um that
to like charge real money to it um that means that the scope of individuals that
means that the scope of individuals that are testing is incredible L low now that
are testing is incredible L low now that uh is very difficult for people that are
uh is very difficult for people that are you know just getting in or don't have
you know just getting in or don't have you know a little bit of expendable
you know a little bit of expendable income um but if you do this can be a
income um but if you do this can be a good thing to to test as well but we'll
good thing to to test as well but we'll go inad and test the gift cards here and
go inad and test the gift cards here and let's start by figuring out what the
let's start by figuring out what the mechanisms are right so we'll we'll come
mechanisms are right so we'll we'll come up here to the top
up here to the top and we'll just call gift cards um so it
and we'll just call gift cards um so it looks like there is a way to read
looks like there is a way to read initially so let's go ahead and pick
initially so let's go ahead and pick that one out
that one out almost certainly going to be a get
almost certainly going to be a get request when we first load this
request when we first load this page uh or not I mean
page uh or not I mean this certainly looks like uh an API call
this certainly looks like uh an API call to the gift card looks like the same
to the gift card looks like the same type of rewards API that we were seeing
type of rewards API that we were seeing earlier um let's refresh this again and
earlier um let's refresh this again and see what
see what happens all right so we do a get request
happens all right so we do a get request to this
to this cards but unlike the profile page
cards but unlike the profile page let's just see this looks like one of
let's just see this looks like one of those identifiers there let's see if
those identifiers there let's see if that's being reflected anywhere it's not
that's being reflected anywhere it's not so I think this is different from the
so I think this is different from the profile page in that I don't know if any
profile page in that I don't know if any specific data is being accessed on the
specific data is being accessed on the back end this looks like it's just
back end this looks like it's just loading a
loading a Dom kind of scrolling through to see if
Dom kind of scrolling through to see if I'm wrong but that's what it looks like
I'm wrong but that's what it looks like is happening so I'll send this to the
is happening so I'll send this to the repeater anyway I don't think this is
repeater anyway I don't think this is actually accessing any information I
actually accessing any information I don't think this is uh an attack Vector
don't think this is uh an attack Vector for an indirect object reference I think
for an indirect object reference I think this is just loading the page and then
this is just loading the page and then let's see we have these different
let's see we have these different JavaScript calls and eventually yeah
JavaScript calls and eventually yeah eventually we have this post request
eventually we have this post request whoops this post request that seems to
whoops this post request that seems to be the actual read here you know I can
be the actual read here you know I can get rid of this for right now if I send
get rid of this for right now if I send this
through going to the API and what was the other one that we had that was like
the other one that we had that was like this
this it was the payment card methods was
it was the payment card methods was using the rewards API and now we have
using the rewards API and now we have get that and this was actually using the
get that and this was actually using the access token so I wonder if anything
access token so I wonder if anything going to the API leverages the access
going to the API leverages the access token and anything otherwise uh is
token and anything otherwise uh is leveraging the off cookie and which case
leveraging the off cookie and which case why is that do they have two separate
why is that do they have two separate patterns where the apis are you know
patterns where the apis are you know individual lambas or microservices that
individual lambas or microservices that are out there to handle something
are out there to handle something whereas the core there's still a core
whereas the core there's still a core application that exists that's using
application that exists that's using this off cookie we're always looking to
this off cookie we're always looking to identify complexity we're always looking
identify complexity we're always looking to identify Tech debt uh that's where
to identify Tech debt uh that's where you find the bugs find the places that
you find the bugs find the places that the uh development teams are too busy or
the uh development teams are too busy or they're unable to uh kind of go in and
they're unable to uh kind of go in and and architect everything initially so
and architect everything initially so they've had to sew some different things
they've had to sew some different things together within that complexity and
together within that complexity and within that kind of hacky sewing those
within that kind of hacky sewing those pieces together is where we can find our
pieces together is where we can find our vulnerabilities um that's what I'm
vulnerabilities um that's what I'm hoping so let's come in and test this
hoping so let's come in and test this here first of all it looks like we have
here first of all it looks like we have our gift card object which is great CU
our gift card object which is great CU as we continue to test for idors we want
as we continue to test for idors we want to start getting a very clear picture of
to start getting a very clear picture of what those objects look like and this is
what those objects look like and this is our ideal scenario you typically find
