Access full case study here: https://members.bugbountyexplained.com/how-to-make-money-with-idors-idor-case-study/
Check out AppSecEngineer, the sponsor of today’s video: https://www.appsecengineer.com
Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
Follow me on Twitter: https://bbre.dev/tw

This video is part of the case study of 187 IDOR bug bounty reports. In this part, I take a look at what types of IDs were used by vulnerable applications and, where relevant, how the hunters predicted them.

Mentioned videos:
https://youtu.be/NtjlGV7Cdvk
https://youtu.be/FzT3Z7tgDSQ

Get $100 in credits for Digital Ocean: https://bbre.dev/do

Timestamps:

00:00 Intro
00:45 Decimal IDs shorter than 8 digits
01:59 Check out AppSecEngineer, the sponsor of today’s video
3:03 Decimal IDs shorter than 8 digits – continued
4:42 Decimal IDs 8 digits or longer
9:25 Name/email as identifier
11:28 UUID
13:57 Other non-bruteforceable
18:00 Hexadecimal IDs of 8 or more digits
20:35 Other – bruteforceable
21:50 Hash
