Live IDOR/BAC Hunting on a Real Target

Added: 2026-05-13

[00:00:00]In this video, I'm going to be testing for ID door and broken access control in this live hunting session. If you don't know who I am, my name is Logan Sack.

[00:00:06]I've been a bug bounter for the last nine months now. I've submitted over 30 reports on hacking when alone. I recently got my first belly bug on the Canadian government. Also, join the private list if you want the JS Recon animation when it drops. I'm seeing it there first. Link in the description below. Basically, what the JS Recon is is what we've been going over recently.

[00:00:23]I've been running this horror recon.py Pi and it's been compiling to get us these results right here. So it created the JS directory, GF out and then some other things like LF out and SF out which is just secret finder and link finder stuff. And now I've been going further and actually getting some results which is what I'm going which is how we're going to be testing for idle and broken access control. This is something I've never done before but I actually think this is a really really good way of doing it. So right here is no hit paths. These are paths that they were in they were found in JavaScript.

[00:00:58]However, they were not found when I had Okay, so these are these are paths that were not hit in my HTTP history. The reason I know this is because I actually used the application like a regular user for about six to 10 now about two to six hours. I just used the application and I had my Kaido HTTP history on and it's been just been capturing requests. So the next thing I did is I loaded up claude code and I had it um use the my Kaido skill and check for every single path and because all the important paths I put here in this folder called LF notes every single important path is here. So I said cloud code look through look at all these paths and then look at my HTTP history and whatever ones you don't see in there put them in here the no no hit paths and then from there these are going to be the paths I want to focus on because these are the ones that are less less likely to show up in the UI because I didn't see them when I was doing my manual reconnaissance. So this is we're going to be looking for broken access control and IDOR.

[00:02:02]So let's get started. Pass from LF notes. I haven't really read this yet cuz I I was really excited to do this. I actually want to do this um live so you guys can see it as well. So we have internal settings, notifications, hit pass. Let's see what's I want to look for stuff developers web hooks invite.

[00:02:24]Okay, this is going to be good flow.

[00:02:26]Note was hit. Note token was hit.

[00:02:29]Specific token in history. Okay, let's just start invite because this is an interesting one. We can do lots of ID door stuff here. We have like recent, email, pending, user, verification. And I still have no idea what validator is.

[00:02:42]No idea. So, what I'm going to do is I don't like to take my notes in here. So, I'm going to go back. Actually, I'll just create another one. Oh crap. I don't like it that way.

[00:02:53]Control shift T. And then I'm going to go back. I'm going to take my notes in the manual recon.

[00:03:06]Okay, now I'm just gonna I don't want to do like that. So, okay. Yeah, inside here.

[00:03:19]That means I'm going to have to have two PS codes open, which is a little annoying, but it's okay.

[00:03:24]So, findings.

[00:03:26]All these findings aren't really anything big. That could have been something but session because I would have no idea how to get the the token that required to make that something. So I guess I'll just here it is. Invite function. Let's just start here.

[00:03:42]Okay.

[00:03:44]Okay. So this was for the second account. So first let's just log in to the second account. Okay.

[00:03:54]which would be here it is.

[00:04:04]Okay. Incorrect email or password, of course.

[00:04:09]Um Huh.

[00:04:12]Try it one more time.

[00:04:15]Nope. Okay. So, I forgot. Wait. No, no, no, no, I didn't. No, I didn't.

[00:04:23]There you go. Okay. Now, this is kind of annoying how it has you do the phone number thing every single time.

[00:04:30]But, you know, it is what it is.

[00:04:34]Okay.

[00:04:40]Okay. So, we're in this account has not been verified yet.

[00:04:45]The verify account thing is really just doing this because it already did have me verify my account. It's just wants to set this up as well.

[00:04:53]So turn on sandbox said to do all testing in sandbox. And I already have my match and replace rule set up which they told you to have right here. Header bug crowd thing on. Yep.

[00:05:05]Now we want to go to settings. We're going to go to team members and roles and see here how I've invited the another account. This one as a viewer.

[00:05:19]So for now, first thing I want to do is I want to check out the oh right here. So we have merchants portal invite resend pending user. So I just want to start first I want to start by hitting these endpoints I haven't hit before. First thing it would just be easier just to delete user. And actually that's curious. What request am I going to see when that when I do that? See so I'm going to cue it. Oh no no no.

[00:05:45]I I forgot to turn on um forgot to turn on the proxy. Okay, that's fine. We we're gonna get to that.

[00:05:53]Okay, so I guess we'll just start with invite member. Oh, and now I'm queuing, aren't I? Yep. Okay, so full name. Let's go test email address. We're just going to do the same one.

[00:06:10]We go. And now let's assign it a viewer role. And I just want to see what these requests are looking like.

[00:06:18]Can we invite multiple users at the same time? Would there would it be different to invite multiple users at the same time?

[00:06:26]Would like the request be different?

[00:06:28]That's that's a good hypothesis right there. Okay. Wrong one. Okay.

[00:06:35]Testing the invite members functionality.

[00:06:47]Okay. Whoops. Is it the same to invite multiple users?

[00:06:57]Let's say members members at the same time as just doing one because there's difference. What would the difference be? And it's an exploitable.

[00:07:11]So, okay, let's see. So, this is what one looks like. You have the email here, roll basic full name. He has this capture token thing.

[00:07:24]Uh, I'm pretty sure they have this token.

[00:07:27]Where is this token? I wonder if this token leaks anywhere because I believe that is the token that's like genuinely affecting like everything that's going on.

[00:07:39]Like I'll I'll show you guys. I believe it is. Let's just forward. Look, let's look at the request real quick. So status pin.

[00:07:49]Can I change the test status from pin to like something else?

[00:07:57]Let's see. Is permission block false.

[00:08:02]Roll basic. Roll basic.

[00:08:05]Okay.

[00:08:08]All right. These findings are just all GraphQL stuff.

[00:08:14]So for now, just invite successfully sent.

[00:08:18]So that leads us to the Oh, right. One more thing. I want to try the add user thing. Is it different if you do two at the same time? Test two. Test two.

[00:08:28]Email address. I'm just going to make them random. Random login.com.

[00:08:35]Roll. Let's just say compliance admin.

[00:08:38]Test three. Test three. Email address random two. Three, I guess. Whatever.

[00:08:46]Logan sec login sack.com whatever this is whatever and we're going to make this one make this an admin now we're going to turn back on again and see what we get I I know I said we're setting ID broken control that's exactly what we're doing just got to set up by understand what's going on with the functionality first so users user is that different from how this looked No, I'd say it's the same.

[00:09:21]B1 B1. Okay.

[00:09:26]Okay. So, doesn't appear to be the same.