our ideal scenario you typically find those much more from uh apis than you do
those much more from uh apis than you do from you know things we were looking at
from you know things we were looking at earlier uh yeah we got a card ID card
earlier uh yeah we got a card ID card number um image for the card that's kind
number um image for the card that's kind of fun too some ways we can play with
of fun too some ways we can play with that uh Etc and then you've got the the
that uh Etc and then you've got the the larger query
larger query where you have some general meta data
where you have some general meta data for the user um so these look like they
for the user um so these look like they could be coming from the user object
could be coming from the user object maybe the user object has total cards
maybe the user object has total cards status Etc um this could just be from
status Etc um this could just be from the query itself though that may not be
the query itself though that may not be what so anyway but we do know that we
what so anyway but we do know that we have our gift card object and we know
have our gift card object and we know that we have a way to uh interact with
that we have a way to uh interact with this gift card so first our read appears
this gift card so first our read appears to be from a post request this time uh
to be from a post request this time uh that is going to this Point
that we have a filter page number page so there's nothing within the body that
so there's nothing within the body that tells me that uh this is what they're
tells me that uh this is what they're using to access the the larger data set
using to access the the larger data set of the gift cards in the back end um
of the gift cards in the back end um let's go ahead and get rid of everything
let's go ahead and get rid of everything here that we don't need it'll be
here that we don't need it'll be interesting to see if the uh this cross
interesting to see if the uh this cross site request forgery cookie actually has
site request forgery cookie actually has any impact to this endpoint because this
any impact to this endpoint because this is an endpoint where potentially it
is an endpoint where potentially it could make a difference um we've also
could make a difference um we've also got these new cookies in here
got these new cookies in here performance cookie cook accepted true uh
performance cookie cook accepted true uh not going to mess with those right now
not going to mess with those right now have the accepted cookie true hold on
have the accepted cookie true hold on that
that back I'm going to copy the we're going
back I'm going to copy the we're going to add these as a pointer as well that's
to add these as a pointer as well that's just something that's interesting
um think that's good right there um you know cookie accepted so maybe if
um you know cookie accepted so maybe if cookie accepted equals false it will use
cookie accepted equals false it will use something else assuming this one uses
something else assuming this one uses the access token which is what I'm
the access token which is what I'm expecting but let's send this one more
expecting but let's send this one more time let's make sure this work oh we're
time let's make sure this work oh we're unauthorized again uh okay well let's
unauthorized again uh okay well let's make sure that it's not just cookie well
make sure that it's not just cookie well no everything's unauthorized okay why is
no everything's unauthorized okay why is everything unauthorized let's come back
everything unauthorized let's come back here let's refresh again is it just my
here let's refresh again is it just my session that's timed
session that's timed out looks like it
out looks like it maybe I forget which one I was on I
maybe I forget which one I was on I think this is number
fun good it's always good when I get it the first
time all right let's see now we'll go ahead and get rid of that go back to the
ahead and get rid of that go back to the proxy I don't know if it's just a
proxy I don't know if it's just a coincidence that that happened or if I
coincidence that that happened or if I actually caused that let's resend this
actually caused that let's resend this again we've got our 200 again and now
let's get rid of everything but these send this again okay now we're still
send this again okay now we're still getting 200 I was wondering if that had
getting 200 I was wondering if that had something to do with the C- surf token
something to do with the C- surf token doesn't seem like it does let's make
doesn't seem like it does let's make sure these other two aren't needed here
sure these other two aren't needed here they're not okay so now we have our off
they're not okay so now we have our off token and our access token again where
token and our access token again where did our notes
did our notes go so we come down
here again because this is going to the API I'm going to make the assumption
API I'm going to make the assumption that it's identifying uh basically using
that it's identifying uh basically using the access token as uh an off token and
the access token as uh an off token and it looks like it is there again so we
it looks like it is there again so we have that same code
pattern we need to make sure that this is true right but it looks to be the
is true right but it looks to be the same thing that's going on down there so
same thing that's going on down there so the access token we have the
the access token we have the same uh type of token it looks like yeah
same uh type of token it looks like yeah hs256 all the same type of data uh is
hs256 all the same type of data uh is the signature being validated it is so
the signature being validated it is so yes this looks like the exact same type
yes this looks like the exact same type of mechanism that we were sending our
of mechanism that we were sending our request to uh before so um okay so once
