
Hunting IDOR with Z-winK (Part 2)


Abstract:
Welcome to the fifth piece in Bugcrowd’s LevelUpX series! Our speaker in the series is Z-winK. In this presentation, Z-winK will build on his latest series (check it out here) and will take you through a deeper dive into hunting IDOR (Insecure Direct Object Reference) for big dollars.

Bio:

I started tinkering with computers when I was about seven. The PC components were each about the size of a laptop at that time, and the internet was a series of massive computers connected through screeching dial-up modems. My father managed our AOL (dial-up service) account at the time, and when I asked him to create me a user, he used the automatic username creation feature and “ZwinK” was generated and born. I ended up using the name while gaming all through the 1990s and 2000s, and it just stuck. Much of my computer background came from online gaming and all that entails.

I bug bounty hunt from Windows OS, which I think is fairly unique in the field. Because I started on computers so long ago, I grew up on ancient IBM machines running DOS and Windows v3.0, and progressed through the Windows evolutions. To me, it’s an efficiency thing, not a security thing. There is very little I don’t know about the operating system, and this allows me to be very, very efficient when bug bounty hunting. You don’t need to run Kali Linux to make $500,000 a year hacking, just an OS you can use well.

Fast forward 30 years and I am now 37, which is well above the average age of most bug hunters. While I do have college degrees, they aren’t in “computer science”, and I also possess zero cyber security certifications because I don’t value them. I live on the east coast in the United States, and bug bounty hunt part-time. I have a great full-time position as a web penetration tester, which I actually obtained via hacking a program through Bugcrowd. Pretty sweet, right?

I started bug bounty hunting with Bugcrowd in October of 2020, and for reference, that was the year all the toilet paper ran out. So I’ve been at this for about 1.5 years now. I made $100 my first month bug hunting and over $100,000 last month. That’s ludicrous, right? Well, I’m here to tell you it’s not magic, it’s mostly broken access control issues. The great thing about crowd-sourced security is that everyone brings something unique to a target, and this is the attack vector I feel rather artisan-level at, if it’s possible to be artisan-level at swapping IDs out.
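The "swapping IDs out" that the bio describes is the essence of an IDOR: an endpoint looks up an object purely by the identifier the client supplies and never checks whether the caller is allowed to see it. The following is an added example, not code from Z-winK or Bugcrowd, written from the defender's side. It uses a constructed in-memory invoice store and hypothetical handler names (`get_invoice_vulnerable`, `get_invoice_hardened`) to show the broken lookup next to its fixed form, plus a small audit helper that replays a set of requests against a handler and reports which ones returned another user's object, which is the kind of check a test suite or access review would want to run.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two users (1 and 2), one invoice each.
INVOICES = {
    101: Invoice(invoice_id=101, owner_id=1, amount=250.0),
    102: Invoice(invoice_id=102, owner_id=2, amount=99.0),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(requesting_user_id: int, invoice_id: int) -> Invoice:
    # IDOR pattern: the object is fetched by the client-supplied ID only.
    # `requesting_user_id` is accepted but never compared to the owner,
    # so any authenticated user can read any invoice by changing the ID.
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden("no such invoice")
    return invoice


def get_invoice_hardened(requesting_user_id: int, invoice_id: int) -> Invoice:
    # Fixed form: the ownership check happens server-side on every lookup.
    # Missing and foreign objects produce the same error so the response
    # does not reveal whether an ID exists.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != requesting_user_id:
        raise Forbidden("invoice not accessible")
    return invoice


def audit_cross_user_access(handler, attempts):
    """Replay (user_id, invoice_id) pairs against a handler.

    Returns the list of (user_id, invoice_id) pairs for which the handler
    handed back an invoice owned by a different user. An empty list means
    the handler enforced ownership for every attempt.
    """
    leaks = []
    for user_id, invoice_id in attempts:
        try:
            invoice = handler(user_id, invoice_id)
        except Forbidden:
            continue
        if invoice.owner_id != user_id:
            leaks.append((user_id, invoice_id))
    return leaks


# Constructed request mix: each user asks for their own invoice and the other's.
ATTEMPTS = [(1, 101), (1, 102), (2, 101), (2, 102), (1, 999)]

if __name__ == "__main__":
    print("vulnerable leaks:", audit_cross_user_access(get_invoice_vulnerable, ATTEMPTS))
    print("hardened leaks:  ", audit_cross_user_access(get_invoice_hardened, ATTEMPTS))
```

Run as a script, the vulnerable handler reports the two cross-user requests as leaks and the hardened one reports none. The audit helper is deliberately handler-agnostic so the same replay can be pointed at any object-lookup function an application exposes.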

Want to get involved?
We’re always looking for researchers and hackers like you who have tips, tricks, and skills that you want to share with the community! If you have any questions, or would like to participate with LevelUpX, please reach out to researcher.marketing@bugcrowd.com