[00:09:30]Now, let's just Now, let's look at the request.

[00:09:39]Success. Random. Pending.

[00:09:46]And then you have the second one right here.

[00:09:52]Okay.

[00:09:56]It appears to be the same.

[00:10:00]Appears to be.

[00:10:03]Maybe with something like they'll receive the same email though. If I'm going to test the same email, I need to do real ones. But anyway, I want to see what happens next.

[00:10:12]It's like when I delete one, when I delete a user and perfect thing to do that on is on fake accounts.

[00:10:23]Okay, it's the same one as before. Just this has been changed from post to delete.

[00:10:30]And all I need to do is put the email.

[00:10:34]Okay, I got watch this.

[00:10:38]Actually, I have a hypothesis now. I believe that the only thing stopping me from getting a basic ID door would just be knowing this token. If I can know this token, I believe I can do this cross account.

[00:10:56]Let's let me remove the token and see what happens.

[00:11:00]Where' the token go? Oh, here it is.

[00:11:02]Just remove it.

[00:11:04]Forward. See bad request. Merchant portal invalid session.

[00:11:10]Is that token set on session or is it mean to drop?

[00:11:15]Oh gosh, I just got something so laggy.

[00:11:19]I wonder if the it's going to change now that it's logged me out.

[00:11:25]That actually would be annoying. So, this token should be exactly the same.

[00:11:30]Now I just want to know like what the does the token change because if the token um will change on session like log out then that's going to be not very persistent persistence won't really be there but if the ID is always the same then then that becomes interesting and then it's all about just how do I get the token because I can get the token then and it works cross account then that's like that's good night like that is a bug Okay, so I'm back in sandbox back on settings team members. All accounts are still here. Okay, now let me just try to do a dangerous action so I can just see that again.

[00:12:16]Delete.

[00:12:19]Let's see. I hope token stays the same.

[00:12:21]Nope, the token has completely changed.

[00:12:22]Yeah. Okay.

[00:12:25]Okay.

[00:12:27]So we know that without the token you will be logged out. Okay, let me actually start taking notes on this stuff now. So let's name it like important because this is kind of just more global stuff.

[00:12:45]Token is a required header for requests.

[00:13:00]Without it, if without it, if you try sending a request, you will be logged out.

[00:13:21]However, on logout token previous token will be invalidated.

[00:13:39]And actually, we don't know if that's true or not. All we know is that the token has changed. Is the previous token invalidated? We don't know. So, that's next thing we're going to I'm going to test. I can test that really really really quickly. Just go here. Get this old token because this was a valid token. So we do know that. So this is like this. Oh, right here. First I door test first. We're just trying Wait, does this count as an IDOR test? Broken access control. I don't know. I mean, we're swapping an ID. So hey, I didn't say I was a teacher. This is me bug hunting. Okay, this is how I do it. Call this whatever you want. So I grab the old token. The old token that used to be valid. Now I'm using it here. What happens?

[00:14:20]So yes, they do invalidate the token.

[00:14:26]And now I should be logged out again.

[00:14:28]Exactly. Yep.

[00:14:30]But what if I try the same action again?

[00:14:33]Cuz I was trying a different action.

[00:14:35]What if that was the only reason? Cuz I I don't believe that will be the reason.

[00:14:40]But you need to test for all scenarios.

[00:14:43]Like maybe it really is if I was doing it the same way like post I'm sending a basic I could do that with the same token and delete just uses a different token. I don't know that. So I'm going to log back in and try it with the exact same request.

[00:14:58]Okay.

[00:15:03]Haven't started any cross account stuff.

[00:15:05]I just want to get a better understanding of how on one account works.

[00:15:12]I just want to I really believe recon is the secret to becoming a really really good bug bounty hunter. And the more information you can get about a target, the more you understand, the faster you are, the more efficient you become at learning things and doing good risk reconnaissance, I truly believe that will make you a way better hunter.

[00:15:34]Okay, so try again. Name it um hacker hack.

[00:15:41]Oh, my bad.

[00:15:44]Hack at hack.com.

[00:15:52]Okay. Roll viewer. Now we're going to see. Look at the token. I completely expect it to be a different token.

[00:16:03]Where is? Yep, different token. We're going to do go replay. Get the same old token, but this was the exact same request.

[00:16:11]Let's get that old token right here and plug it in.

[00:16:26]Okay. Yep. Still failing.

[00:16:29]Operation ID.

[00:16:32]That's not the token, is it? That's not the correct token, right?

[00:16:37]No.

[00:16:43]All right. Now, I do it the other way.

[00:16:44]Okay.

[00:16:47]I don't believe so.

[00:16:57]No. Okay.

[00:16:59]Okay. So we can now clear cleanly say that token is required is a required header for requests at least sensitive ones and without it if you try sending requests you will be logged out. However on log out previous token will be invalidated.

[00:17:17]Therefore let's say you're an attacker and you find a way to get a a token. As soon as the user logs out the token will no longer be valid. So you continue you would continue needing to get the new token. if you want to perform sensitive actions. However, we have not tested whether cross account works yet. So, that's the very next thing we're going to do is make sure cross account works with a correct token.

[00:17:39]I believe so, but we're going to test to make 100% sure.

[00:17:45]So, that's what this is. I still use Burp here just because it's easier, but maybe I should use Firefox on my Chromebook. I don't know why I said Chrome. This is a computer. But um because Firefox has allows you to have this thing called multi-containers. So you can have two different sessions.

[00:18:05]It's like two different session cookies and all that in the same browser which makes testing so much easier. Well, testing item and broken access control so much easier. So if you use Firefox, like let me just show you guys this real quick. So if you use Firefox, get this extension. This one right here, the Firefox multi- account containers. Like look at this. Now I'm in account A.

[00:18:28]Now I'm in user B. These are two different sessions. So you can have you can be logged into two different accounts on these things. And then you still have the main one here. Yeah, they they don't have like they don't have anything like that for Chrome though.

[00:18:40]Anyway, I got to set up the target and scope. It's It should mostly just be one thing though, right? Dashboard.rapid.

[00:18:47]I'll just add API.rapid.net as well as well just in case. And then remember, don't include subdomains. Not for this.

[00:18:56]And this the other one is called API, right? Let me check.

[00:19:04]Yeah, API.

[00:19:06]This is the only one that's paying um the high this this is the one the only one that's tier three premium.

[00:19:16]I wonder where API is cuz I don't know.

[00:19:19]Oh, wait. No, don't include subdomains.

[00:19:22]Okay, now we just need to log in.

[00:19:31]And what account I'm going to use? I'm going use Logan sec plus one.

[00:19:44]Bugcrowdninja.com.