request to uh before so um okay so once again with these gift cards uh at least
again with these gift cards uh at least with this read endpoint we're going to
with this read endpoint we're going to need to find a way to bypass this jot in
need to find a way to bypass this jot in order to uh be able to do that so let's
order to uh be able to do that so let's come back over here and let's see what
come back over here and let's see what we can do with this let's hit manage
we can do with this let's hit manage because that's most likely a way where
because that's most likely a way where we want to find uh create we want to
we want to find uh create we want to find update and then ideally we want to
find update and then ideally we want to find delete as well and there can be
find delete as well and there can be multiple instances for each of
multiple instances for each of those man this
those man this uh I really haven't tested this app too
uh I really haven't tested this app too much for it to be uh giving me so much
much for it to be uh giving me so much trouble here let me see if I cause some
trouble here let me see if I cause some type of a conflict let's hit manage
again maybe I'm just being impatient but I don't think I
am no okay we'll tell you what we'll come back over here we have my cards do
come back over here we have my cards do we have the ability to create one first
we have the ability to create one first looks like we do test uh although we may
looks like we do test uh although we may need a valid code
here looks like we need a Val code but we do have a create
we do have a create mechanism uh let's come back over to the
mechanism uh let's come back over to the proxy here and that is coming through
proxy here and that is coming through the rewards card ad so different than
the rewards card ad so different than before we'll do a create equals a post
before we'll do a create equals a post request to rewards card ad and now as
request to rewards card ad and now as we're starting to get a better picture
we're starting to get a better picture of the application I now find myself
of the application I now find myself asking is this going to validate with
asking is this going to validate with the off cookie because we're back on
the off cookie because we're back on these rewards Etc end points and the
these rewards Etc end points and the response this response actually is uh
response this response actually is uh Json so it's acting more like a an API
Json so it's acting more like a an API endpoint um but yeah let's come in and
endpoint um but yeah let's come in and see so we'll send this again see if we
see so we'll send this again see if we can do this multiple times we can
can do this multiple times we can um let's get rid of everything
um let's get rid of everything but the off token we got a lot of
but the off token we got a lot of additional headers going here that we
additional headers going here that we haven't seen before uh we also have
haven't seen before uh we also have values down here we have this
values down here we have this transaction ID maybe this transaction ID
transaction ID maybe this transaction ID is somehow tying us back um I'm not sure
is somehow tying us back um I'm not sure let's make sure let's get rid of
let's make sure let's get rid of these and then let's at least make sure
these and then let's at least make sure that it's not the access token which is
that it's not the access token which is uh the one that we I believe is only
uh the one that we I believe is only being used for these API end points and
being used for these API end points and it looks like that's correct yeah um
it looks like that's correct yeah um which you know
which you know let's go ahead and copy this over see
let's go ahead and copy this over see all Cookie um that kind of makes sense
all Cookie um that kind of makes sense right because we don't
right because we don't uh we don't necessarily as we're
uh we don't necessarily as we're creating an object we don't necessarily
creating an object we don't necessarily need to find out if there's anything
need to find out if there's anything that the owner has access to we just
that the owner has access to we just have to tie it to them now if we can
have to tie it to them now if we can create a gift card under somebody else's
create a gift card under somebody else's account that'd be interesting but it's
account that'd be interesting but it's not a a huge amount of impact there so
not a a huge amount of impact there so uh I could continue to fuzz this and try
uh I could continue to fuzz this and try and find out is it something to do with
and find out is it something to do with the transaction ID uh you know something
the transaction ID uh you know something to do with this value down here but it
to do with this value down here but it really even if we're able to get an idor
really even if we're able to get an idor through uh creating a gift card there's
through uh creating a gift card there's not a lot of impact there whereas if we
not a lot of impact there whereas if we can update or even delete or anything
can update or even delete or anything we're going to have a lot of additional
we're going to have a lot of additional impact there so I'm going to start
impact there so I'm going to start moving in that
moving in that direction um but again in order to do
direction um but again in order to do that I have to get access to the manage
that I have to get access to the manage page I think uh I don't have the ability
page I think uh I don't have the ability to get with that again maybe I just need
to get with that again maybe I just need to be a little bit more patient here
to be a little bit more patient here let's see
let's see is something just not
working oh we have another post request over here as
over here as well oh this is very interesting hold on
well oh this is very interesting hold on let's come over here so send this to the
