IDOR – how to predict an identifier? Bug bounty case study
Check out AppSecEngineer, the sponsor of today’s video: https://www.appsecengineer.com
Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
Follow me on Twitter: https://bbre.dev/tw
This video is part of the case study of 187 IDOR bug bounty reports. In this part, I take a look at what types of IDs were used by vulnerable applications and, where relevant, how the hunters predicted them.
Mentioned videos:
https://youtu.be/NtjlGV7Cdvk
https://youtu.be/FzT3Z7tgDSQ
Get $100 in credits for Digital Ocean: https://bbre.dev/do
Timestamps:
00:00 Intro
00:45 Decimal IDs shorter than 8 digits
01:59 Check out AppSecEngineer, the sponsor of today’s video
03:03 Decimal IDs shorter than 8 digits – continued
04:42 Decimal IDs 8 digits or longer
09:25 Name/email as identifier
11:28 UUID
13:57 Other non-bruteforceable
18:00 Hexadecimal IDs of 8 or more digits
20:35 Other – bruteforceable
21:50 Hash