[00:19:53]Maybe I should click stay signed in because like I do this so much.

[00:20:10]Okay. So now on this account I am going to try to use a token from account three on account two.

[00:20:28]First off, turn this on.

[00:20:35]Settings.

[00:20:37]Oh, wrong one.

[00:20:41]And now we're going to do some invite member stuff. Going to delete this one cuz testing kind of became corrupted with that one. I was doing some other things and now I'm just not sure if whatever I do on there is cross count or not. So, okay. So, log back in here.

[00:21:03]Do the same thing again.

[00:21:18]Okay, logged in.

[00:21:22]Team members and we're just going to going to add somebody invite member.

[00:21:32]Oh, does it change after that? That another thing another thing. Does the token change after every request or is it per session? I believe it's per session, but let's see. That's another I just got to test these things. Okay, actually I don't even need to create a user. I'm just going to test that. Let me just look.

[00:21:48]I just like to do intercept because it's faster to me than um looking back HTTP history. I just need to do is forward and I did not look at the token. Does the token appear again in here?

[00:22:03]No.

[00:22:04]No, it doesn't.

[00:22:08]Some operation ID stuff though.

[00:22:11]Let me just look here. Okay. Delete.

[00:22:14]What's the token?

[00:22:16]Is this the token? Is this just going to be the token for everything or is that the token for a single request?

[00:22:22]Delete. Okay, now let me just do it again.

[00:22:25]See if token's the same.

[00:22:33]Match token's the same. It's the same on delete though. Let's just drop that. I don't care. I leave that. And I'mma add another account. See? So, let's name it youu email you yo loansack.com.

[00:22:52]roll viewer. I'm just going to see if token's the same again.

[00:23:02]Oh, oops.

[00:23:06]I added it twice.

[00:23:10]So, token's the same. So, it is per session.

[00:23:13]I don't want to invite that guy. So, okay. So, now we know what token is.

[00:23:22]I've already controlled it. So, control seed it. So, um I'm go here. Going to invite a member. Name this guy. Um let's name him Fred. Fred Bob. Email Fred.

[00:23:39]Fred Boblogan.com.

[00:23:45]Roll. No options.

[00:23:49]How come there are no options, bro? What?

[00:24:03]What you mean no options?

[00:24:10]Why have I been blocked?

[00:24:13]I literally didn't do anything.

[00:24:18]What?

[00:24:22]It just logged me out. Why?

[00:24:26]I I don't know.

[00:24:29]Um, what what are we What is going on here?

[00:24:54]sec at bugcrowdninja.com.

[00:24:58]Let me check my email. What is going on?

[00:25:00]That's That's strange.

[00:25:06]Um, yeah, just got the only thing that's been sent to is just email invite that we did at the very beginning.

[00:25:16]I was just using this information.

[00:25:30]Okay. I forgot password.

[00:25:40]Oh my. Okay. Go email. If an account with this email address exists, you'll receive an email.

[00:25:49]Okay, that looked like an error for some reason.

[00:25:56]What is going on?

[00:26:03]Um, bro, you guys saw that I was just in that account.

[00:26:10]Can I say like that account didn't exist?

[00:26:15]What?

[00:26:21]I'm literally checking all mail right now. Checking trash. Checking spam.

[00:26:28]Bro, it's nowhere.

[00:26:33]What in the world just happened? Let's try phone.

[00:26:41]because it does it does exist.

[00:26:45]Okay, we're just on the verge of testing something. Come on. Not don't don't have them here right now.

[00:26:50]Okay. Yeah, they choose right now. Okay, whatever. Whatever. I have more accounts.

[00:27:05]I just use the main one for this purpose for purpose we're using it and for right now it's fine.

[00:27:13]I just like spelled bug crowd wrong. I don't know.

[00:27:26]Okay.

[00:27:33]Okay. What's going on? What's going on right now? Now I'm actually like, what's going on?

[00:27:41]Logan secbugcrowd ninja.

[00:27:47]Like that is the email.

[00:27:50]Let me go here and check. Yeah. Logan sack bug crowd ninja.

[00:27:57]Logan sack bug crowd ninja.

[00:28:06]Why?

[00:28:08]Why are we having these problems?

[00:28:10]Is it something going on with Cali?

[00:28:14]Oh, whoops.

[00:28:17]I mean to do that.

[00:28:22]Let's go and let's try dashboard again.

[00:28:24]Let's try to log in. Let's do this account, too.

[00:28:34]Yeah, this account is fine.

[00:28:38]Let me try any of the other accounts.

[00:28:42]I We were just in this one, bro. What? You saw that? I I tried the exact same password.

[00:29:03]Why? Why is that happening?

[00:29:06]Oh, you know, this is why like actually I was about to blame Burp and say this is why I don't use burp. That had absolutely nothing to do with burp. So, whoops.

[00:29:18]Okay. Um, why did I get two codes for Oh, yeah. Okay. Um, now I'm just going to use Chrome Dev Tools to look at the token. Who cares? It looks a little bit more annoying to me. It's fine.

[00:29:31]Whatever. I don't care.

[00:29:33]Oh, wait. No, I can't do that cuz I can. It's just I don't like it.

[00:29:40]What's going on with Cali, bro?

[00:29:44]I just like, bro. Okay.

[00:29:47]Is what it is. Which Which account is this? This one. Okay. Settings. Team members is what I need to do. Go inspect and you need to go network all and then just create some random bobber burger email address boblogan sack.com roll viewer and now I wish I could like stop it from sending but I don't know how to do that. So I just get the token.

[00:30:22]Okay. So now I need a specific one that contains the token.

[00:30:28]Yeah, this is the response. I think that's the right response. Yeah.

[00:30:32]Now I just need the header because I need the token.

[00:30:40]Here it is. This is the token.

[00:30:42]So now I'm going to do it the other way.

[00:30:43]Instead like this. Grab it.

[00:30:46]Go back here. Oh, wait. No, it's still in here. Just here. And now we're going to go back and run to test it. See if I can.

[00:30:58]Okay.

[00:31:00]Okay. Okay. Should be fine because the other account is still signed in.

[00:31:08]I Okay, let me tell you this. Testing for Idor is not usually this hard.

[00:31:14]Usually accounts will just log in and then when you log them in, they stay logged in.

[00:31:30]That was Yeah, who knows? Maybe I did type in it wrong. Yeah, that's what I typed in wrong.

[00:31:45]What is going Okay.

[00:31:50]Okay. So, I'm going to assume that the problem is you're not allowed to have two different login accounts using the same um IP.

[00:32:09]Genuinely, I don't know. Like, let me try one more time. Maybe it's just bugging.

