⚠️ Tools and techniques discussed in this blog are only meant for educational, ethical vulnerability research purposes. The author is not responsible for any misuse!

Why Firefox containers?

  • Helps with multi-role BAC testing, where you would otherwise constantly switch between different browsers, which is quite time consuming.
  • Using Firefox containers, you can create many separate profiles (each isolated from the others), giving you separate sessions, cookies and tokens for authenticated users of various roles and privilege levels.
  • Reliable and effective setup for IDOR/BAC/Priv Esc testing.
addons.mozilla.org/en-US/firefox/addon/multi-account-containers/

How to check whether it's working?

  1. First open two tabs of webhook.site in Chrome. Both will show the same unique URL/ID.
  2. Next open 4 container profiles in Firefox and compare the IDs: all have different sessions, cookies and webhook.site IDs.


Finding programs for IDOR/BAC/Priv Esc/Business Logic Testing

ChatGPT
Gemini

Self-hosted VDP/BBP Programs

Gemini

Before proceeding, read the policy page carefully.

Gemini

Learning from disclosed reports

cwe:("Improper Authorization") AND substate:("Resolved") AND disclosed:true

If you just keep following and reading the disclosed Hacktivity reports and keep applying them to the app you are testing over and over, tbh that's sufficient to get coverage of a wide range of scenarios.

hackerone.com/hacktivity

Use LLMs and design checklist for BAC Testing

For XYZ, design a checklist of test cases which I need to test manually, focusing only on broken access control and priv esc testing.

Tabular format output.

Provide in-depth context of the app and you will get a better checklist.


You provide the information about roles, app logic and context, and ask it to design test cases for you. This is mainly for beginners who might get stuck while starting. With time, you need to observe, note down and design various test scenarios yourself based on how the application works.

The more complex the app, the more hidden scenarios there are to test, and the internal testing team mostly won't find everything: it is time consuming, there are regular updates to the software, and the app is too complex to cover everything. They also may not be specialized in each and every vulnerability class with the same depth of knowledge.

Burp Extension (Autorize)

portswigger.net/bappstore
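As an added example (not part of the original post, and not Autorize's own code), here is the replay-and-compare idea behind Autorize in plain Python: every request captured under a privileged session is replayed with a low-privilege session, and the two responses are compared. The in-process mock app, its users (alice, bob), their bearer tokens (tok-alice, tok-bob) and the two endpoints are all constructed for this example: /vuln/invoice/<id> returns an invoice by id without checking ownership (the IDOR pattern), and /fixed/invoice/<id> is the same feature with the ownership check added.

```python
"""Replay-and-compare authorization check, in the spirit of what the Autorize
Burp extension does. Everything below (app, users, tokens, endpoints) is
constructed for this example."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed session tokens and data store (placeholder values).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
INVOICES = {1: {"owner": "alice", "total": 120}, 2: {"owner": "bob", "total": 45}}


class App(BaseHTTPRequestHandler):
    """Mock app: /vuln/invoice/<id> trusts the id blindly (IDOR),
    /fixed/invoice/<id> additionally checks that the caller owns the invoice."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        user = SESSIONS.get(auth[7:] if auth.startswith("Bearer ") else "")
        if user is None:
            return self._send(401, {"error": "unauthenticated"})
        parts = self.path.strip("/").split("/")
        if (len(parts) != 3 or parts[0] not in ("vuln", "fixed")
                or parts[1] != "invoice" or not parts[2].isdigit()):
            return self._send(404, {"error": "not found"})
        invoice = INVOICES.get(int(parts[2]))
        if invoice is None:
            return self._send(404, {"error": "not found"})
        # Hardened variant: the object must belong to the caller.
        if parts[0] == "fixed" and invoice["owner"] != user:
            return self._send(403, {"error": "forbidden"})
        return self._send(200, invoice)


# Opener with proxies disabled so the loopback requests never leave the host.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(base, path, token):
    """GET a path with a bearer token; return (status, body bytes)."""
    req = urllib.request.Request(base + path, headers={"Authorization": "Bearer " + token})
    try:
        with _OPENER.open(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def authz_check(base, paths, high_token, low_token):
    """Replay each captured path with the low-privilege token and compare it to
    the high-privilege response. Verdicts: 'ENFORCED' (server refused),
    'BYPASSED' (identical status and body: the low-privilege user saw exactly
    what the privileged user saw), 'REVIEW' (anything else, check by hand)."""
    verdicts = {}
    for path in paths:
        high = fetch(base, path, high_token)
        low = fetch(base, path, low_token)
        if low[0] in (401, 403):
            verdicts[path] = "ENFORCED"
        elif low == high:
            verdicts[path] = "BYPASSED"
        else:
            verdicts[path] = "REVIEW"
    return verdicts


def run_demo():
    """Start the mock app on an ephemeral loopback port, replay alice's captured
    requests as bob, and return {path: verdict}."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), App)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        # Requests captured while browsing as alice (the privileged session).
        captured = ["/vuln/invoice/1", "/fixed/invoice/1"]
        return authz_check(base, captured, high_token="tok-alice", low_token="tok-bob")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{verdict:9s} {path}")
```

The comparison is deliberately strict (identical status and body); real apps often differ only in a username or a timestamp, which is why the REVIEW bucket exists and why Autorize lets you tune its enforcement detector rather than relying on exact equality.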

How to go to the next level?

  • Whatever feature you are testing, if you are from a programming & development background, create a small snippet for only that feature. This helps not only in understanding the flow of that feature, but you will also become a good white box tester, apart from black box testing, which is quite saturated compared to white box. In case you find a particular pattern that repeats across various apps (same developer, same mistake, various features / codebases), you can scale the test and get various CVEs as well.
  • Perform OSINT on the program through their product newsletters & social media to get the latest updates on new features. This will help you be one of the first few folks to test them and avoid duplicates.
  • Check their GitHub page. (Tech stack/endpoints/clues for further recon)
  • Even if you don't know Android app testing or aren't interested in it, at least learn how to decompile and extract endpoints. Then compare the endpoints to your web app; if you find an endpoint which you didn't find during the normal workflow of the web app, immediately test that.
  • Pay special attention to programs which don't fall into the wildcard domain category; most normal hunters are just after XSS and wildcard scopes. For example, if the scope just contains 1–2 items like app[.]example[.]com.
  • A few top hunters hunt on out-of-scope targets as well. Now this may not be accepted or might get you in trouble, but some don't care: they find endpoints from out-of-scope stuff and use them on in-scope targets. Some directly report in out-of-scope and even get paid for it, because some programs accept it if the researcher is famous/well-reputed, the report qualifies as critical severity, and somehow the out-of-scope report has an impact on in-scope targets. It's up to you, and definitely not advised if you don't want to get into any trouble & get banned.
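The "extract endpoints from the decompiled app and compare them to what the web app actually calls" step above, as an added example that is not part of the original post: the decompiled source excerpt and the list of endpoints observed in the browser are both constructed placeholders, and the script assumes you already have the decompiled text from whatever decompiler you use. Paths are normalized (host stripped, numeric ids collapsed to {id}) so that the same route with different ids is counted once, and the output is the set of client routes that never showed up in the web workflow.

```python
"""Diff API paths found in a decompiled mobile client against those observed
in the web app's normal workflow. All inputs below are constructed for the
example."""
import re

# Constructed excerpt of decompiled client code (placeholder strings).
DECOMPILED_SOURCE = '''
String base = "https://app.example.com";
String a = base + "/api/v2/users/me";
String b = "/api/v2/orders/12345/export";
String c = "/api/v2/admin/reports/12345/download";
String d = "/api/v2/orders/" + orderId + "/refund";
String e = "https://cdn.example.com/assets/logo.png";
'''

# Endpoints seen in the proxy while using the web app as a normal user (constructed).
OBSERVED_WEB_ENDPOINTS = [
    "/api/v2/users/me",
    "/api/v2/orders/777",
    "/api/v2/orders/777/export",
]

# A double-quoted literal that is an absolute URL or starts with "/".
PATH_RE = re.compile(r'"((?:https?://[^/"]+)?/[A-Za-z0-9_./{}-]*)"')


def normalize(path):
    """Strip scheme/host and trailing slash, and collapse purely numeric path
    segments to {id} so /orders/777 and /orders/12345 compare as one route."""
    path = re.sub(r"^https?://[^/]+", "", path)
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return path.rstrip("/") or "/"


def extract_endpoints(source, api_prefix="/api/"):
    """Return the normalized set of string literals that look like API paths.
    Literals ending in "/" are string-concatenation fragments (see line d in
    the sample) and are skipped; those need to be joined by hand."""
    found = set()
    for literal in PATH_RE.findall(source):
        if literal.endswith("/"):
            continue
        norm = normalize(literal)
        if norm.startswith(api_prefix):
            found.add(norm)
    return found


def untested_endpoints(source, observed, api_prefix="/api/"):
    """Routes present in the client but never seen in the web workflow: the
    candidates to queue for manual authorization testing."""
    seen = {normalize(p) for p in observed}
    return sorted(extract_endpoints(source, api_prefix) - seen)


if __name__ == "__main__":
    for route in untested_endpoints(DECOMPILED_SOURCE, OBSERVED_WEB_ENDPOINTS):
        print("not seen in web workflow:", route)
```

Concatenated paths (the `"/api/v2/orders/" + orderId + "/refund"` case) are the usual blind spot of a regex pass; the script skips the fragments rather than guessing at the joined route, so review the skipped prefixes manually.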

BAC can be easy, but finding the endpoints and testing each and every request can often lead to burnout.

Not a scalable vulnerability class for complex apps! If you want your business to be running & functional, reward external security researchers, because a single tester cannot be skilled in everything with the same depth and neither has time for everything!

Pentesting is about coverage, bug bounty is about depth 🤘
