IDOR - how to predict an identifier? Bug bounty case study

Video description: IDOR - how to predict an identifier? Bug bounty case study

📚 Access full case study here: https://members.bugbountyexplained.co...
📖 Check out AppSecEngineer, the sponsor of today's video: https://www.appsecengineer.com
📧 Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
📣 Follow me on Twitter: https://bbre.dev/tw

This video is part of the case study of 187 IDOR bug bounty reports. In this part, I take a look at what types of IDs were used by vulnerable applications and, where relevant, how the hunters predicted them.

Mentioned videos:
   • $28k IDOR that broke Apple Shortcuts ...  
   • $5,000 YouTube IDOR - Bug Bounty Repo...  

🖥 Get $100 in credits for Digital Ocean: https://bbre.dev/do

Timestamps:

00:00 Intro
00:45 Decimal IDs shorter than 8 digits
01:59 Check out AppSecEngineer, the sponsor of today's video
3:03 Decimal IDs shorter than 8 digits - continued
4:42 Decimal IDs 8 digits or longer
9:25 Name/email as identifier
11:28 UUID
13:57 Other non-bruteforceable
18:00 Hexadecimal IDs of 8 or more digits
20:35 Other - bruteforceable
21:50 Hash