[00:32:15]Like, hopefully this video isn't like this live isn't just super boring, but this is genuinely what's going on right now. So, okay.

[00:32:30]Now, we're going to go back to Cali and try it here. Let me just see if I can just I reset my cookies. Maybe that'll help.

[00:32:46]Delete.

[00:32:48]Delete all session cookies. Just delete them all.

[00:32:52]I said delete all.

[00:32:55]Okay. Hopefully I did it.

[00:32:58]I'm just going to reopen it.

[00:33:03]Come on, bro.

[00:33:07]Okay. It was not this hard to have two accounts before.

[00:33:15]What account even is this, bro? I don't even remember.

[00:33:20]So, this is account two.

[00:33:23]Okay. Yeah. So, this is plus two.

[00:33:26]Yeah. Okay.

[00:33:35]password.

[00:33:41]Okay, I just need to um just need to verify why why is there no button genuinely?

[00:33:55]What is going on?

[00:33:58]Here you go. Here you go. Turn off the proxy for a bit.

[00:34:21]Yeah. um password.

[00:34:27]There you go.

[00:34:33]Finally got the code.

[00:34:42]Guys, I genuinely don't know what to say.

[00:34:45]Why is it not logging me in? I I I don't know. I Okay, we don't give up so easily though.

[00:34:53]No, we're going to do now. I've just I went into one of those containers I was talking about. Now, this is a new session. This is a session that's never been on this website before password Bro, for security reasons, your account is temporarily locked. Please try signing in later or contact support.

[00:35:40]Of course, of course it is. Of course it is. Okay, one second, guys. Let me check my email.

[00:35:48]See if I got an email I can show you guys.

[00:35:51]Like actually, I'm not even receiving emails. You're just going to temporarily lock the account and not send me an email like, "Yo, by the way, your account's been locked." Or anything?

[00:36:02]Nothing?

[00:36:04]This isn't important. This isn't all mail. This isn't in spam. This is nowhere.

[00:36:12]Why?

[00:36:15]Okay, so that account has been temporarily banned. Am I even still logged in here?

[00:36:23]At this point, I don't even trust this.

[00:36:26]Okay, so I am Let me write down that token before I forget it. I was supposed to use it right away.

[00:36:36]What? Okay, here's the token. It's only going to be a valid for as long as the session is valid.

[00:36:43]And none of my accounts seem to want to work. I just go right back up here and try this again.

[00:36:51]Maybe if I try turn putting on a VPN.

[00:36:54]Maybe that'll work. Okay, this doesn't work here. I'm going try a VPN.

[00:37:02]Oh, wait. This kind of just been temporarily banned.

[00:37:06]Okay, that's fine.

[00:37:11]Oh, wait. No, wrong password.

[00:37:17]Okay. Block banan that account too.

[00:37:21]Okay.

[00:37:22]This account. Okay. I'm I'm logged in on this one. I am logged in.

[00:37:32]Wait. No. No. This is This is plus one.

[00:37:37]Oh, so I was trying to log in the plus two, but I just Why is it banned? What if I just make it something random? 55.

[00:37:49]This account isn't locked.

[00:37:53]What is this? What is going on?

[00:37:58]Okay, we're going Dev Tool. This was supposed to be an ID door video.

[00:38:02]What is this? Why?

[00:38:05]For security reasons, your account is temporarily locked. Please try sign in later or contact support link not opener class.

[00:38:18]Contact support, bro.

[00:38:28]Genuinely, why?

[00:38:32]Okay.

[00:38:34]Okay, I'm going to try to turn on a VPN.

[00:38:36]Okay, just turned on a VPN.

[00:38:39]Now we're going to try again. Just got to clean clear the session first.

[00:38:58]And then after clearing, I'm just going to like open again.

[00:39:05]here we go.

[00:39:13]All right.

[00:39:19]Okay. Now, now the moment of truth. It doesn't log me in here.

[00:39:31]and I get logged in.

[00:39:33]Okay, finally, finally, finally, finally. Is this one still logged in? It's been such a long time.

[00:39:43]Okay, this one's still logged in. Let me check one more time by saying another one of these to make sure that the token has remained the same or does it switch after a certain amount of time? Guess we're about to see.

[00:40:05]Where's it at? Users. Okay. Now, all I want is the header token. Token token.

[00:40:10]Believe the token is the same.

[00:40:18]Okay, I did it wrong.

[00:40:21]What am I doing, bro? Oke.

[00:40:26]How did I capture the to Oh my goodness.

[00:40:30]Okay. Why is everything just like going awkwardly?

[00:40:36]Okay, token same.

[00:40:39]Okay, now I can finally test the one thing I've been wanting to test this entire time.

[00:40:48]Invite member tester. Bob Bobby O Bobby at login.com roll viewer queuing.

[00:41:14]Finally.

[00:41:16]Now, all we need to do is change this token and see what happens. That's all I wanted to do this whole time.

[00:41:32]Okay, let's see what happens.

[00:41:35]200. Okay, success.

[00:41:39]ID Bobby pen.

[00:41:43]Okay, so it does work, but it should not be here.

[00:41:48]See, Bobb's not here.

[00:41:50]Refresh it.

[00:41:54]Bobb's still here. So, yeah, Bobby went over to the other section section.

[00:41:59]Look at this.

[00:42:06]Yep, Bobby. Okay, so we have confirmed after about 30 minutes of complications, we have confirmed that all you need is the token to perform sensitive actions. Well, at least we know to do the create. Is that a bug in and of itself?

[00:42:25]Maybe. But how do you get the token?

[00:42:28]Especially because bug crowd is so big on impact that without it, I don't know.

[00:42:34]So let me write that down with especially because the token is session scoped. It's tied to the session as well with only token only the header token. Let me put this in these um attacker can perform CRUD.

[00:43:00]What does it call it? CRUD operations on invite functionality probably more probably works across entire application. I should probably just put app but application makes me sound more intelligent.

[00:43:27]Okay, so now we have something. Now, if anything, we just want to escalate. How do I how do we steal tokens? How do we find tokens? So, the very first thing I'm thinking is when do the tokens get issued in the signin process. That would probably be the easiest place to steal a token or if we can find XSS, which I have never been able to find in my entire life except for Port Swigger Labs. So, just going to write this as next question. Guess you can also call it chaining. This is what you'd call chaining. When you find a vulnerability that isn't on its own alone isn't enough to be a bug. However, this I guess would you even call this a vulnerability? I don't know. But I find one edge case. If I can find another edge case alone, both those aren't anything. But to combine together, now you have a valid vulnerability. That would be chaining. What we are trying to do now, how can an attacker gain access to a victim's token while it is still validated?