let's come over here so send this to the repeater as well I don't I don't know
repeater as well I don't I don't know why this isn't loading but um this is
why this isn't loading but um this is different than what we had before right
different than what we had before right so we got these Rewards Card search but
so we got these Rewards Card search but this looks like another read as well but
this looks like another read as well but now we're using a card number
that's pulling a lot of the same information we got card
ID maybe has a little bit of additional information but I don't know if that's
information but I don't know if that's true printed name Auto
reload yeah maybe just a couple other Bine values but not much uh but we can
Bine values but not much uh but we can see here so anytime we have some type of
see here so anytime we have some type of an identifier like this this is most you
an identifier like this this is most you know this is uh very interesting for uh
know this is uh very interesting for uh for an indirect object reference you
for an indirect object reference you know because I'm immediately thinking
know because I'm immediately thinking like why else would they include this
like why else would they include this card if it wasn't on the back end if it
card if it wasn't on the back end if it wasn't saying okay we'll get the card
wasn't saying okay we'll get the card number value from the request body and
number value from the request body and use that to go into the database and
use that to go into the database and access this larger data set um let's go
access this larger data set um let's go ahead and delete this
ahead and delete this here and let's come in and delete the
here and let's come in and delete the rest of these just so we get down to the
rest of these just so we get down to the off and the access
off and the access token
token okay so in the other case this is
okay so in the other case this is another
another read equals a post request to and in the
read equals a post request to and in the other case it was using this access
other case it was using this access token it still may be you know it's
token it still may be you know it's entirely possible that this body is not
entirely possible that this body is not doing anything or is somehow just being
doing anything or is somehow just being recorded
recorded somewhere uh I don't know but uh let's
somewhere uh I don't know but uh let's see what happens when we get rid of the
see what happens when we get rid of the access
access token we do get an unauthorized
um so it's possible that it's using some data in here to pull those um but let's
data in here to pull those um but let's see what happens if I just add a five
see what happens if I just add a five over here and send that now we have a
over here and send that now we have a bad request invalid Starbucks card card
bad request invalid Starbucks card card details okay so to me that is as clear
details okay so to me that is as clear as possible that this is an endpoint
as possible that this is an endpoint that is using this card number to Access
that is using this card number to Access additional data this is a much more uh
additional data this is a much more uh optimal uh type setup for indirect
optimal uh type setup for indirect object references because now we can
object references because now we can potentially access additional data from
potentially access additional data from a gift card that we shouldn't otherwise
a gift card that we shouldn't otherwise be able to access now I don't see a well
be able to access now I don't see a well I mean if we get the card number does
I mean if we get the card number does this card ID somehow help us um we can
this card ID somehow help us um we can get the card amount we can certainly
get the card amount we can certainly read some information and show some
read some information and show some impact so I would say uh this is a very
impact so I would say uh this is a very common type of indirect object reference
common type of indirect object reference test so let's let's actually do this
test so let's let's actually do this right now um let's go back over right
right now um let's go back over right now we're logged into who which one are
now we're logged into who which one are we
at right now I'm on demo one so we want to go get the gift card number for demo
to go get the gift card number for demo two still don't know why that's not
two still don't know why that's not loading but we'll figure that out in a
loading but we'll figure that out in a bit uh let's go to cards
here so now we come over here to the proxy we should see our search
proxy we should see our search and our card number for
and our card number for this should be different that's the same
this should be different that's the same card what is
that this one is 3926 what is our
3926 what is our other why do these look like they have
other why do these look like they have the same card
the same card number is that what's causing an issue
number is that what's causing an issue do we have some type of collision here
do we have some type of collision here or am I just loog into the same account
or am I just loog into the same account on both of these which is probably much
on both of these which is probably much more
likely this is demo I think I was on demo one in the other one wasn't
demo one in the other one wasn't I yes I was okay good I'm going to leave
I yes I was okay good I'm going to leave that in the video anyway because it
that in the video anyway because it shows uh some of the difficulties of of
shows uh some of the difficulties of of testing this um but yeah let's get into
testing this um but yeah let's get into demo
demo 2 uh yeah yeah yeah I'll find all the
2 uh yeah yeah yeah I'll find all the fire hydrants maybe I'll
fire hydrants maybe I'll try they hid in one again no good all
try they hid in one again no good all right we'll get into the correct account
