Wow awesome. Thanks will keep that in mind. Just keep me sending more of
your tips. I guess I will love this subscription a lot. :)
On Wed, Jul 4, 2018, 10:04 PM Edwin <contact@xxxxxxxxxxxxxx> wrote:
Hey everyone, If you submit a report and want the triage team to quickly
triage your report, include your test credenetials in the report. This is
especially useful if user permissions and roles are involved. Here is an
example:
---------------------------------------------------------------------------
Hi team, I discovered an insecure direct object reference in example.com
via the id parameter on /account/settings. ## Steps to reproduce 1. Sign in
using user@xxxxxxxxxxx:password1234; 2. Navigate to /account/settings; 3.
Save the user details and intercept the POST request with your proxy of
choice; 4. Modify the id parameter to 1337 — this id belongs to
admin@xxxxxxxxxxx; 5. Forward the request and then sign in as
admin@xxxxxxxxxxx:password1234; 6. You should see that admin@xxxxxxxxxxx's
settings have been modified to ... ...
---------------------------------------------------------------------------
I think you all get the idea now. Basically, as a triager what this allows
me to do, is quickly replicate the exact steps that you took. This is also
particularly useful if you have stored XSS or an issue that we can no
longer reproduce, but see the payload fire using your account. Hope that
helps some of you out, please feel free to submit questions to this thread
and suggestions for future tips. - Ed