[00:44:41]If we can answer this question with something other than like steal their email or something that's not that's not actually like middleman, don't need to be there. know social engineering then we'd have a valid book.

[00:44:56]Okay, so first off, let's look at the flow. It's going to be so annoying to log back out after I got in, but it is what it is.

[00:45:08]It's all for the content, bro. All for the content. I did the incognito.

[00:45:14]Wrong logout. Okay, it's fine. Whatever.

[00:45:20]Okay. So, we need to map the flow of login to see where this token is issued.

[00:45:26]All right. So, go here password.

[00:45:34]Is this even IDOR if I'm being honest?

[00:45:36]Have we been No. No. That was cross account stuff right there. So, that is IDOR. And now we're broken access control. Whatever. Whichever one you want to call it. I'm just trying to find the chain to complete it.

[00:45:46]So forward, there's like this really big JavaScript file that if I end up getting here, it would just freeze Kaido. So I have to make sure I avoid that.

[00:45:57]And now you've seen the password right here, but whatever. I'll just change passwords later. Um, so you have a few cookies. A token shouldn't already be here.

[00:46:11]see um user agent origin.

[00:46:15]Okay, now we're going to forward go through these requests. We're looking to see where the token gets issued because if the token actually got issued here before we even did the um the phone OTP, then that would also be like final creds issued too soon, which is also a bug.

[00:46:33]It's like for example, if you type in your email, wait, is that the token?

[00:46:40]Is that the token?

[00:46:50]Oh man. Is that token token?

[00:47:04]Um, what if I were to turn that off, too?

[00:47:14]That's something I Oh my goodness.

[00:47:19]Is that the token?

[00:47:25]Oh gosh.

[00:47:28]What was I saying? So, basically, okay, let me finish explaining. So, let's say you log in and the only thing you've typed in so far is you've typed in the victim's email. If you get the final credits, like you get the cookies, you get the headers or whatever you need for authenticated stuff before typing in the password, then you have au you have bypassed authentication and you now have access to the account before you've actually finished authenticating, which is a bug.

[00:47:58]So basically I'm just seeing like can you do that without having to do the OTP which is required because in that case that's how I got the token.

[00:48:10]Okay. Yeah. This just I know that's not what I want. This is what I want. OTP code.

[00:48:17]So that's the token.

[00:48:21]Okay. So do they issue a different token or they just keep it the same?

[00:48:26]What do you mean bad request?

[00:48:29]I typed it in just as I saw it.

[00:48:34]Okay, turn it off. Whatever. No, I do want to see that. I want to see the successful one.

[00:48:45]I don't know why this is being so difficult right now.

[00:48:50]Just work.

[00:49:02]Okay, there you go. So, I'm pretty sure the token just stayed the same. But is there anything here?

[00:49:12]Nothing there. But, um, bro, why' you have to leak my entire phone number?

[00:49:18]Oh my goodness. I'm going to need to go back and blur that. But anyway, is this the same token or they issue a different token?

[00:49:29]You guys probably won't see this whole thing because it would just be annoying for me to blur a small tiny piece. So, I just blur like the whole thing.

[00:49:40]Okay, token's the same. Now, the only thing is does it get changed or does it stay the same?

[00:49:46]It's just forward.

[00:49:49]See what's going on. Which one is it?

[00:49:51]This one. Okay.

[00:49:53]Now, once again, we do not want to get that stuff. That's the I think that's stuff that crashes my computer. Not the computer, just Kaido. But, okay, here he goes. Post users login token.

[00:50:05]Ah.

[00:50:07]Oh, here we go. Look at this. This is that same token.

[00:50:14]Making sure.

[00:50:15]Getting rid of that. Putting this in.

[00:50:18]Yes, that is the same token. Could we skip not this is not idle at all but could we skip the OTP the phone OTP and skip right to this request and put in the token right here.

[00:50:33]That is actually a very plausible attack method. Very plausible. And see the only thing here in the post is just plugin registration prams null. Like that is light work.

[00:50:47]Okay, that is definitely going down as an attack method. That is a that is a really good attack vector. Okay, this is not related at all. So, let's just create something called OMD uh authentication attack vectors like that is a really really good idea. Endpoint Okay. Whoops. Here.

[00:51:20]Okay. And then just header required token header.

[00:51:32]And that's that's it. And now that that is it.

[00:51:36]And then um attack attack vector.

[00:51:44]Um after typing in email plus password user uh no response will contain token.

[00:52:06]use this token on this endpoint.

[00:52:13]Skip OTP and go here.

[00:52:22]If if this logs user user in attacker will have successfully bypassed phone OTP.

[00:52:46]Part of me hopes it works, but part of me hopes it doesn't so I can upload this video today because now we went from like a lot of annoying issues to this is actually some cool stuff. But I mean, I want to pop bugs. So, y'all going to have to wait if this is a bug. So, uh, let's see. First off, oh, what am I doing here? Just go back here. But, um, back here. I've waited so long at this point. It should be fine, though. So, forward 200. Okay. And now does it issue a different token? No, no, no, no, no, no, no.

[00:53:19]Why? Why? This is the really wrong. This is the really long request. I need to capture this request.

[00:53:29]I need to see what this is. I I need to know. Does the token change?

[00:53:36]What's the access key? I don't know, but I need to see this, bro. Yeah. Oh, no. No. No. This it.

[00:53:45]Bro, I need to get my control A. I need to get this stuff. Please, please. We're going to have to wait. We're going to have to wait. I don't know how long this is going to wait. This is going to take.

[00:53:53]So, oh my goodness. But we need to get this. We need to get this. Okay. I think hopefully, look at this. I think I was able to copy it. Now, I think that's JSON. So, I'm just going to go here and type in um response. I mean, I'll know cuz this is not something I usually do.

[00:54:10]JSON.

[00:54:12]Come on. Please. Please.

[00:54:15]You did not put it all in a single line.

[00:54:22]Okay. How do I um format document?

[00:54:28]Let's go. Let's go. Lay slow. Let's go.

[00:54:31]It's all here. I mean, this is super super long. I kind of only need to see the beginning.

[00:54:38]Yeah. Let me just close burp. I mean Kaido because that's just gonna freeze my computer like crazy. I just closed the whole thing. I'll just reopen it in a second.

[00:54:47]So that's just gonna stand up. All right. Now we can finally look at it.

[00:54:52]Let's see.

[00:54:55]So via x param set cookie operation ID.

[00:55:06]Let's look at this.

[00:55:12]Let's go here.

[00:55:14]I go here. Shouldn't be the same as that. No. Okay, that's okay.

[00:55:20]I've never gotten to look at this cuz it always freezes. Alias not applicable.

[00:55:25]ID.

[00:55:28]This is super long. Why is it so long?