right we'll get into the correct account number two and now if we go to cards we
number two and now if we go to cards we should be should see a separate card
should be should see a separate card number here 3949 we do that's very good
number here 3949 we do that's very good come over here and yeah we have
3949 oops missed the zero there let's just double click copy we'll come back
just double click copy we'll come back over to repeater so now if we paste this
over to repeater so now if we paste this in we have a different card number we
in we have a different card number we are completely different accounts now
are completely different accounts now we're still user accounts so this is not
we're still user accounts so this is not we're we're not accessing an additional
we're we're not accessing an additional mechanism that we shouldn't be able to
mechanism that we shouldn't be able to access which would be the access control
access which would be the access control violation that we're going to look into
violation that we're going to look into in a second um we're just trying to
in a second um we're just trying to access a gift card object from the
access a gift card object from the database that we should not be able to
database that we should not be able to access uh because this is sensitive data
access uh because this is sensitive data to the individual user so if I send this
to the individual user so if I send this we now have a bad
we now have a bad request and it just tells us it's an
request and it just tells us it's an invalid Starbucks card but most likely
invalid Starbucks card but most likely what's happening there and I you know I
what's happening there and I you know I can go back and confirm but most likely
can go back and confirm but most likely what's happening is this is a generic
what's happening is this is a generic error message so there's going to be a
error message so there's going to be a try catch and they go in and see does
try catch and they go in and see does that user have access to this object and
that user have access to this object and then the answer is no and so that's the
then the answer is no and so that's the reason that we get this 400 um there may
reason that we get this 400 um there may be something that I'm missing there but
be something that I'm missing there but probably not uh so let's go ahead and
probably not uh so let's go ahead and come down here but that is a much more
come down here but that is a much more as I mentioned before it's a much more
as I mentioned before it's a much more optimal uh position for us to be testing
optimal uh position for us to be testing for idors because we have just a strict
for idors because we have just a strict unique identifier in that card number
unique identifier in that card number it's something that can be guessed
it's something that can be guessed because they're sequential um at least
because they're sequential um at least to a point it's something that can be
to a point it's something that can be exfiltrated in other places to get
exfiltrated in other places to get additional information so this is a
additional information so this is a great great option for an idore whereas
great great option for an idore whereas some of these others where we're using
some of these others where we're using off cookies and the access tokens that
off cookies and the access tokens that are uh validating the Integrity can be
are uh validating the Integrity can be more difficult um so now we're going to
more difficult um so now we're going to come and grab
come and grab this uh let's see Json
this uh let's see Json body and then we'll just put that right
body and then we'll just put that right there all right so I think that's going
there all right so I think that's going to be good for part one at least uh I
to be good for part one at least uh I wanted to have this portion of the video
wanted to have this portion of the video go through a deep dive of exactly how we
go through a deep dive of exactly how we test for ID doors on a public program
test for ID doors on a public program part two we're going to come back and do
part two we're going to come back and do the exact same thing but this time we're
the exact same thing but this time we're going to be looking for Access Control
going to be looking for Access Control violations um so we're going to be
violations um so we're going to be looking for a different type of program
looking for a different type of program we we still need a program that allows
we we still need a program that allows for authenticated testing and and gives
for authenticated testing and and gives us a way to go in and do uh registration
us a way to go in and do uh registration with multiple different accounts but
with multiple different accounts but we're also going to be looking for an
we're also going to be looking for an application that has uh some type of uh
application that has uh some type of uh access controls implemented that's
access controls implemented that's almost certainly going to be role-based
almost certainly going to be role-based access control so that's where you're
access control so that's where you're going to have let's say an admin and
going to have let's say an admin and then a user account uh as well um but
then a user account uh as well um but ideally we can have multiple different
ideally we can have multiple different roles you know the the more complex the
roles you know the the more complex the role system is within an application the
role system is within an application the more opportunities we're going to have
more opportunities we're going to have uh as attackers to be able to uh bypass
uh as attackers to be able to uh bypass those restrictions um you know if you
those restrictions um you know if you have something as simple as like I said
have something as simple as like I said just a user and admin it can be fairly
just a user and admin it can be fairly easy to uh you know cement those
