Overview
This course on Broken Access Control Testing teaches the fundamentals of hacking and bug bounty hunting as they apply to access control. By the end of the course, learners will be able to identify and exploit access control vulnerabilities in web applications. Topics include the different types of Insecure Direct Object References (IDOR), namely numeric, GUID-based and hash-based; request methods; Local File Inclusion and Path Traversal; static pages and forceful browsing; parameter manipulation; logic flaws; and more. The teaching method combines modules, readings, and practical examples. The course is intended for anyone interested in cybersecurity, ethical hacking, bug bounty hunting, and web application security testing.
Syllabus
Intro
Module Trainer
Module Outline
Module Reading
Introduction to Access Control bugs
Simple numeric IDOR
Bugcrowd VRT Rating
GUID-based IDOR (cont.)
Hash-based IDOR
Request methods
Local File Inclusion and Path Traversal
Static pages & "forceful browsing"
Static files
Direct function calling
Parameter Manipulation
Logic Flaws
Auxiliary Tips
Likely parameters/keywords to check for IDOR
COTS, OSS, and paywalled applications
Create a function matrix for MFLAC (Missing Function Level Access Control)
Burp Intruder
References
Taught by
Bugcrowd