[00:55:31]Why is a JSON body so so long? Access key. What does access key provide value to?

[00:55:39]That's actually like I'm about to put some Claude code up too and just see what's going on because why is the response so long?

[00:55:49]Yeah, I'mma got to see organization access key.

[00:56:00]Is sandbox available? False. Catching that is true.

[00:56:05]Okay, I don't really see anything all that.

[00:56:09]This has to be something of grave value for it to be such a long response body.

[00:56:15]Why would the response body to log in be so long?

[00:56:22]Access control allow credentials. True.

[00:56:26]Access control allow origin. This is the only origin we're allowing.

[00:56:34]Why is it red though? I think that just means one problem is in this file. It's just really a large file. I think that's all it is. Okay, I'm about to actually put clog code on that. But first, I just want to see log open backup Kaido. And I just want to see if the access tok if the token is the same because if so, then we have a bug. And then I got to I got to investigate why the response is just so long.

[00:56:59]But okay.

[00:57:01]It should finish loading though.

[00:57:04]Be honest.

[00:57:06]I can't even complain. That That's fair.

[00:57:08]Like that's that's valid. So now I'm just going to get the token. We've already seen everything. So I'm just going to get the token, look at what the token is, and then from there just finish the login. Okay.

[00:57:23]Okay, bro. I need the um I need the verification thing, though. Come on.

[00:57:29]Oh, it just logged me in. That's cool.

[00:57:34]I just need to see like what is the token. Please say the invite token is the same. Come on. Come on. Fred Freddy email redster at Logan Sack.com.

[00:57:52]View roll viewer. Let's see what's that token. What's that token?

[00:58:02]Come on. Come on.

[00:58:08]It looks the same.

[00:58:11]It looks the same.

[00:58:14]But is it the same?

[00:58:20]The token has remained the same.

[00:58:24]That is the exact same token as after we had entered the email password had not done the phone OTP yet. And this is the same token that finishes the login for logging you in. So now we know this is how you get the token. Now that leads to new questions. I like I said in past videos, don't get lazy and report too soon. First off, we could have just reported after figuring out all you need is a token to get the cross cross account. Now, but then instead what we decided to do is we decided to wait and see if there was a way we could access the token. And now we know just that but just by knowing the victim's email and password. You know that's a lot. Let me let me straight up honest that is a lot to know. We just need to know that and then we can get the token verify. But we can skip one of Rapid's other verification things that they do have, which is they require every single user, unless you turn it off, I believe, to have to enter a phone password to finish your login. If we can use this token to bypass that, or maybe we can just use this token to still do things on the back end using the um using Burp request responses, we can still use stuff. then we've basically gained access to another person's account without having access to their phone, which is supposed to be the final line of security defense.

[00:59:50]Okay, so at this point, this should be a bug. This should be a bug. But first, let me just make sure like this this function worked.

[00:59:59]We just forward 200. Okay, let's go.

[01:00:06]This is good. This is good.

[01:00:08]successfully sent.

[01:00:11]Okay, that is good. That is good.

[01:00:16]So, we do have a few things to test now.

[01:00:18]We do have some things to test first. Obviously, write that down. Write that down for sure.

[01:00:28]Okay, let's start here, though.

[01:00:36]So this was just a note but just going to write note.

[01:00:41]All right. So confirmed.

[01:00:48]We put like a the when attacker types victim email plus password.

[01:01:04]The response will contain the token.

[01:01:15]This token will not change after OTP verification or on final.

[01:01:36]End final path login.

[01:01:41]Oh, I hate when it's like that.

[01:01:47]Token can be used for all the invitation functionality.

[01:01:59]probably works for all functionality has not been verified though.

[01:02:10]So now we just want to know can we skip OTP?

[01:02:14]That is now the big question. If this logs user in attacker will have successfully bypassed phone OTP which is the next thing we want to figure out.

[01:02:23]So, have I sent Did I send that request to response?

[01:02:28]I have so many of these online. Yeah, here it is. I'm just going to delete all of these. Like, what the That is a lot. Okay, now I just want to see this. That's it.

[01:02:40]That's it.

[01:02:43]So, we're going to log out and see this.

[01:02:46]If we have this, then that is a bug. And I'm probably not going to report it yet cuz I think I can get like some mass eye going on. Okay, I'm glad I didn't do this in the morning. I decided to get this get this live because this is this is big. This is big.

[01:03:02]Okay, make sure testing is completely good. I'm go back in here. Make sure I reset the cookies.

[01:03:08]Clear. Clear.

[01:03:11]Okay, refresh.

[01:03:15]Okay, verify.

[01:03:20]And now we're gonna try it.

[01:03:29]Oh, I wish I kept some of the I can find them. It's fine. I But I was going to say I wish I kept some of the requests from um like invite delete users. That way if I don't log in the UI, I can test like backend stuff.

[01:03:43]Okay, this will obviously work.

[01:03:50]And now we have the new token and it sent me the phone OTP. So you can't turn off phone OTP because it's already sent after the request is sent, not after response. But maybe you could bypass it just by changing that. I don't know. But probably not. So let's go token.

[01:04:11]Just name this test. And now uh token.

[01:04:17]Yeah, that's the new token.

[01:04:19]Now we can just forward.

[01:04:26]We can turn off queuing for a minute.

[01:04:29]And now here I have an idea. It's a little interesting. So what I'm going to do, I'm just going to type in a random random code.

[01:04:41]I did not verify was human first. Oh, I can just do it now. Okay, nice. So, and then this would be the request. What I'm going to do is I'm going to go to replay. Instead, I'm just going to grab this.

[01:04:53]I'm just going to put it in here.

[01:04:56]Just completely change this request.

[01:04:59]And I just need to change the token to the one we just got.

[01:05:12]There we go. There's only one space, right?

[01:05:16]Yes. One space. Okay. And now for the moment of truth.

[01:05:22]400 bad requests.

[01:05:26]Did not work.

[01:05:30]Huh.

[01:05:33]Interesting. Interesting. Interesting.

[01:05:38]Okay.

[01:05:40]I mean, I'm not going to like take that.

[01:05:42]Just, you know, I'm just going to remove a few things. Let's see what happens.

[01:05:51]Okay, here's a login token.

[01:05:54]Did it just No.

[01:05:58]No way. Right. No.

[01:06:02]Yeah. Another bad request.

[01:06:04]Let me just These are probably all going to return 400. Yeah. So, I'm just going to end queuing.

[01:06:20]Okay. So, that did not work.

[01:06:23]Okay.

[01:06:25]So, maybe I can't change it to change it to um change it like that. Okay. Maybe I just need to do it in the replay. I'm not giving up yet.

