Authenticated testing on Starbucks' public bug bounty program on HackerOne, searching for IDORs and access control violations.
00:00 IDOR vs Access Control Violation
07:29 Choosing a Program
09:55 Taking Notes is Mandatory
12:06 Registering Accounts
18:59 Locating Attack Vectors in Cookies
25:31 Identifying Important Cookies
26:45 How to Use Pointers
28:30 Testing for IDORs in JWTs
39:14 Identifying Mechanisms
46:40 Avoiding False Positives
57:11 Identifying Objects
1:00:14 Testing for IDORs in APIs
1:10:30 Grouping Mechanisms By Client ID Process
1:23:01 Best-Case Scenario for IDORs
Discord / discord
Hire Me! https://ars0nsecurity.com
Watch Live! / rs0n_live
Free Tools! https://github.com/Rs0n
Connect! / harrisonrichardsoncissposwemsc7a55bb158