How to get experience with no experience? Have a look at bug bounty programs. Vickie Li demos Insecure Direct Object References (IDOR) and tells us how to get into bug bounty. We also discuss why her book Bug Bounty Bootcamp is a fantastic book to buy if you want to get into bug bounty. Get real world experience today.
// MENU //
00:00 - In plain text!
00:24 - Introducing//Vickie Li
00:58 - Part 1//The Interview
01:01 - Origin//Bug Bounty Bootcamp
03:37 - What are Bug Bounty Programmes?
05:26 - Part Time Bug Hunting?
05:44 - Easy Way to Get Experience
07:45 - Which Bug Bounty Programmes for Beginners?
10:51 - Beginners//Don't Compete with Pros
13:15 - Duplicates as Valid Experience
14:23 - What You Need to Start
14:59 - Linux//Do You Need It?
15:55 - Automate!//Which Programming Language?
18:03 - Beginner Friendly Vulnerabilities
21:17 - Part 2//Exploiting IDOR Vulnerability Demo
21:24 - What is IDOR?
22:51 - PortSwigger IDOR Lab
24:05 - Live Chat IDOR
24:48 - View transcript
25:12 - Burp Suite Intercept
26:05 - What to Look For//IDs Aren't Always Obvious
26:56 - Burp Suite//Looking Through Headers
27:56 - Burp Suite//Repeater
28:30 - Testing View Transcript Again
29:18 - GET Request//Identifying Exploitable Endpoint
30:26 - Modifying GET Request
31:35 - Finding the right headers to modify
33:47 - Why the first attempt didn't work
34:09 - IRL//What You Would Do
34:23 - Password in Live Chat Transcript
35:40 - How to Prevent IDORs
36:01 - IDORs//Worth Pursuing?
39:57 - Bug Bounties//How to Start
41:21 - Learn More!//Vickie's Blog
41:38 - Follow Vickie's Twitter!
41:52 - Thank You & Closing
// Books //
Bug Bounty Bootcamp: https://amzn.to/3K2YDeJ
The Web Application Hacker's Handbook: https://amzn.to/3IZ2RTr
Hacking API’s by Corey J Ball: https://amzn.to/3JOJG0E
Alice and Bob learn application security by Tanya Janca: https://amzn.to/3oMyMij
Automate the boring stuff with Python: https://amzn.to/3N2QuYu
// Videos mentioned //
Nahamsec: https://youtu.be/9vaEwycet90
Corey Ball: https://youtu.be/CkVvB5woQRM
Tanya Janca: https://youtu.be/nyhytT2tRN0
Al Sweigart: https://youtu.be/7iBqoc-DzTQ
// Vickie's social media //
Twitter: https://twitter.com/vickieli7
Website: https://vickieli.dev/
YouTube: https://www.youtube.com/channel/UCjQH...
Medium: https://vickieli.medium.com/
// Connect with David //
Discord: https://discord.com/invite/usKSyzb
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/davidbombal
// Platforms mentioned //
HackerOne: https://www.hackerone.com/
bugcrowd: https://www.bugcrowd.com/
Intigriti: https://www.intigriti.com/
Huntr: https://huntr.dev/
// Connect with Nahamsec //
Twitter: https://twitter.com/nahamsec
YouTube: https://www.youtube.com/c/nahamsec
Github: https://github.com/nahamsec/Resources...
Discord: https://discord.com/invite/ysndAm8
Instagram: https://www.instagram.com/nahamsec/
LinkedIn: https://www.linkedin.com/in/nahamsec/
Twitch: https://www.twitch.tv/nahamsec
Website: https://nahamsec.com/
// MY STUFF //
Monitor: https://amzn.to/3yyF74Y
More stuff: https://www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here:
[email protected]
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#python #hack #xss