[01:06:38]Not giving up yet.

[01:06:42]So, try it again. Wrong one. Wrong email.

[01:06:52]Turn this back on.

[01:06:58]Okay, we got that one first. It's not usual, but okay. This one forward.

[01:07:08]Get that token.

[01:07:13]Got the token.

[01:07:18]Going to forward.

[01:07:23]I keep queuing on. Why not?

[01:07:26]I'm going to try to replay it here instead.

[01:07:33]Oh, maybe it's cuz it has the old it had the old cookies. Let get some new cookies.

[01:07:45]Okay. Yeah, let me get these new cookies.

[01:07:53]Cookies are kind of smaller.

[01:07:56]Oh. Huh.

[01:08:02]I'm just going to see what happens though.

[01:08:07]Got a bad request. Is it Is it because the cookies?

[01:08:12]Do you receive more cookies after you put in the OTP?

[01:08:24]Incorrect OTP.

[01:08:26]Does this have more cookies?

[01:08:34]No, less cookies.

[01:08:39]Okay.

[01:08:46]Okay.

[01:08:50]I think I know what's going on.

[01:08:53]So, you do get the token. However, you can't log in cuz you receive more cookies and those cookies are required for you to then you have enough cookies to actually do that request is what I believe is going on. So now I'm going to put in the correct code and I'm going to see if it issues more cookies.

[01:09:28]Oh yeah, I'm looking at the phone number again. Okay, one second. Okay, so I don't see where it's issuing more cookies.

[01:09:42]And then this is just the final one.

[01:09:44]Looks the same.

[01:09:47]How are these cookies different?

[01:09:50]What's different? What's different?

[01:09:54]Why did mine not work?

[01:09:58]Yeah, cookies are now smaller.

[01:10:01]Let me use the same token again.

[01:10:05]How does it know?

[01:10:08]Is this going to work?

[01:10:11]Yeah. How does it know? How did it know that I have now completed the OTP?

[01:10:20]Does this not freeze my computer? Doing here is not freeze computer.

[01:10:24]But how did it know that I filled in the OTP? These are the same cookies, correct? Yeah, same cookies.

[01:10:34]Same token.

[01:10:37]How did it know?

[01:10:40]How did it know?

[01:10:44]I don't understand.

[01:10:48]I don't get it.

[01:10:53]Okay.

[01:10:57]Yeah. I don't know.

[01:11:00]I don't know. Okay. So, that at least that is off the table.

[01:11:08]Okay. So, failed.

[01:11:12]Did not log user in.

[01:11:15]But you can still check backend commands. Will those work? So that's the next thing to try. So it's pretty much going to be the last thing to try for this um for this live.

[01:11:28]We still do have something. You have to remember that. I mean, we still have the uh way to get tokens. Oh, wait. No, no.

[01:11:34]I'm testing to actually work right now.

[01:11:35]My bad. My bad. So if this fails, then we got nothing. So let's see. Invite member. Let's name him um Sarah.

[01:11:46]Sarah Jones.

[01:11:50]Oh yeah. Sarah um Jones goes here. Yeah.

[01:11:54]Yeah. You're just John's. Whatever.

[01:11:55]Okay. Um Sarah Sar Logan.

[01:12:02]How come? Okay.

[01:12:04]Viewer.

[01:12:05]All we need to do is just capture this and then just put in the repeater.

[01:12:13]It's going to replay now. I just recapture the recapture token. Really shouldn't matter at all, right?

[01:12:28]Can I remove and it still works?

[01:12:32]Let's see.

[01:12:41]Okay. So, the recapture token is needed.

[01:12:42]Yeah. Error. Google recapture validation failed.

[01:12:50]Okay.

[01:12:53]Can you reuse the same token again though?

[01:13:01]That's all I want to know. Let's just change to Jesse and this to Jesse.

[01:13:12]And now just use the same recapture token. False. Okay. So recapture token can only be used once.

[01:13:25]Okay. So, put that under important can only be used once. Okay. So, I will need a second account to test this because I'm going to need that second account's recapture token. Oh, we should already be logged in here. Never mind.

[01:13:44]Never mind.

[01:13:46]Okay, but we're good because Okay, I just need to think about I'm going to test this.

[01:13:52]So, we test We just need to get the token. That's it. We just need to get the token.

[01:13:57]So, I can do this here. Okay. So, now that I have Wait, where the heck is the token? Okay. No, token's in here.

[01:14:06]Token's in here.

[01:14:08]First one failed, but this one succeeded. Okay, first error. And therefore, we have the token. Where's the token?

[01:14:16]Right here. Okay.

[01:14:19]So, what we're going to do is we're going to sign out.

[01:14:23]Did I never turn that off? Okay.

[01:14:27]And now we're going to go to our other browser here. This incognito one and we're going to need to use inspect.

[01:14:35]That's fine.

[01:14:37]Cuz I'm like the goat with dev tools.

[01:14:38]Trust. So here password log in.

[01:14:51]Why did it take me here? I just got to find the login. I just need to look at the response. There it is. There's the token.

[01:15:01]I just grab that token.

[01:15:04]I go over now. I'm just going to log into different account.

[01:15:19]Okay. I don't want to see anything go wrong right now. Oh, hopefully I didn't just jinx something. That would suck.

[01:15:36]Oh my good. Oh my gosh. Oh my goodness.

[01:15:41]Okay. Oh, I just dropped my phone like I typed the code. Why are we doing this once again though? I am right about to test something.

[01:15:51]Bro, come on. Of all the times to like have these dumb errors, bro.

[01:15:59]Just log me in. I'm like, actually, bro, it's genuinely going to be like this right now. It's genuinely going to be like that.

[01:16:26]like, oh my, bro. Okay, I'm going to try the whole VPN thing again. Okay, now let's try it.

[01:16:38]Like genuinely, we are on we right on to something. Now is like the worst time to be running into the same login errors.

[01:16:47]Like actually, bro, why did it just open up Dev Tools out of nowhere?

[01:17:06]Did I write down the token? No, it's fine. It should be my copy thing.

[01:17:12]just work. That's it. We are right. We are at the finale. We are at the climax.

[01:17:23]Okay, I got the login. That is so weird.

[01:17:28]But okay, so now finally go set. Oh, we need to turn sandbox.

[01:17:33]All right. Now, go settings, team members, roles, invite member, Houston. Spelled horribly. Houston spelled wrong as well. I don't even care at this point. You yo at logan.com.

[01:17:54]Roll viewer.

[01:17:57]It's finally time to see.

[01:18:00]Will this work?

[01:18:11]change the token.

[01:18:15]Whoops.

[01:18:21]Here we go. This is what everything we've done today has come to.

