[Part I] Bug Bounty Hunting for IDORs and Access Control Violations
rs0n_live

Published On Dec 10, 2023

Authenticated testing on Starbucks' public bug bounty program on HackerOne, searching for IDORs and access control violations.

00:00 - IDOR vs Access Control Violation
07:29 - Choosing a Program
09:55 - Taking Notes is Mandatory
12:06 - Registering Accounts
18:59 - Locating Attack Vectors in Cookies
25:31 - Identifying Important Cookies
26:45 - How to Use Pointers
28:30 - Testing for IDORs in JWTs
39:14 - Identifying Mechanisms
46:40 - Avoiding False Positives
57:11 - Identifying Objects
1:00:14 - Testing for IDORs in APIs
1:10:30 - Grouping Mechanisms By Client ID Process
1:23:01 - Best-Case Scenario for IDORs

Discord -   / discord  
Hire Me! - https://ars0nsecurity.com
Watch Live! -   / rs0n_live  
Free Tools! - https://github.com/R-s0n
Connect! -   / harrison-richardson-cissp-oswe-msc-7a55bb158  
