Loading...

Finding Your First Bug: Business Logic Errors

2,136 views

Loading...

Loading...

Transcript

The interactive transcript could not be loaded.

Loading...

Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on Oct 9, 2019

Hi everyone, welcome to the first video in my new series "Finding Your First Bug" in this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out and finally do a practical example with Burp on a real target.

In this video, we'll be discussing Business Logic Errors, a type of bug that targets the logic of a website or app rather than the technical implementation.

0:00 - Theory: what is a business logic error/how to find them
7:09 - Case studies: 8 examples of business logic bugs by complexity
21:28 - Practical Burp: Looking at Flurry an app in scope on the Verizon Media public program

-- Case Studies --
- Response program can create bounty table - $500: https://hackerone.com/reports/460920
- OLO Total price manipulation using negative quantities - $3,500: https://hackerone.com/reports/364843
- Able to manipulate order amount by removing cancellation amount and cause financial impact: $750 - https://hackerone.com/reports/614523
- Gaining unlimited bonus points on websites with WooCommerce Points and Rewards - $150: https://hackerone.com/reports/592803
- Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance - $1,500: https://hackerone.com/reports/574638
- Lack of payment type validation in dial.uber.com allows for free rides - $5,000: https://hackerone.com/reports/162199
- Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature - $2,500: https://hackerone.com/reports/334205 and https://medium.com/japzdivino/harvest...
- Claiming package names in GitLab's automatic package referencer. - $1,000: https://hackerone.com/reports/462503

-- You Should Also Watch --
HOW TO GET STARTED IN BUG BOUNTY (9x PRO TIPS) - STÖK - https://youtu.be/CU9Iafc-Igs

-- Social Media --
- Twitter: https://twitter.com/InsiderPhD

Loading...

When autoplay is enabled, a suggested video will automatically play next.

Up next


to add this to Watch Later

Add to

Loading playlists...