[01:18:33]invalid session.

[01:18:42]But maybe we got blind XSS.

[01:18:45]That's all I can hope for is blind XSS.

[01:18:51]This will be the very last thing I check is whether this worked or not.

[01:19:00]Okay, we are now playing on blind XSS.

[01:19:06]Even though it said it failed, did it actually succeed?

[01:19:17]Here we go. I'm in. Oh, turn sandbox on.

[01:19:24]Did not succeed.

[01:19:28]Okay. So when attacker let me update my notes.

[01:19:35]When attacker types victim email plus password the response will will contain the token. This token will not change after OTP verification or on final post path thing. Token can be used for all invitation functionality. Probably works for all functionality.

[01:19:51]However, before OTP verification token is not valid.

[01:20:10]OTP verification must be completed before token becomes valid.

[01:20:25]Okay.

[01:20:27]And I know I said to end it right here, but I'd like to get Chad's well Claude's um opinion on this. So token is required in request the same. Okay, I'm just going to this all my board notes should be right here.

[01:20:46]So let me just see if I can just go right to cloud and see what it has to say. Try control seed it.

[01:20:54]Okay.

[01:20:59]Uh thoughts until it thoughts.

[01:21:04]Okay.

[01:21:11]What do you think?

[01:21:13]Personally, I don't know. This is It's definitely something, but all I have is the fact that you can do cross account actions with just a token. And I found a way to get the valid token. However, the token doesn't become valid until the user is actually logged in, which you know, we have stuff. We also have some roadblocks in between it. This is a solid finding.

[01:21:38]Let me break down what you've got in the severity implications.

[01:21:42]What you found core issue. The token header is essentially a session token that is returned in the login response before OTP verification completes. Does not rotate after OTP verification. Does not rotate after the final login step.

[01:21:55]grants full CRUD across the invite functionality and likely the whole app with just this one header. So then there's the attack chain key vulnerabilities token pre-issuance before MFA completion token shouldn't exist or be usable until the flow until the full offflow completes issuing it preotp is the root design flaw however remember it's not usable yet though token non-rotation token should rotate at each off stage missing token binding no IP binding no device fingerprint or other contextual validation on the token.

[01:22:32]That might be true. This might actually it might have something. I don't know. I don't believe so. Probably not. Next question. You're asking, "How can attacker gain access to victim's token while it is still valid? Possible angles to explore and document credential stuffing.

[01:22:48]Tagger has cred token pre OTP." No, that's not good. Like, no, because it's still not valid till after you type in OTP. Response interception middleman.

[01:23:01]Okay, that's not that's not um allowed.

[01:23:04]XSS, that's that's allowed. Logresponse leakage, which would probably be the best way of finding it. Refer header leakage, another good one. Account sharing flow. Invite mechanism itself leaking tokens. These are some good ones.

[01:23:19]Severity assessments is likely high or critical because bypasses MFA entirely if attacker has credentials. No, it doesn't. What wasn't it in there that it doesn't like bro? Okay. Report framing tips leave with okay chain it.

[01:23:35]Okay. Um no even though it issues token preotp completion completion.

[01:23:53]The token does not become valid until after all caps the OTP verification is completed successfully.

[01:24:13]Let's see what it says because this is the main thing is this.

[01:24:25]Okay, there we go. Good clarification.

[01:24:27]This changes the picture. Let's reassess. So, the real bug is token non-rotation. The token issued preotp is the same token that becomes valid post OTP. It should be replaced with a new token after successful MFA completion.

[01:24:40]the actual attack scenario. For this to be exploitable, the attacker needs known victim's credentials. See, like that's that's a pretty big thing. And then initiate the login to capture the pre-OOTP token. Wait for the victim to log in themselves and complete OTP. That same pre-capture token is now valid.

[01:24:59]Yeah, this is a essentially a race/ session fixation style issue. The attacker fixes the token. Victim unknowingly unactivates it. Revised severity still high but exploitability condition is narrower. Attacker must already have credentials. Must be able to initiate login before victim does.

[01:25:17]Victim must then log in and complete OTP. The key question for your report.

[01:25:23]Does initiating login with attackers request invalidate or interfere with victim's own session/lo flow? Yeah, I'd say most likely no. Most likely the answer to this is going to be no. But hey, we can test it really fast. So, let's see.

[01:25:41]Just log out of this account real quick.

[01:25:44]I know we said we were just we were going to end it, but like I just got to test that real quick.

[01:25:49]So, all we need to do is just I don't even need to use burp. Just use network tab. Just that is still.

[01:26:09]All right.

[01:26:12]Here is the login response.

[01:26:17]That is the token. Now we just need to see if the same token when I do a different login.

[01:26:22]Let's see.

[01:26:39]Why is it changing me over to sources? I guess it doesn't really matter.

[01:26:44]Okay, token is excuse me token is now 2917 and token here is 9055. So the answer is no. Okay, doesn't invalidate or interfere?

[01:27:08]No, just tested.

[01:27:13]Okay.

[01:27:17]So that is now no longer probable. That is now no longer a probable attack vector. We have now know that that is false. Okay.

[01:27:31]Okay. That's confirmation you needed.

[01:27:32]This is a clean session fixation bug.

[01:27:35]Why this is severe? The MFA is completely neutralized as a security control because the attacker never needs to touch the OTP. Victim has no indication anything is wrong.

[01:27:46]Okay. Does logging out on victim's side invalidate the attacker's token? Yes.

[01:27:53]On log out previous will be invalidated, but that's the victim's logout, not the attackers. Worth testing.

[01:28:00]Change this fair to impacting report.

[01:28:02]Okay. So, let's just log in on both and see what happens.

[01:28:05]Okay.

[01:28:07]Now we're just testing session fixation books, which is pretty much I guess what we've been doing the whole time.

[01:28:23]Oh, it's weird.

[01:28:30]Try the other one now.

[01:28:38]Okay, let's um let's try that now.

[01:28:43]Oh, that's what it takes you.

[01:28:46]Oh my goodness, it's been an hour and a half now. Okay, log in on two different accounts.

[01:29:02]See if it logs me out anymore.

[01:29:09]We are not back to this. We are now back to this where it's going to act like this and do all that crap. Okay. Um yeah, I'm just going to assume I'm just going to end the video here. I'll continue testing this later. Be honest, I don't believe this test is going to work. But so all we have verified in this video is that if you are somehow able to gain access to the token without doing things like middleman or social engineering, you will be able to perform actions cross account. If you like this video, make sure you subscribe. Make sure you also fill out the form in the description if you want to be if you want access early access to the the script I have the JS script JS automation script that I have and probably some other things I'm also going to add to that that link will be in the description for that as well and I'll see you