#NahamCon2024
HTML-код
- Опубликовано: 6 июн 2024
- LIKE and SUBSCRIBE with NOTIFICATIONS ON if you enjoyed the video! 👍
For many hackers, changing the redirect_uri to an attacker-controlled host is the only attack they know. But in 2024 it won't work. We have to work harder - exploit and chain multiple smaller bugs together to get the account takeover. Those chains will be the topic of this talk.
📚 If you want to learn bug bounty hunting from me: bugbounty.nahamsec.training
💻 If you want to practice soem of my free labs and challenges: app.hacking.hub.io
🔗 LINKS:
📖 MY FAVORITE BOOKS:
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities -amzn.to/3Re8Pa2
Hacking APIs: Breaking Web Application Programming Interfaces - amzn.to/45g4bOr
Black Hat GraphQL: Attacking Next Generation APIs - amzn.to/455F9l3
🍿 WATCH NEXT:
If I Started Bug Bounty Hunting in 2024, I'd Do this - • If I Started Bug Bount...
2023 How to Bug Bounty - • How to Bug Bounty in 2023
Bug Bounty Hunting Full Time - youtu.be/watch?v=ukb79vAgRiY
Hacking An Online Casino - youtu.be/watch?v=2eIDxVrk4a8
WebApp Pentesting/Hacking Roadmap - youtu.be/watch?v=doFo0I_KU0o
MY OTHER SOCIALS:
🌍 My website - www.nahamsec.com/
👨💻 My free labs - app.hackinghub.io/
🐦 Twitter - / nahamsec
📸 Instagram - / nahamsec
👨💻 Linkedin - / nahamsec
WHO AM I?
If we haven't met before, hey 👋! I'm Ben, most people online know me online as NahamSec. I'm a hacker turned content creator. Through my videos on this channel, I share my experience as a top hacker and bug bounty hunter to help you become a better and more efficient hacker.
FYI: Some of the links I have in the description are affiliate links that I get a a percentage from.
BBRE guy is the only person who cares about eyesight of content consumers, he used large fonts which we can read easily
18:24 if anyone else was also confused when he says POST-AUTH REDIRECT he is talking about after the Oauth dance is over, he doesnt mean POST based oauth flow.
Even though the state parameter is present in the request you should always check for CSRF I've found many targets vulnerable to this . Most of the people leave as soon as they see State parameter in the request. This happens because of misconfig in OUath flow where it doesen't validate the state parameter server side . It only checks if it is present or not.
Also the login csrf is still possible because we still have the state and we can send it to the user
very true! The presence doesn't mean it's checked
Thanks Ben!
this was nice
most site now uses strict url validation on redirect_uri not even extra dot can be added btw thx greg
Thanks Ben and Enjoooooooy 😊
I love and enjoy hearing him say enjoy
@@ZarakKhanNiazi All of us like it 😁✌️✌️✌️
Hey brother can you add these to the playlist
Second