Authorization problem

4 months ago 92

Nguhuynh

As all of you know, an authorization vulnerability is just a simple vulnerability.

The basic idea is that hackers can do something that is not allowed, like changing another user's information by changing the magic ID (IDOR); there are many, many types of this bug. And you should focus on what we can mess up here, not on changing some parameter and giving up :)

Today I will share some of my experiences.

(My English is quite bad; if I make a mistake in this blog, please comment below.)

1. Some experiences

Pentest all functions: There are too many bug hunters out there, so we should make a difference to get bounties and succeed. Hack all the functions you see; don't miss anything (it is so funny if others find easy bugs in that function).

Don't forget JavaScript: It is foolish to check only the function from the outside. JavaScript files have many interesting things, like hidden endpoints, hidden parameters, internal queries, and many more. Believe me, you don't want to miss this :))

Don't give up until you don't have any ideas left: One time, I checked an iframe function. I tried everything here: SSRF, XSS,… I took hours trying to break this function, and you know what? I found a BAC here that is quite hard to find with black-box skills. This wasn't fixed, but the program accepted it (about 1500$).

Write a note: Sometimes, when you are learning something new, you realize there was a bug in the past that you didn't know about. But you forgot that program's name (>ლ). Very painful, right? I have missed 3 bugs and one of them is high :(

Hacking is something addictive, I can’t sleep

2. Authorization vulnerability

The best way to check for this vulnerability is to use the Autorize extension (Burp Suite) (How to use).

Knowing about other hacking styles, techniques and ways of thinking is very, very important. You should read about them every day (reports, blogs, podcasts,…). I spend about 8 hours/day reading all that cool stuff ;))
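The IDOR pattern described at the start of this post, shown as a vulnerable handler beside a fixed one, together with the kind of check Autorize automates (repeating the same request as another user and comparing the outcome). This is an added example, not code from the original post; the handlers, the `PROFILES` store and all sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    role: str  # "user" or "admin"

# Constructed sample data: profile records keyed by owner id.
PROFILES = {1: {"email": "alice@example.test"}, 2: {"email": "bob@example.test"}}
USERS = [User(1, "user"), User(2, "user")]

def update_profile_vulnerable(session_user, target_id, email):
    # BAC/IDOR: target_id comes from the request and is trusted as-is.
    if target_id not in PROFILES:
        return 404
    PROFILES[target_id]["email"] = email
    return 200

def update_profile_fixed(session_user, target_id, email):
    # Object-level check: the caller must own the record or be an admin.
    # It runs before the lookup, so a non-owner cannot probe which ids exist.
    if session_user.id != target_id and session_user.role != "admin":
        return 403
    if target_id not in PROFILES:
        return 404
    PROFILES[target_id]["email"] = email
    return 200

def cross_user_findings(handler, users):
    """Replay one request as each non-admin user against every other user's
    record; return the (actor_id, target_id) pairs that were allowed."""
    findings = []
    for actor in users:
        for target in users:
            if actor.id == target.id or actor.role == "admin":
                continue
            before = dict(PROFILES[target.id])
            status = handler(actor, target.id, "changed@example.test")
            changed = PROFILES[target.id] != before
            PROFILES[target.id] = before  # restore state between probes
            if status == 200 or changed:
                findings.append((actor.id, target.id))
    return findings

if __name__ == "__main__":
    print("vulnerable:", cross_user_findings(update_profile_vulnerable, USERS))
    print("fixed:", cross_user_findings(update_profile_fixed, USERS))
```

Run as a regression test in CI, an empty findings list for every state-changing handler is the pass condition.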

I can’t teach you all of the things, but others can. We are a community, we should learn and share knowledge \( ̄︶ ̄*\))
