Finding IDORs with CODE REVIEWS!

Hi! I'm a pentester and a bug bounty hunter who's learning every day and sharing useful resources as I move along. Subscribe to my channel because I'll be sharing my knowledge in new videos regularly.

Comments

Such examples are very helpful to understand what is going on under the hood, thank you!

Antidesigns

Well, it is easier to understand if you also demonstrate the attack (practically).

prakharx

I found an IDOR vuln in our college website just now💀

debarghyamaitra

Very well explained, Farah!! We need more IDOR videos!! Sharing this with my friends.

haanrey

As a security auditor I would say you are teaching good stuff.

Securityauditor

Would love to see more content related to code reviews.

mehrabhasan

To anyone who got confused about the if condition:

if sess != '4eb...04' (meaning whatever value is not equal to that is true) && user != 'tom' (meaning whatever user name you type is also true), therefore true + true = true and that will prompt the msg "You are not allowed to view this content".

if sess is equal to '4eb...04' (meaning sess = false) && user = 'tom' (meaning user = false), therefore false + false = false and that will grant you access,
and false + true = false, therefore granting you access in this case too.

ramymimouni

I think you should do more videos like this, It was really helpful

saminbinhumayun

Not sure if this code was actually vulnerable to an IDOR since it uses the ‘&&’ operator, which means both the cookie and user id had to be the correct match. Simply changing the id wouldn’t actually fulfill the access control condition. The attacker would also need to get the cookie right.

If the conditional statement was written to check whether the cookie OR the user id met the correct criteria, then that would be an IDOR vuln.

Other than that, nice vid

Metavert

It’s interesting because this is a case of De Morgan’s law. It’s very clever to use digital logic properties to train people in security. So ~(A•A) == (~A+~A). It’s very clever. Nice video cutie 😊

justinpeter

Guys if you have any doubts regarding the IF condition:
The if condition is for not equal to.
So say the sess is something else
And the user is Tom
So sess not equal to "4eb...04" (true)
user not equal to 'tom' (false)
True && false is False.
Therefore the IF condition won't run, that is "You are not allowed to view this content" won't run at all, and the attacker would have the access

zaidarif
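The four cases the comments above argue over, worked through as an added example (not the code from the video and not written by any commenter). The session value is elided on the page as '4eb...04', so a constructed placeholder is used; the function names and the second user name are assumptions for illustration.

```javascript
// Added illustration; not the code from the video. The real session value is
// elided on the page ('4eb...04'), so a constructed placeholder stands in.
const OWNER_SESSION = 'constructed-session-placeholder';
const OWNER_USER = 'tom';

// Deny check as quoted in the comments: blocks only when BOTH values mismatch.
function deniedByAnd(sess, user) {
  return sess !== OWNER_SESSION && user !== OWNER_USER;
}

// Corrected deny check: blocks when EITHER value mismatches.
// De Morgan: !(sessOk && userOk) is the same as (!sessOk || !userOk).
function deniedByOr(sess, user) {
  return sess !== OWNER_SESSION || user !== OWNER_USER;
}

// Enumerate all four combinations and record what each check decides.
function truthTable() {
  const cases = [
    { name: 'owner session, user tom', sess: OWNER_SESSION, user: 'tom' },
    { name: 'other session, user tom', sess: 'other-session', user: 'tom' },
    { name: 'owner session, other user', sess: OWNER_SESSION, user: 'alice' },
    { name: 'other session, other user', sess: 'other-session', user: 'alice' },
  ];
  return cases.map((c) => ({
    name: c.name,
    andCheck: deniedByAnd(c.sess, c.user) ? 'denied' : 'allowed',
    orCheck: deniedByOr(c.sess, c.user) ? 'denied' : 'allowed',
  }));
}

// Rows where the two checks disagree are the gap a code reviewer should flag:
// one matching value is enough to get past the && version.
function gaps() {
  return truthTable()
    .filter((r) => r.andCheck !== r.orCheck)
    .map((r) => r.name);
}

console.table(truthTable());
```
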

It is using "&&", so it will check for both. I think you made a mistake in telling..!

TheHackersRoom

Orb crossing the screen from side to side at 0:43

faboxbkn

They're using && so both conditions must be true! Idk what you're saying.

archlinux

How do you know that the id is not something like a UUID or a randomly generated string?

yvesgonzaga

Hello ma'am, I am Ritesh. I am new to bug bounty learning. I want to ask you: currently I am not good at any programming language, so could you recommend which language I should learn that can help me in the journey of bug bounty?
Please reply if you find the question answerable.
Thank you

riteshsharma

This is hypocrisy 😢, we need part two on this topic..!

manashalder

You know that the opposite of && would look better with || instead of OR?

justinpeter

Make a case study video on hacking and the impact of SQL.

shivammittal

Code is checking for both cookie_id & username; changing one won't achieve anything.

huntit