easy to uh you know cement those boundaries but uh what about if you have
boundaries but uh what about if you have uh things like an an auditor role where
uh things like an an auditor role where maybe the auditor is only allowed to
maybe the auditor is only allowed to read data but they have to read data
read data but they have to read data across multiple different uh accounts
across multiple different uh accounts whereas uh an individual user uh would
whereas uh an individual user uh would typically only have access to One
typically only have access to One account um there you have a bunch of
account um there you have a bunch of additional complexity where you have uh
additional complexity where you have uh the auditor should be able to access
the auditor should be able to access these read mechanisms and uh be able to
these read mechanisms and uh be able to bypass boundaries that a user is
bypass boundaries that a user is restricted to but they won't have access
restricted to but they won't have access to these write mechanisms and these
to these write mechanisms and these update mechanisms that's something that
update mechanisms that's something that we see in a lot of applications if you
we see in a lot of applications if you have very granular users where uh one
have very granular users where uh one user there's like a typical user role
user there's like a typical user role and then there's also a power user role
and then there's also a power user role you know we can go through and make sure
you know we can go through and make sure that that the typical user can't do
that that the typical user can't do anything that the power user can that's
anything that the power user can that's something that especially if they have
something that especially if they have similar names in the roles sometimes uh
similar names in the roles sometimes uh you know there can be simple reject
you know there can be simple reject checks to determine the role or anything
checks to determine the role or anything instead of really being sure about it it
instead of really being sure about it it just all depends on it but but uh the
just all depends on it but but uh the additional amount of or the more
additional amount of or the more complexity we can find the better um
complexity we can find the better um we're looking for Tech debt right we're
we're looking for Tech debt right we're looking for situations where the
looking for situations where the developers had to rush to put hopefully
developers had to rush to put hopefully multiple different Cod code bases
multiple different Cod code bases together um we're always looking for
together um we're always looking for complexity like I said um for for uh
complexity like I said um for for uh Access Control violation specifically if
Access Control violation specifically if we can find an application that has some
we can find an application that has some type of policy based role system so
type of policy based role system so that's where instead of having this
that's where instead of having this hierarchy of of roles where you have
hierarchy of of roles where you have like user and power user and admin and
like user and power user and admin and udor and everything like I was talking
udor and everything like I was talking about a second ago uh instead they have
about a second ago uh instead they have let's say a user and an admin but then
let's say a user and an admin but then within that they can have very granular
within that they can have very granular permissions about specific action
permissions about specific action specific mechanisms that they can take
specific mechanisms that they can take uh that's just adding so much more
uh that's just adding so much more complexity to the point that it can
complexity to the point that it can become almost impossible for the uh Team
become almost impossible for the uh Team to actually validate all of those
to actually validate all of those boundaries uh and that's where we come
boundaries uh and that's where we come into play we're going to do the same
into play we're going to do the same type of thing we're going to take very
type of thing we're going to take very good notes um and uh be able to identify
good notes um and uh be able to identify each one of those mechanisms what each
each one of those mechanisms what each role should be able to do in regards to
role should be able to do in regards to that mechanism and then we will manually
that mechanism and then we will manually test each one um so again hopefully that
test each one um so again hopefully that gives you a a good deep understanding of
gives you a a good deep understanding of indirect object reference testing and uh
indirect object reference testing and uh a good shallow understanding of Access
a good shallow understanding of Access Control violation testing and how the
Control violation testing and how the two can be separate like I said in part
two can be separate like I said in part two we will do a deep deep dive into
two we will do a deep deep dive into access controls if you have any
access controls if you have any questions comments anything at all uh
questions comments anything at all uh please let me know in the comments hop
please let me know in the comments hop into the Discord um yeah other than that
into the Discord um yeah other than that I will see everybody soon have a great
I will see everybody soon have a great weekend
weekend cheers
Click on any text or timestamp to jump to that moment in the video
Share:
Most transcripts ready in under 5 seconds
One-Click Copy125+ LanguagesSearch ContentJump to Timestamps
Paste YouTube URL
Enter any YouTube video link to get the full transcript
Transcript Extraction Form
Most transcripts ready in under 5 seconds
Get Our Chrome Extension
Get transcripts instantly without leaving YouTube. Install our Chrome extension for one-click access to any video's transcript directly on the watch page.
