[Part I] Bug Bounty Hunting for IDORs and Access Control Violations

Authenticated Testing on Starbucks' public bug bounty program on HackerOne, searching for IDORs and Access Control violations. 00:00 - IDOR vs Access Control Violation 07:29 - Choosing a Program 09:55 - Taking Notes is Mandatory 12:06 - Registering Accounts 18:59 - Locating Attack Vectors in Cookies 25:31 - Identifying Important Cookies 26:45 - How to Use Pointers 28:30 - Testing for IDORs in JWTs 39:14 - Identifying Mechanisms 46:40 - Avoiding False Positives 57:11 - Identifying Objects 1:00:14 - Testing for IDORs in APIs 1:10:30 - Grouping Mechanisms By Client ID Process 1:23:01 - Best-Case Scenario for IDORs Hire Me! - https://ars0nsecurity.com Watch Live! - https://twitch.tv/rs0n_live Free Tools! - https://github.com/R-s0n Connect! - https://www.linkedin.com/in/harrison-richardson-cissp-oswe-msc-7a55bb158/